China has become the latest major global economy to introduce rules designed to protect the country from the potentially crippling effects of a significant cyber-attack on critical information systems.
On 17 August 2021, the State Council of the People’s Republic of China published the “Regulations on the Security Protection of Critical Information Infrastructure” (the Regulations), which came into force on 1 September 2021. The Regulations are themselves a key, and long-awaited, feature in China’s implementation of the Cybersecurity Law of the People’s Republic of China (the Cybersecurity Law), which was implemented on 1 June 2017.
The Regulations follow hot on the heels of laws tabled in other significant jurisdictions, including:
- the United States, where in late July 2021 a bipartisan group of US Senators introduced the Cyber Incident Notification Act of 2021 (for more information, read our article - US Cyber Incident Notification Act 2021: a late arrival to a growing party), and on 27 August 2021 the US House Homeland Security Committee released as a draft bill the Cyber Incident Reporting for Critical Infrastructure Act of 2021;
- Australia, where on 9 November 2020 the Security Legislation Amendment (Critical Infrastructure) Bill (2020) was tabled; and
- the EU, which issued its Directive (EU) 2016/1148 on Security of Network and Information Systems in July 2016.
What infrastructure is covered by the Regulations?
The purpose of the Regulations, as stipulated in Article 1, is to “ensure the security of critical information infrastructure and maintain network security”.
The concept of “critical information infrastructure” (CII) was introduced under the Cybersecurity Law, and has been further developed under Article 2 of the Regulations to include network facilities and information systems in the following key areas:
- public communication and information services
- water conservancy
- public services
- national defence related industries
- any other “important industries and fields” that may seriously endanger national security, the economy, people’s livelihoods and the public interest in the event they are damaged, or suffer a loss of function / outage
Who do the Regulations affect?
The Regulations impose obligations on “operators” of CII (CIIOs).
The expectation is that industry regulators in China will be responsible for identifying specific CIIOs in the sectors falling under their jurisdiction, and for supervision of those CIIOs. In time, those regulators will develop sector-specific rules and guidance applicable to those individual CIIOs.
What obligations do the Regulations impose?
Article 6 introduces a general obligation on CIIOs as follows:
“Operators shall adopt technical protection measures and other necessary measures to respond to cyber security incidents and prevent cyber-attacks in accordance with the provisions of these Regulations … and ensure the safe and stable operation of critical information infrastructure, and maintain the integrity, confidentiality and availability of data.”
In addition to the general requirement to adopt “necessary measures” to prevent and respond to cyber incidents, the Regulations introduce a number of specific obligations on CIIOs, including:
- to set up a specific security-management department, which will be responsible for risk monitoring, contingency planning, emergency response and training
- to conduct background checks on key personnel, with the assistance of the police and national security authorities
- at least once annually, to conduct a risk audit of the network security of the CII and assess any security risks (and promptly correct any that are identified)
- to report to the relevant authorities any cyber incidents or threats (serious security incidents will need to be reported to the Cyberspace Administration and the State Council)
- to conduct detailed cybersecurity reviews before engaging in the procurement of network products or services (in particular, where those may have an impact on national security), and to give priority to “safe and trustworthy” goods and services
- to report to regulators any corporate activity that may impact the cyber security of the CIIO, including, for example, mergers or business sales
The Regulations require that the senior executive of the CIIO be personally responsible for the security and protection of the CII.
What are the consequences of failing to perform those obligations?
Companies face a monetary fine of up to RMB 1 million (c. $154,000) for serious violations, in addition to other possible penalties including correction orders and, in certain circumstances, confiscation of revenue.
The Regulations also introduce the possibility of substantial personal liability for key individuals within the CIIO, including fines of up to RMB 100,000 (c. $15,400), detention, criminal prosecution, and prohibitions on taking on key positions in CIIOs in the future.
In the event of a serious security breach, not only the CIIOs but also third-party cybersecurity-services providers and the relevant regulators may face liabilities.
Why might this be relevant to Australian organisations?
New developments such as these add to an already substantial, and increasingly complex, global landscape regulating the security of IT systems.
Any Australian businesses that operate in China in one of the identified sectors (either as suppliers, subcontractors or owners and operators) will need to be aware of the requirements of the Regulations, as will Australian businesses engaging with China-based suppliers or contractors who are subject to the obligations (and who may look to flow these down into the contractual arrangements with the Australian business).
In addition, Australian companies may find it increasingly difficult to sell network products / services to Chinese CIIOs, since such products will need to be certified as “secure and trusted” under the Regulations. Where there is any suggestion that the network products / services to be procured may present national security concerns, Chinese CIIOs are required to apply to the government for a cybersecurity review prior to finalising any such procurement, with the potential for this to result in a bias towards domestic products over foreign ones.
What is apparent is that organisations that operate globally will increasingly find themselves faced with a matrix of different compliance obligations in different jurisdictions, potentially all triggered by a single event and each to a different standard. Addressing this may require organisations to adopt a “gold standard” approach to compliance.
Authors: Lesley Sutton and Nikhil Shah