Implications Of China's National Cybersecurity Law

A new report examines cloud adoption practices and priorities in the Chinese Financial Sector.

The National People’s Congress of the People’s Republic of China (PRC) recently passed a National Cybersecurity Law designed to tighten and centralize state control over the flow of information and use of technology equipment, raising some concerns among foreign companies currently operating in China.

The law adds a number of changes — the most controversial of which strengthens China’s ability to freeze assets and take punitive measures against foreign entities that violate Chinese cybersecurity laws — with financial companies possibly being the most affected. The law could require them to provide data on their customers, subject software and hardware to security review, and institute a data retention requirement. Ultimately, the law — set to go into effect on June 1, 2017 — gives sweeping authority to the government over regulation and monitoring of Internet services in China.

The Lawfare blog identified five key characteristics of note in the law, including imposing vague requirements on internet companies to support the scope of state authority; establishing particularly restrictive regulations for critical information infrastructure; providing a legal basis for existing internet regulations; creating wide-ranging punishments for non-compliance including revocation of business licenses and individual detainment up to fifteen days; and providing some substantial individual protections.

In light of this, a Cloud Security Alliance survey report conducted in partnership with EY China, Cloud Adoption Practices and Priorities in the Chinese Financial Sector: Survey Report, looks to present a clearer picture of cloud adoption and potential gaps holding back the adoption of cloud within the FSI sector in China. 

Though the report has not been released in the U.S., the research proves useful for reporting on cloud adoption trends in non-U.S. markets vs. U.S. markets and demonstrates the uncertain future of foreign companies operating in China. Among the reports key findings:

• 47.9 percent of the FSIs in China say they are developing a cloud strategy, 43.8 percent say they have developed a cloud strategy, but only 8.3 percent say they have a strict no cloud policy
• 54.2 percent mention that no cloud service data security and compliance regulations are predetermined in their organization
• 37.5 percent of the respondents say the top cloud threat in their organization is the lack of security management leadership
• Due to the lack of commitment at the senior level, 63.5 percent of all cloud computing and cybersecurity professionals indicate they have not participated in or organized any cloud application development or cloud security related training