A lobby group warns that China’s proposed cybersecurity rules pose risks for financial companies.
HONG KONG (Reuters) – In a letter seen by Reuters, a leading lobby group said that China’s proposed cybersecurity rules for financial firms could pose risks to the operations of western companies by, among other things, making their data more likely to be hacked.
The latest regulatory proposal comes at a time when a number of western investment banks and asset managers are setting up wholly-owned units or increasing their stakes in existing joint ventures in China.
The draft Administrative Measures for the Management of Network Security in the Securities and Futures Industry were released by the China Securities Regulatory Commission (CSRC) on April 29. The public had a month to comment on the proposals.
The draft rules want to make it mandatory for investment banks, asset managers, and futures companies that do business in China to share data with CSRC, let regulators test the data, and help set up a centralized data backup center.
Morgan Stanley (NYSE: MS) and HSBC are two companies that have benefited from China’s opening up its financial sector to foreigners in recent months. They follow Goldman Sachs (NYSE: GS) and JPMorgan (NYSE:JPM), which were given permission to run local units in China last year.
In a letter sent to the CSRC on May 27, the Asia Securities Industry and Financial Markets Association (ASIFMA) said that its members were worried about the draft rules because they thought that sharing sensitive information could be dangerous.
Reuters has looked over the letter and hasn’t heard about its contents before.
AsifMA has more than 160 members, including leading financial institutions on both the buy and sell sides, banks, law firms, and market infrastructure service providers. The letter was not confirmed, and ASIFMA did not say anything about what it said.
When Reuters asked for a comment, the CSRC said that ASIFMA gave its opinion on May 31, two days after the consultation period ended.
“However, we still put a lot of weight on the feedback sent by relevant associations,” the document said. It also said that the regulator was “carefully studying the opinions and suggestions” and would keep in touch with the groups.
Beijing has been cracking down on data security, mostly in the tech sector, as part of a wider regulatory crackdown. This has shaken up the country’s stock markets and stopped offshore company listings.
‘HUGE RISKS‘
Financial firms are required by the draft rules to share data for different reasons, but the lobby group is worried that sharing sensitive data will make companies in the sector vulnerable to “hackers and other bad actors.”
The need for a sector-wide data backup center is also being pushed back on by global banks and asset managers.
The ASIFMA letter said, “This not only poses huge risks to all core institutions and operating institutions on an individual level, but it also poses significant systemic risks for the sector in China and around the world, given how connected the global financial sector is.”
The draft rules also say that the CSRC could do penetration testing, which is a simulated cyber attack on the operational system, and system scanning on securities, futures, and fund firms.
But ASIFMA pointed out that global banks are worried that regulator-led or regulator-ordered penetration testing poses “real risks to firms because penetration testing can be disruptive and testing results are sensitive.”
“Testing systems and applications without knowing how they are used could cause a lot of trouble for business operations,” the lobby group said.
The regulator has not set a date for when the final rules will be released or when they will be put into place.
