Comments on the CIRC <Supervision Rules on Insurance Institutions Adopting Digitalized Operations>

2015-10-30 | All chapters

The European Chamber supports China’s desire to create a secure and reliable operating environment for insurance institutions. To this end, we first emphasize some general comments on addressing cybersecurity-related legislation in the insurance sector:
1. Market-based solutions
Using a market-based approach, i.e. allowing insurance companies to freely choose the cyber security products and solutions that fulfill their security needs, is recognized as the most efficient way to ensure a consistently high security level for the system overall. This is because market-based competition between insurance companies requires them to continuously invest in their security, simply for fear of losing out to a competitor. The CIRC, as a regulator, should harness this natural process more effectively by refraining from prescriptively laying out procurement requirements. Mandating the use of localised or indigenously developed platforms, products or solutions is detrimental to overall system security, as it risks increasing the number of attack surfaces and constrains the interoperability of a company’s systems, inside and outside of China. Furthermore, leveraging standards that are based on global best practices and experience will allow industry to incorporate regular updates into their systems and develop their security measures apace with the evolution of cyber security threats.

2. Transparency and Public Consultation
Ensuring that the policy-making process is conducted in a transparent manner with public consultation, such as this call for comments, will help both the CIRC and the business community. By doing so, businesses will better understand the concerns of regulators, contribute to solutions, and ultimately ensure compliance as well. We thus recommend that the CIRC continue to publicly release its revised (draft) Supervision Rules at the drafting stage for comment and give sufficient time for formal feedback, ideally 30 days, prior to any implementation. This should apply to any other forthcoming documents related to the (draft) Supervision Rules, such as add-on notices or catalogues clarifying which information technology (IT) products and solutions fall under the jurisdiction of the (draft) Supervision Rules. We noted with concern that an unfortunate precedent was set earlier this year with the roll-out of a set of guidelines regulating the procurement of IT products and solutions in the Chinese banking sector. In that case, a product catalogue with vital information on the affected product categories was never officially made public. In this respect, we would like to reiterate the need for transparency in legislation and the involvement of all stakeholders, domestic and international.