Measures for the Administration of Cybersecurity and Information Security in the Securities and Futures Industries

Issuing Authority: China Securities Regulatory Commission
Area of Law: Network and Information Security (网络与信息安全)
Status: Effective

Full Text


Order of the China Securities Regulatory Commission

(No. 218)



The Measures for the Administration of Cybersecurity and Information Security in the Securities and Futures Industries, as deliberated and adopted at the 1st executive meeting of the China Securities Regulatory Commission for 2023 on January 17, 2023, are hereby issued and shall come into force on May 1, 2023.


Yi Huiman, Chairman of the China Securities Regulatory Commission

February 27, 2023



Annexes: 1. Measures for the Administration of Cybersecurity and Information Security in the Securities and Futures Industries

2. Legislative Explanations for the Measures for the Administration of Cybersecurity and Information Security in the Securities and Futures Industries

Measures for the Administration of Cybersecurity and Information Security in the Securities and Futures Industries

(Deliberated and adopted at the 1st executive meeting of the China Securities Regulatory Commission on January 17, 2023)

Chapter I General Provisions

Article 1 For the purposes of guaranteeing the cybersecurity and information security in the securities and futures industries, protecting the legitimate rights and interests of investors, and promoting the stable and sound development of the securities and futures industry, these Measures are developed in accordance with the Securities Law of the People's Republic of China (hereinafter referred to as the “Securities Law”), the Futures and Derivatives Law of the People's Republic of China (hereinafter referred to as the “Futures and Derivatives Law”), the Securities Investment Fund Law of the People's Republic of China (hereinafter referred to as the “Securities Investment Fund Law”), the Cybersecurity Law of the People's Republic of China (hereinafter referred to as the “Cybersecurity Law”), the Data Security Law of the People's Republic of China, the Personal Information Protection Law of the People's Republic of China (hereinafter referred to as the “Personal Information Protection Law”), the Regulation on Protecting the Security of Critical Information Infrastructure and other laws and regulations.

Article 2 These Measures shall apply to the construction, operation, maintenance and use of network and information systems by core institutions and operating institutions in the territory of the People's Republic of China, the cybersecurity and information security guarantee of products or services provided by information technology (“IT”) system service institutions for securities and futures business activities, and the supervision and administration of cybersecurity and information security in the securities and futures industries.

Article 3 Core institutions and operating institutions shall follow the principle of ensuring security and promoting development, establish and improve the cybersecurity and information security protection system, enhance the security guarantee level, ensure the synchronous progress with the IT work, and promote the stable and sound development of their relevant work.

IT system service institutions shall, under the principle of technical security and service compliance, provide products or services for securities and futures business activities, jointly safeguard the cybersecurity and information security in the industry with core institutions and operating institutions, and promote the development of informationization in the industry.

Article 4 Core institutions and operating institutions shall fulfill the obligation of protecting cybersecurity and information security according to the law, and be responsible for their cybersecurity and information security. Their relevant responsibilities shall not be transferred or mitigated due to provision of products or services by other institutions.

IT system service institutions shall perform duties with due diligence and assume responsibility for the safety and compliance of the products or services provided.

Article 5 The CSRC shall perform the following duties of supervision and administration according to the law:

(1) Organizing the development and promoting the implementation of development plans, regulatory rules and industrial standards for cybersecurity and information security in the securities and futures industries.

(2) Being responsible for the supervision and administration of cybersecurity and information security in the securities and futures industries, and effectively protecting the security of key information infrastructure involved in the securities and futures industries according to the regulations.

(3) Being responsible for the administration of major technology routes and major science and technology projects of cybersecurity and information security in the securities and futures industries.

(4) Organizing the protection of the personal information of investors in the securities and futures industries.

(5) Being responsible for cybersecurity emergency drills, emergency handling, incident reporting, investigation and handling in the securities and futures industries.

(6) Guiding the promotion and development of cybersecurity and information security in the securities and futures industries.

(7) Supporting and assisting relevant departments of the state in organizing the implementation of laws and administrative regulations concerning cybersecurity and information security.

(8) Other duties of supervision and administration of cybersecurity and information security as stipulated in the laws and regulations.

Article 6 The CSRC shall establish a supervision and administration system for cybersecurity and information security in the securities and futures industries featuring centralized administration and hierarchical responsibility. The technology regulation department of the CSRC shall conduct supervision and administration of cybersecurity and information security in the securities and futures industries. Other departments of the CSRC performing the regulation duties shall cooperate with the relevant work.

The local offices of the CSRC shall implement routine regulation of cybersecurity and information security of operating institutions and IT system service institutions within their jurisdictions.

Article 7 The Securities Association of China, the China Futures Association, the Asset Management Association of China and other industry associations (hereinafter collectively referred to as the “industry associations”) shall develop self-regulatory rules for industrial cybersecurity and information security in accordance with the law, and implement self-regulatory management of cybersecurity and information security of operating institutions.

Article 8 Core institutions shall, in accordance with the law, develop technical rules to ensure secure interconnection between relevant market participants and their information systems, strengthen guidance for entities associated with their information systems and network communication facilities, urge them to strengthen management of cybersecurity and information security, and ensure safe and stable operation of relevant information systems and network communication facilities.

Chapter II Cybersecurity and Information Security Operation

Article 9 Core institutions and operating institutions shall improve their IT governance structures and their cybersecurity and information security management systems, establish internal decision-making, management, implementation and supervision mechanisms, and ensure that their cybersecurity and information security management capabilities match the scale and complexity of their business activities.

An IT system service institution shall establish a cybersecurity and information security management system, appoint appropriate security and compliance management personnel, and establish a cybersecurity and information security management mechanism that is compatible with the provision of products or services.

Article 10 Core institutions and operating institutions shall specify the primary person in charge as the first person responsible for their cybersecurity and information security work, and the leading group members or senior executives in charge of the cybersecurity and information security work as directly responsible persons.

Core institutions and operating institutions shall establish coordination and decision-making mechanisms for the cybersecurity and information security work to ensure that the first responsible person and directly responsible persons perform duties.

Article 11 Core institutions and operating institutions shall designate or establish leading departments or institutions for the cybersecurity and information security work, which shall be responsible for the management of important information systems and related infrastructure, the development of cybersecurity emergency plans, the organization of emergency drills, and other work.

Article 12 Core institutions and operating institutions shall ensure that personnel and capital investment are commensurate with the scale and complexity of business activities, and ensure that cybersecurity and information security personnel have professional knowledge and vocational skills that match their performance of duties.

Article 13 Core institutions and operating institutions shall ensure that the information system and related infrastructure have reasonable structure, adequate performance, capacity, reliability, expansibility and security, and ensure that the relevant security technical measures are planned, constructed and used simultaneously with the informatization work.

Article 14 Core institutions and operating institutions shall implement the cybersecurity grade protection system, fulfill the obligations of cybersecurity grade protection according to the law, and carry out such work as recordation, grade evaluation, and security construction of network and information systems in accordance with the relevant requirements of the state and the securities and futures industries for cybersecurity grade protection.

Core institutions and operating institutions shall, in accordance with relevant requirements, report the cybersecurity grade protection work to the CSRC and its local offices.

Article 15 Core institutions or operating institutions that establish and launch, operate and change, or remove important information systems shall sufficiently evaluate the technical and business risks, develop risk prevention and control measures and emergency response and rollback plans, and review and verify the relevant results; where the change may have a relatively significant impact on the safe and stable operation of the securities and futures markets, they shall report to the CSRC and its local offices.

Core institutions and operating institutions shall not make changes in important information systems during trading hours, except under circumstances of faults and defects in important information systems, which require urgent repair after assessment.

Article 16 Before launching or changing important information systems, core institutions and operating institutions shall develop comprehensive test plans, continuously improve test cases and test data, and ensure effective execution of tests.

Except where sensitive data must be used, core institutions and operating institutions shall desensitize the sensitive data involved in the test environment, and shall adopt the same security control measures as in the production environment for any data that is not desensitized.

When launching important information systems such as trading, market quotation, account opening, clearing or communications system, or conducting major upgrading or modification, core institutions shall organize relevant market participants to conduct networking tests.

Article 17 Before suspending or terminating provision of services for investors on the Internet, core institutions and operating institutions shall perform the obligation of notification and reasonably choose announcement, directional notice and other means to notify investors of the impact of relevant business, alternative methods and countermeasures.

Article 18 Core institutions and operating institutions shall establish and improve the monitoring and early warning mechanism for cybersecurity and information security, set monitoring indicators, continuously monitor the operation of the information system and relevant infrastructure, handle abnormal situations in a timely manner, and evaluate and continuously optimize the implementation effects of the monitoring mechanism on a regular basis.

Core institutions and operating institutions shall comprehensively and accurately record and appropriately keep the business logs and system logs in the process of production and operation to ensure that the needs of fault analysis, internal control, investigation and evidence collection, among others, are met. Important information system business logs shall be kept for not less than five years, and system logs shall be kept for not less than six months.

Article 19 Core institutions and operating institutions shall establish cybersecurity and information security protection systems, and comprehensively adopt security guarantee measures such as network isolation, user authentication, access control, policy management, data encryption, prevention of website tampering, prevention of Trojan horses and viruses, intrusion detection and cybersecurity situation awareness, so as to improve their cybersecurity and information security protection capabilities, identify and block cyber attacks in a timely manner, protect important information systems and relevant infrastructure, and prevent information leakage and damage.

Article 20 Core institutions and operating institutions shall establish local, intra-city and off-site data backup facilities. Important information systems shall back up data at least once a day and verify the validity of data backup at least once a quarter.

Core institutions and operating institutions shall establish failover facilities and disaster backup facilities for important information systems, determine recovery targets according to the significance of the information systems and the business impact, and ensure continuous business operation. Disaster backup facilities shall take the form of intra-city and off-site disaster backup centers.

If core institutions and operating institutions deploy important information systems by active-active or multiple-active architectures, any data center may be regarded as a disaster backup facility for other data centers under the premise of ensuring continuous business operation.

Article 21 Core institutions and operating institutions shall carry out at least one stress test of important information systems every year, and shall conduct stress tests of the relevant information systems in a timely manner if they find that the market is fluctuating greatly and the performance capacity of important information systems may be unable to guarantee safe and stable operation.

Core institutions and operating institutions shall, in accordance with the relevant industrial standards and on the basis of the technical characteristics of systems and types of business ass......
