Skip to content
DCC · DATA COMPLIANCE CHINA China data law, for overseas counsel.
§ LAW · MEASURES FOR THE ADMINISTRATION OF THE SECURITY OF REGULATORY DATA OF THE CHINA BANKING AND INSURANCE REGULATORY COMMISSION (TRIAL)

Measures for the Administration of the Security of Regulatory Data of the China Banking and Insurance Regulatory Commission (Trial).

中国银保监会监管数据安全管理办法(试行)

Promulgated by: China Banking and Insurance Regulatory Commission.
Document No.: Yin Bao Jian Fa [2020] No. 43.
Issued and effective September 23, 2020.


Issuing Notice

To all CBIRC local offices, all departments of the Commission, and all units administered by the Commission:

In order to earnestly strengthen the administration of the security of regulatory data and guard against regulatory data security risks, this Commission has formulated the Measures for the Administration of the Security of Regulatory Data of the China Banking and Insurance Regulatory Commission (Trial), which are hereby issued for your compliance and implementation.

September 23, 2020


Measures for the Administration of the Security of Regulatory Data of the China Banking and Insurance Regulatory Commission (Trial)

Chapter 1 General Provisions

Article 1. In order to regulate the administration of the security of regulatory data of the China Banking and Insurance Regulatory Commission (CBIRC), enhance the capacity for regulatory data security protection, and guard against regulatory data security risks, these Measures are formulated in accordance with the Cybersecurity Law of the People’s Republic of China, the Law of the People’s Republic of China on Banking Regulation and Supervision, the Insurance Law of the People’s Republic of China, the Interim Measures for the Administration of Work Secrets and other laws, regulations and relevant provisions.

Article 2. “Regulatory data” as used in these Measures means the figures, indicators, statements, text and other various information that the CBIRC lawfully collects on a periodic basis in the course of performing its regulatory duties and that is recorded, generated and stored by regulatory information systems, or that is recognized as such by the business departments of the CBIRC.

“Regulatory information systems” as used in these Measures means information systems that are developed and constructed for the purpose of meeting regulatory needs and that have functions such as data collection, processing and storage.

Article 3. “Regulatory data security” as used in these Measures means that, in the course of activities such as the collection, processing, storage and use of regulatory data (hereinafter referred to as regulatory data activities), the regulatory data is in a state of being usable, complete and auditable, and that no leakage, tampering, damage, loss or unlawful use has occurred.

Article 4. These Measures shall apply to regulatory data activities carried out by the CBIRC and entrusted institutions.

“Entrusted institutions” as used in these Measures means enterprises and public institutions that, upon entrustment or designation by the CBIRC, provide the CBIRC with regulatory data collection, processing or storage services.

Article 5. Regulatory data activities shall be carried out in compliance with relevant laws and administrative regulations. Any unit or individual shall keep confidential, in accordance with relevant provisions, the State secrets, work secrets, commercial secrets and personal information that it becomes aware of in the course of regulatory data activities.

Article 6. The CBIRC shall establish and improve a coordinated management system for regulatory data security, promote the joint participation of the relevant business departments of the CBIRC, local offices at all levels, entrusted institutions and others in regulatory data security protection work, strengthen training and education, and foster a favorable environment for jointly safeguarding regulatory data security.

Chapter 2 Work Responsibilities

Article 7. The administration of regulatory data security shall be implemented through centralized (归口) administration, establishing a management mechanism of overall coordination with division of responsibilities.

The statistics and information department of the CBIRC shall be the centralized administration department, responsible for the overall coordination of regulatory data security administration. Each business department of the CBIRC shall be responsible for the regulatory data security administration of its own department.

Article 8. The specific responsibilities of the centralized administration department include:

(I) formulating work rules and management procedures for regulatory data security;

(II) formulating technical protection measures for regulatory data security;

(III) organizing the implementation of regulatory data security assessments and supervision and inspection.

Article 9. The specific responsibilities of each business department include:

(I) regulating the secure use of regulatory data within the department, specifying concrete work requirements, and implementing relevant responsibilities;

(II) organizing and carrying out the regulatory data security administration work of the department;

(III) assisting the centralized administration department in implementing supervision and inspection of regulatory data security.

Chapter 3 Collection, Storage and Processing of Regulatory Data

Article 10. The collection of regulatory data shall be carried out in accordance with the principles of being secure, accurate, complete and lawful and compliant, avoiding repeated or excessive collection.

Article 11. Regulatory data shall be transmitted through the regulatory work network or the financial private network. Where, due to objective constraints, it is necessary to transmit data through physical media, the Internet or other networks, the assessment and consent of the centralized administration department shall be obtained.

Article 12. Regulatory data shall be stored in the equipment rooms of the CBIRC and shall have complete backup measures. Where it is genuinely necessary to store data in the equipment rooms of an entrusted institution, the assessment and consent of the centralized administration department shall be obtained.

Article 13. The storage period and storage medium management of regulatory data shall be carried out in accordance with the relevant provisions of the State and the CBIRC.

Article 14. The processing of regulatory data shall be carried out within the scope of regulatory work authority or the scope of entrustment. Without the consent of the centralized administration department, no unit or individual may connect code, interfaces, algorithm models, development tools or the like to regulatory information systems.

Article 15. Activities such as the collection, transmission, storage, processing, transfer and exchange, and destruction of regulatory data, as well as its use for system development and testing, shall, in accordance with the type of regulatory data and management requirements, adopt graded and classified security technical protection measures.

Chapter 4 Use of Regulatory Data

Article 16. Regulatory data shall be used solely for the CBIRC’s performance of its regulatory work duties. Where Party and government organs such as discipline inspection and supervision, judicial and audit organs need to use regulatory data in order to perform their work duties, the matter shall be handled in accordance with relevant provisions.

Article 17. The use of regulatory data shall be made traceable through management and technical means. Where regulatory data is used for information system development and testing as well as external display, it shall be de-identified (脱敏).

Article 18. The use of regulatory data that has not been publicly disclosed shall, in principle, be carried out on desktop or notebook computers and other CBIRC work machines that cannot be connected to the Internet. Where, due to objective constraints, it is necessary to use regulatory data by means such as a virtual private network, the assessment and consent of the centralized administration department shall be obtained.

Article 19. Regulatory data downloaded due to work needs may only be stored on the CBIRC’s work machines. The media carrying regulatory data shall be properly safeguarded to prevent data leakage.

Article 20. Information such as processed data and aggregated results generated in the course of using regulatory data shall be administered for security purposes as if it were regulatory data.

Article 21. The external disclosure of regulatory data shall be implemented by the designated business department in accordance with relevant provisions and procedures.

Article 22. Where a business department needs, due to work needs, to provide regulatory data to a unit or individual that is not a Party or government organ, it shall fully assess the data security risks, implement the provision upon the consent of the principal person-in-charge of the department, and, where necessary, conclude a memorandum and confidentiality agreement with the counterparty and file them with the centralized administration department for the record.

Where regulatory data is shared with overseas regulatory authorities or international organizations, the matter shall be administered by the international affairs department in accordance with the regulatory cooperation memoranda of understanding, cooperation agreements and other arrangements signed by the CBIRC or other relevant work arrangements.

Where laws and regulations provide otherwise, such provisions shall govern.

Article 23. Where a business department needs, due to work needs, or where an information system goes offline and ceases use of regulatory data, it shall promptly take measures to seal or destroy such data.

Chapter 5 Administration of Entrusted Services for Regulatory Data

Article 24. Where the collection of regulatory data by a business department involves services provided by an entrusted institution, the department shall communicate with the centralized administration department in advance and obtain its joint signature of consent. The technical service plan of the entrusted institution shall pass the security assessment of the centralized administration department. Where the technical service plan is changed, it shall be reported in advance to the centralized administration department for security assessment.

Where the security assessment is not passed, entrusted services shall not be carried out and a designation relationship shall not be established.

Article 25. An entrusted institution that provides regulatory data services for the CBIRC shall satisfy the following basic conditions:

(I) it possesses the in-house research-and-development as well as operation-and-maintenance capabilities for the systems required to carry out regulatory data work;

(II) it possesses the relevant information security management qualification certifications;

(III) it owns proprietary equipment rooms or has signed a long-term lease contract for equipment rooms;

(IV) its network and information systems possess effective security protection and stable operation measures, and it has not experienced any major cybersecurity incident within the past three years;

(V) it possesses effective regulatory data security management measures and is able to ensure access to and control of the regulatory data by each department of the CBIRC;

(VI) it possesses a regulatory data backup system, an emergency response organization system and a business continuity plan.

Article 26. The CBIRC shall establish an entrusted-service relationship for regulatory data by concluding an agreement with the entrusted institution. The agreement shall specify the service items, term, security management responsibilities, grounds for termination and other content.

Where the CBIRC establishes a regulatory data service relationship by means of designation, it shall issue a designation assignment letter.

Article 27. Where, due to relevant policy adjustments, the original entrusted or designated matters no longer need to be continued, or where a major security problem is discovered in the regulatory data services of an entrusted institution, the CBIRC shall have the right to terminate the entrustment or designation relationship.

Upon termination of the entrustment or designation relationship, the entrusted institution shall promptly and completely hand over the regulatory data, and shall destroy the regulatory data obtained on account of the entrusted or designated matters, and may not retain any related data backups or other content.

Chapter 6 Supervision and Administration

Article 28. Each business department and entrusted institution shall conduct regular self-inspections in accordance with the work rules for regulatory data security, and upon discovering risks such as regulatory data security defects or vulnerabilities, shall immediately take remedial measures.

Article 29. The centralized administration department shall regularly carry out regulatory data security management assessment and inspection of each business department and entrusted institution.

Each business department and entrusted institution shall formulate rectification measures for problems discovered in assessments and inspections, promptly carry out rectification, and submit a rectification report to the centralized administration department.

Article 30. Where any business department or entrusted institution encounters any of the following major regulatory data security risk matters, it shall immediately take emergency response measures, promptly eliminate security hazards, prevent the harm from expanding, and report to the centralized administration department within 48 hours:

(I) regulatory data is leaked or unlawfully used;

(II) regulatory data is damaged or lost;

(III) the information system or network carrying regulatory data suffers a systemic failure causing a service interruption of more than 4 hours;

(IV) the information system or network carrying regulatory data suffers an unlawful intrusion, or experiences the large-scale spread of harmful information or computer viruses or other destruction;

(V) a regulatory data security incident gives rise to public opinion concern (舆情);

(VI) other major cybersecurity incidents affecting regulatory data security as enumerated in the Guidelines for the Determination of Major Cybersecurity Incidents.

Where any of the above major regulatory data security risk matters occurs within a jurisdiction, the relevant CBIRC local office shall immediately take remedial measures and report to the centralized administration department of the CBIRC within 48 hours.

Article 31. The centralized administration department shall establish a notification mechanism for regulatory data security incidents, and promptly notify regulatory data security incidents.

Chapter 7 Supplementary Provisions

Article 32. Classified regulatory data shall be administered in accordance with the relevant confidentiality administration provisions of the State and the CBIRC.

Article 33. Each CBIRC local office shall undertake the responsibility for regulatory data security administration within its jurisdiction, formulate, with reference to these Measures, measures for the administration of regulatory data security within its jurisdiction, specify responsibilities and management requirements, and strengthen regulatory data security protection.

Article 34. These Measures shall come into force as of the date of issuance.

§ RELATED LAWS

See also.

§ COMMENTARY

Briefs on this law.

No briefs filed yet under this law.

§ SUBSCRIBE

The Monday brief.

One short email every Monday. New briefs on Chinese data-compliance rules from the previous week, with the source law cited.

Opt-in only. Unsubscribe anytime by replying "unsubscribe" to any issue.

SUPPORT DCC

Keep the publication free to read. Suggested support is $19.99, or choose your own amount.

Support →