Comments on the CIRC <Supervision Rules on Insurance Institutions Adopting Digitalized Operations>

2015-10-30

The European Chamber supports China’s desire to create a secure and reliable operating environment for insurance institutions. To this end, we first emphasize some general comments on cybersecurity-related legislation in the insurance sector:
The European Chamber supports China’s urgent desire to create a secure and reliable operating environment for insurance institutions. To this end, we would first like to emphasize several general recommendations on cybersecurity legislation in the insurance sector:
1. Market-based solutions
Market-based solutions
Using a market-based approach, i.e. allowing insurance companies to freely choose the cyber security products and solutions that fulfill their security needs, is recognized as the most efficient way to ensure a consistently high security level for the system overall. This is because market-based competition between insurance companies requires them to invest continuously in their security, simply for fear of losing out to a competitor. The CIRC, as a regulator, should harness this natural process more effectively by refraining from prescriptively laying out procurement requirements. Mandating the use of localised or indigenously developed platforms, products or solutions is detrimental to overall system security, as it risks increasing the number of attack surfaces and constrains the interoperability of a company’s systems, inside and outside of China. Furthermore, leveraging standards that are based on global best practices and experiences will allow industry to incorporate regular updates into their systems and develop their security needs apace with the evolution of cyber security threats.
Adopting a market-based approach, that is, allowing insurance companies to meet their security needs by freely choosing cyber security products and solutions, is recognized as the most effective way to ensure that the system as a whole maintains a high level of security. This is because market competition among insurance companies requires them to invest continuously in security so as not to be eliminated by competitors. As the regulator, the CIRC should not prescribe procurement requirements; only then can it supervise this natural process more effectively. Whether inside or outside China, mandating the use of localised or indigenously developed platforms, products or solutions will increase the number of attacks and limit interoperability between the different systems of the same company, thereby harming overall system security. Furthermore, adopting standards consistent with global best practices and experience will allow the industry to incorporate regular updates into its systems and align its security needs with evolving cyber security threats.

2. Transparency and Public Consultation
Transparency and public consultation
Ensuring that the policy-making process is conducted in a transparent manner with public consultation, such as this call for comments, will help both the CIRC and the business community. By doing so, businesses will better understand the issues that concern regulators, contribute to solutions, and ultimately ensure compliance as well. We thus recommend that the CIRC continue to publicly release its revised (draft) Supervision Rules at the drafting stage for comment and give sufficient time for formal feedback, ideally 30 days, prior to any implementation. This should apply to any other forthcoming documents related to the (draft) Supervision Rules, such as add-on notices or catalogues clarifying which information technology (IT) products and solutions fall under the jurisdiction of the (draft) Supervision Rules. We noted with concern that an unfortunate precedent was set earlier this year with the roll-out of a set of guidelines to regulate the procurement of IT products and solutions in the Chinese banking sector. In that case, a product catalogue with vital information on the affected product categories was never officially made public. In this respect, we would like to reiterate the need for transparency in legislation and the involvement of all stakeholders, domestic and international.
Ensuring that policy is made in a transparent manner, with public solicitation of opinions such as this call for comments, will benefit both the CIRC and the industry. In this way, companies can better understand the issues regulators are concerned with, propose more targeted solutions, and ultimately ensure compliance. We therefore recommend that the CIRC continue to publicly release the revised draft Supervision Rules for comment at the drafting stage, and reserve sufficient time for formal feedback before implementation, ideally 30 days. This should apply to any future documents relating to the draft Supervision Rules (such as add-on notices or catalogues clarifying which information technology products and solutions fall under the Supervision Rules). We note that the administrative rules on the procurement of information technology products and solutions in the Chinese banking sector, issued at the beginning of this year, set a negative precedent: the catalogue of affected products, which contained important information on product categories, was never officially made public. For this reason, we wish to reiterate the necessity of legislative transparency and of ensuring the participation of all domestic and international stakeholders.