By Sandra Lu | David Pan | Lily Luo

There is no such thing named as “critical information infrastructure” under the U.S. law; rather, the subject is defined as an information system used to support a critical infrastructure. “Critical infrastructure” usually refers to any system or infrastructure that plays a critical role in relation to national security and the normal operation system of the society. In 2002, the U.S. passed the Homeland Security Act, and the Department of Homeland Security became the competent department of critical infrastructure, resulting in a close connection between critical infrastructure and homeland security. The Critical Infrastructures Protection Act of 2001 provides that, “critical infrastructures means systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”[4]

In 2003 and 2008, the sectors and fields covered by critical infrastructures varied, until 2013, the Presidential Policy Directive No. 21[5] eventually confirmed 16 critical infrastructure sectors: chemical, commercial facilities, communications, critical manufacturing, dams, defense industrial base, emergency services, energy, financial services, food and agriculture, government facilities, healthcare and public health, information technology, nuclear reactors, materials and waste, transportation systems, water and wastewater systems. On 11 May 2017, President Trump signed off a presidential executive order, demanding the strengthening of cybersecurity of federal critical infrastructures[6].

The Department of Homeland Security designated a sector-specific agency responsible for cybersecurity of each critical infrastructure. According to the sector guidelines issued by the Department of Homeland Security, financial services sector is inclusive of “invest funds for both long and short periods”, and the competent department in charge of cybersecurity of the financial services sector is the U.S. Department of the Treasury. According to Financial Services Sector-Specific Plan 2015, the Financial Services Sector Coordinating Council, which is made up of the major institutions of the financial sector, assisted the Department of Homeland Security to pass projects such as “information sharing”, “best practices”, “incident response and recovery” and “policy support”, to facilitate the cybersecurity of critical infrastructures of the financial services sector[7].

The Council Directive on the Identification and Designation of European Critical Infrastructures and the Assessment of the Need to Improve their Protection[8] issued in 2008 provides that critical infrastructure shall refer to an asset, system or part thereof located in Member States which is essential for the maintenance of vital societal functions, health, safety, security, economic or social well-being of people, and the disruption or destruction of which would have a significant impact in a Member State as a result of the failure to maintain those functions. The Member States of the EU generally consider “finance” as within the scope of critical infrastructures.

Specifically regarding critical infrastructures, the European Union Agency for Network and Information Security (“ENISA”) advocates the implementation of the national strategy of information protection for the national network, under which the specific measures are similar to China’s CII operator administrative system. For instance, there are measures for the formulation of contingency plans for cybersecurity incidents, the organization of cybersecurity rehearsals, the formulation of the basic standards of cybersecurity, the setting up of a report mechanism for cybersecurity incidents and the reaction capacity towards such incidents.

It is especially worth noting that, the many years of experience of the EU shows that it is important to balance public and private interests in the security administration of CII. ENISA’s report points out that, “Information-sharing among private and public stakeholders is a powerful mechanism to better understand a constantly changing environment. Information-sharing is a form of strategic partnership among key public and private stakeholders. Owners of critical infrastructures could potentially share with public authorities their input on mitigating emerging risks, threats, and vulnerabilities while public stakeholders could provide on a 'need to know basis' information on aspects related to the status of national security, including findings based on information collected by intelligence and cyber-crime units.” For the sake of balancing public and private interests, the EU specifically stressed that “a public-private partnership (PPP) establishes a common scope and objectives and uses defined roles and work methodology to achieve shared goals[9]”.

As regulations on cybersecurity have already ascended to a level concerning “state sovereignty in space”, how a WFOE PFM should commence its business in compliance with Cybersecurity Law has become a serious problem which cannot be neglected. We hereby provide a few suggestions on the adaptive strategies that a WFOE PFM may take at the present stage: 

1. Paying close attention to the legislation progress of the complementary regulations and guidelines of Cybersecurity Law and the corresponding arrangements of transition period; 

2. Being well-prepared to satisfy compliance requirements. For example, based on the existing regulations and the relevant consultation papers, to draft a cybersecurity protection system, contingency plans and emergency disposal mechanisms, system and procedures of security assessment on the cross-border transfer of personal information and important data, and to reorganize the collection procedures of personal information; 

3. Maintaining communication with the Cyberspace Administration of China, CSRC and AMAC. Apart from paying close attention to the legislation progress, WFOE PFMs may also actively provide suggestions towards those authorities, such as: 

(1) Regarding the CII Identification Guidelines, the experiences of the U.S. and the EU may be referred to, e.g. public-private partnership may be promoted to realize the balance between public and private interests; the self-disciplinary authority of the industry (AMAC) may formulate corresponding rules in accordance with the characteristics of private fund industry by taking into consideration the industry nature (whether a WFOE PFM is a financial institution and whether the PFM business belongs to financial industry), the importance of the system (whether the system is a core business system), whether the operator has owned a certain number of clients, a certain amount of data, and a certain scale of assets under management. Such an approach may realize a dynamic supervision and regulation and make compliance with laws and regulations become more predictable, so that a WFOE PFM can be well prepared to satisfy compliance requirements; 

(2) Whether it is possible to exempt or simplify the procedures of security assessment over cross-border transfer of personal information and important data on an intra-group basis for the purpose of compliance and risk control; 

(3) In the event that circumstances invoking the organization of a security assessment by the regulator occur, the regulator may take into account the need of real-time trades of the fund management business and other such characteristics to conduct regular assessment, instead of conducting an assessment every time data is transmitted outbound; 

(4) If WFOE PFMs belong to CII operators and that investment management and trading system falls within the definition of CII, whether it is possible that a longer transition period could be provided to WFOE PFMs which have adopted FIX model, so that the relevant WFOE PFMs may localize the global investment management and trading system, or purchase a local investment trading system and upgrade it to satisfy the compliance and risk control requirements set out by the group corporate.

Authors:

通力法律评述 | 刍议医疗类广告合规风险

通力业绩 | 通力服务A股创业服务第一股——创业黑马(北京)科技股份有限公司于创业板成功上市

通力业绩 | 通力助力上海电气发行股份收购H股上市公司集优股份控股权等资产

通力荣誉 | 通力荣获China Law & Practice 2017年度中国法律奖多项提名

通力法律评述 | 浅析名为股权转让实为房地产转让的合同效力——以司法案例为视角

通力法律评述 | 简析《关于修改〈外商投资企业设立及变更备案管理暂行办法〉的决定》