China Cybersecurity

The ubiquity of data brings new risks. At a recent IMA Asia forum, members discussed those risks and how best to cope with the evolving cybersecurity environment in China.

Governments around the world have been issuing rules and regulations to rein in the data deluge. China is no different. The China Cybersecurity Law (CCL) came into effect in June 2017, and more detailed regulations have followed. Regulations tend to reflect each nation’s central concerns; in China, it is about control.

‘The EU is concerned about privacy; about the individual being able to keep their data private. In the US, it’s about monetising the data; about making money off of it. In China, control is a constant feature of most recent regulations.’

The Chinese authorities view even seemingly innocuous consumer data, if aggregated by one firm in large enough quantities, as a national security threat and have put restrictions in place to protect it.

‘From reading the Chinese Cybersecurity Law, it would seem that the authorities want to “snow globe” China from the rest of the world.’

The Chinese Cybersecurity Law (CCL) is here: are you ready?

Firms that collect a large amount of Chinese consumer data or sensitive data are at the forefront of implementing the CCL. On the other hand, many B2B firms have been slow to act since they do not handle large amounts of consumer data. However, since they collect employee data and pricing information, they may be at risk of being non-compliant.

Some firms cite the law’s ambiguity as the reason they are holding back. They are taking a wait-and-see approach before making costly investment decisions; however, delaying could be risky.

‘The CCL is ambiguous, but the law is not going to get any clearer than it is today. There is enough guidance to get started. Given that it is the law, it is time to start with a self-assessment to ascertain your security posture. You can do nothing, but that is a risk.’

Tips for coming to grips with the CCL

Experienced cybersecurity experts offered IMA Asia members the following advice on preparing for China’s new cybersecurity law.

Conduct a cyber self-assessment. Companies should be ‘directionally compliant’ on cybersecurity. That is, understand the law’s intentions and work within that framework. A self-assessment is the first step to avoid unpleasant surprises later.

Piggyback global best practices. The CCL is consistent with global best practices and laws on personal information protection. China operations can benefit from the investments made to be compliant with the EU’s GDPR and APEC’s privacy principles.

Create a cyber team. In China, the cyber role is often bundled with IT support and is not elevated to a strategic function. A resource plan needs to be in place that includes cyber expertise. Third-party experts also can be helpful, especially when managing the cross-border aspects of working with a Chinese cloud.

Request cross-border permits. The CCL strictly limits what Chinese personal data leaves the country. It is vital to understand what data you need to transfer and obtain permission to do so.

Store data in China. Firms are beginning to store data locally on servers and the ‘China cloud.’ Start with a self-assessment and consider different scenarios to better understand what is viable in an evolving situation.

Consider sealing off China’s data. Firms in sensitive industries often have strict system controls in place to put a seal (or air gap) between China and global operations.
