Cyberattacks and Legislation: A Tightrope Walk
Senior Research Analyst at Marsh & McLennan Companies' Asia-Pacific Risk Center
The increasingly worrying global cyber-risk trend has prompted lawmakers in many countries to either introduce or update their data privacy laws. This is a first step to ensuring better management, security and data control, which ultimately builds cyber resilience.
China will officially roll out its new Cybersecurity Law on June 1, signifying the government’s intent to strengthen cyber regulations. Up to this point, China only had some general directives and localized guidelines for a secure and controllable internet. This new national law, however, is a head-turner for everyone doing business with China and will have implications on those business’ operations.
Significant Provisions of the Cybersecurity Law
This law is the first legislation at the national level to establish legal principles for data privacy, and the financial penalties for data breach incidents are severe. In the event of a compromise of personal data, companies can be fined up to RMB1 million ($150,000) or ten times the illegal income, while penalties for the individuals directly in charge can be up to RMB100,000.
In terms of data localization, the new Cybersecurity Law will require critical information infrastructure (CII) facilities to store personal information and other important business data collected or generated in China physically within China. CII operators must obtain government approval to transfer this data outside the country, and only where such a transfer is “truly necessary.” Companies that do not localize their data face potential financial penalties, including possibly losing their ability to conduct business in mainland China.
Furthermore, “network operators” are required to provide technical support to security authorities for the purposes of upholding national security and conducting criminal investigations under the data residency clause.
Finally, for data security purposes, both CII facilities and network operators in China are required to comply with national standards and mandatory requirements, such that equipment and products are safety-certified by inspection.
A Much-needed Mindset Shift
Since its announcement in late 2016, China’s Cybersecurity Law has received much attention for the wrong reasons. Additional barriers to trade and innovation, greater complexity and higher-risk concerns for foreign companies doing business in China are some of the criticisms of the law raised by foreign business communities.
However, the recent global extortion cyber attack may significantly shift these negative mindsets and change perspectives on the new law.
Massive ransomware cyber attacks hit critical information infrastructures around the world on May 12, ranging from the UK’s National Health Service to a Spanish telecom giant and one of the world’s largest international courier services companies headquartered in the United States. The unprecedented cyber attack over that weekend affected more than 200,000 computers across 150 countries, according to Europol, with the numbers expected to increase in the aftershocks ahead.
Asia-Pacific countries were not spared either. According to China’s official Xinhua News Agency, more than 29,000 educational institutions were affected by similar attacks. Other infected computers were detected at railway stations, hospitals, office buildings, retail malls and government agencies. Over the next few days, more reports of similar attacks surfaced, impacting dozens of other countries, including Singapore, Japan and Australia.
In the face of a ransomware cyberattack of this unprecedented scale, tighter cybersecurity legislation has come into the spotlight. Are our current cyber legal systems aggressive enough to take on these ever-growing and ever-present cyber adversaries? Are our cybersecurity protection schemes and cyber-risk management frameworks comprehensive enough to minimize and mitigate future attacks of similar or greater scale?
While the financial and economic impacts are still being assessed in the aftermath of these events, the psychological implications could be far more substantial. This rude wakeup call might be exactly what is required right now. The need for transparency through stricter and more robust legislation is emphasized time and again: it is a critical first step in risk management, because it drives the awareness needed to initiate the actions required to overcome adversaries and mitigate cyber risks.
The ransomware attack should be expected to address boardroom complacency about the seriousness of cyber threats. Perhaps it could even shift the mindsets and perceptions of the foreign business community toward China’s Cybersecurity Law, whose implementation is coincidentally timely—just after the attack.
In Light of China’s New Law, What Should Businesses Do?
In addition to the Chinese government strengthening cyber regulations, the public needs to focus on being cybersecure and responsible, while companies (both local and foreign) need to ensure their businesses are in compliance with the new cybersecurity regulations and take corporate actions for managing cyber risks.
As part of enterprise-wide cyber-risk management, foreign companies looking to do business in China should conduct an additional overall China risk assessment to assess their cyber-risk exposure in the China market. Specific reference to the Cybersecurity Law is recommended as the focal point to ensure effective and efficient strategic business plans.
Marsh recently released a risk alert to its clients on China’s Cybersecurity Law and its impact on multinational companies (MNCs), which highlighted three key recommendations for MNCs:
- Conduct comprehensive risk identification for cybersecurity threats (for example, viruses/spyware/malware, distributed denial-of-service attacks, phishing), followed by proper insurance coverage plans.
- Enhance the cyber-risk management framework, including a clear definition of roles and responsibilities, a robust risk management process, advanced technical means, information technology (IT) operation control and log recording.
- Establish and improve business continuity plans and develop contingency plans related to cybersecurity threats.
Furthermore, robust cyber-risk management begins with leadership from the boardroom. In general, boards can consider the following questions when evaluating the impact of China’s new Cybersecurity Law:
- Does our business fall under the definition of “Critical Information Infrastructure”? If so, will there be significant impacts on our internal plans for data storage, transmission and network security in China? Do we understand the parameters we must all work within and do we have the correct safeguards in place to be compliant?
- Are we storing information generated or gathered in mainland China on servers in mainland China? Do we need to create separate IT systems for China-specific data? Are we reliant on cross-border data transfers, and how would we approach this need with the Chinese government?
- What is our risk exposure stemming from the potential loss of intellectual property or encryption information as a result of this law? How would our business be affected should our Chinese competitors gain access to this information?
- What additional investments do we need to comply with this law and ensure the business is cybersecure?
It is true that the new regulations in China—as they will elsewhere—pose a few challenges for businesses. Indeed, they will also raise questions around data control and privacy. However, given the increasing frequency of cyberattacks, other countries are likely to follow suit and tighten their regulations as well.