Corporate Treasurer – China cybersecurity law: corporates scramble for alternatives

By Benny Kung, Corporate Treasurer

Consultants report huge boost in demand as Beijing turns the taps off on open cloud systems as part of new, tougher cyber laws.

Three months on from the introduction of China’s new laws on cybersecurity – which requires companies to store information that involves Chinese citizens only within the country – financial departments at multi-national corporations (MNCs) are scrambling to find alternatives to open cloud systems.

In the ensuing rush, companies find themselves struggling to operate without some of their most valuable data analytics tools, an expert in risk assurance told CT.

As well as personal information, the cyber security law, introduced in June, also requires companies to store information on sectors it deems “critical” onshore – without clearly defining what these areas might be.

The upshot is companies now have to abide by a higher standard on data and systems, with violators facing fines of up to Rmb1 million ($153,000) and imprisonment.

In practice, companies can no longer use open-cloud systems hosted outside China and must protect sensitive information obtained onshore.


Political issue

“I think the authorities in China are really (taking cyber security) as a national security issue – it is a political issue,” said Jim Woods, a global partner for risk assurance at PwC. “The authorities have really made it a top priority in the corporate world.”

“Anyone who’s operating in China must comply with the law, has to protect data, has to make sure data is secure,” Woods said.

“It doesn’t just apply to SOEs [state-owned enterprises] for example; if you are an MNC operating in China, you have to be sure that you know that any data that is produced or retained in China, is retained and secured.”

To an extent, China’s moves to strengthen cybersecurity mirror trends elsewhere. For example, the European Union requires companies to notify authorities within 72 hours of spotting any compromise of personal data. The difference in China is that forcing companies to onshore their information will inevitable obstruct their operations.

Already, many MNCs have started searching for quality alternatives to the cloud-hosted data-analytic tools  they use to assist financial planning, compliance and other operational functions.

“We’re seeing a huge increase in the amount of work (coming to us),” Woods said, referring to the increase in demand for PwC’s consultation services.


VPN ban

Another consequence of the law has been a ban on virtual private networks, or VPNs – services designed to circumvent geo-restrictions and censorship.

“The Great Firewall” – as the Chinese government’s blocking of big-name western web services such as Facebook, YouTube and Google is popularly known – has long been a disincentive for foreign corporates setting up in China, a problem DBS Bank acknowledged in its guide for treasury management.

While foreign corporates have long been used to using VPNs to access information freely available elsewhere on the internet, the new law is likely to make this more difficult.

Apple has already begun removing popular VPN apps from its mobile application platform. Other VPN services are also being disrupted, causing problems for corporates and ordinary internet users alike.



However, cyber experts said the actual implementation of the law could prove to be flexible.

“We are still in a stage of exploration,” said Stephen Chan, principal consultant at Hong Kong-listed Edvance International, said.

Chan cited the example of a British company he worked with. Its Shanghai office was trying to connect to the group’s international computer network.

At the first attempt, an international telecommunication company turned down the request, citing a violation of the cybersecurity law.

“But this is okay,” Chan said, because another company finally finished the project.

Chan also noted that the cybersecurity law did provide some leeway for companies to work around restrictions on things like storing information overseas. “That would just need more coordination with the local Cyberspace Administration offices for the right interpretation of the law,” Chan said.

“Multinational corporates and people living in the free world may not get used to the law, this is a cultural difference,” Chan said, adding corporates should be fine as long as they do not intend to threaten China’s national security.


Sources: Benny Kung, The Corporate Treasurer: