There are several key cybersecurity requirements that WFOE PFMs would do well to pay close attention to, writes Yang Xun
As of May 2018, 11 wholly foreign-owned private fund management companies (WFOE PFMs) had registered with the Asset Management Association of China (AMAC) and been authorized to carry out private fund management business in China. This is a milestone in the opening up of China's private fund business.
The establishment and operation of a private fund business raise a large number of legal issues, among which cybersecurity protection stands out, given the strengthened cybersecurity legal regime. In this respect, there are a number of key cybersecurity requirements that WFOE PFMs should pay attention to.
WFOE PFMs generally favour an organizational model under which they hire a small China team focused on local business, including distribution of funds and execution of investments, while leaving back-office functions, including compliance checks, IT maintenance and administration, to offshore teams. To realize such a model, WFOE PFMs typically adopt the following IT structure:
(1) The WFOE PFM's local employees use terminals at the WFOE PFM's premises to submit investment proposals and place investment orders; those terminals are connected to local servers, which are in turn connected to global servers via VPNs;
(2) An overseas compliance team conducts compliance checks and risk control reviews from terminals connected to the global servers; and
(3) An overseas IT team maintains the IT facilities and provides IT support remotely.
CYBERSECURITY LAW REQUIREMENTS
The Cyber Security Law, which was promulgated on 17 November 2016, came into effect on 1 June 2017. As the first comprehensive legislation on cybersecurity matters, it not only imposes a series of obligations on network operators, but also revives a number of existing cybersecurity requirements that had been poorly enforced.
The promulgation of the Cyber Security Law and, subsequently, of a series of supporting laws, regulations and guidelines has drawn the attention of a wide range of businesses, including financial services. The private fund management business is, without doubt, also affected.
Duty to maintain cybersecurity. The Cyber Security Law imposes a number of obligations on network operators to protect the security of their networks and the information stored on them. The term "network operator" is defined broadly to include the owners and administrators of all types of computer systems, including both internet sites and companies' intranets. WFOE PFMs usually operate a network on which they store client information and process investment transactions, as well as administer their internal functions. As such, WFOE PFMs are "network operators" regulated by the Cyber Security Law and obligated to perform cybersecurity duties, including:
- To formulate and implement an IT security management policy and, following that policy, adopt the necessary technical and managerial measures to ensure the security of the networks, including measures appropriate to the networks' security level;
- To formulate disaster recovery and contingency plans and, following those plans, to back up data during normal operation of the business and to mitigate the impact when incidents actually occur;
- To adopt and implement personal data protection policies in compliance with legal requirements, and to protect personal information accordingly; and
- To consider security issues such as reliability, reliance and technical redundancy when procuring IT equipment and IT-related services.
WFOE PFMs rely heavily on their networks to store clients' personal information, to process transactions and to communicate with their overseas headquarters. Consequently, the security duties that WFOE PFMs perform should be commensurate with the importance of those networks.
Protection of personal information. The Cyber Security Law provides a suite of principles on personal information protection. These principles do not differ significantly from those of EU data protection law, and include: (1) seeking data subjects' informed consent to the collection of their personal information; (2) adopting proper measures to protect the personal information collected; (3) collecting only "necessary" personal information; and (4) not disclosing or using personal information beyond the scope of the purposes to which data subjects have consented.
Yang Xun is a partner at Llinks Law Offices