As China aims to strengthen its cybersecurity regime, it recently updated its Multi-Level Protection Scheme (MLPS) for data security. The updated scheme applies to all technology, media and telecommunication (TMT) companies in the country. Several firms had already started preparing for the new requirements by strengthening their online security systems, and more work is expected to come under the heightened regulatory landscape.
The Multi-Level Protection Scheme (MLPS) governs China’s IT security standards. It is mandated by the Cybersecurity Law (CSL), a broad piece of legislation governing China’s cyberspace that took effect in June 2017. To prevent security issues such as unauthorised access, data leaks and falsification, the CSL obliges network operators to establish, monitor and inspect their security systems in line with the requirements of the MLPS.
After the MLPS was introduced in 2007, China’s Ministry of Public Security released a draft Regulation on the Cybersecurity MLPS last year, intended to become MLPS 2.0. As the public security authorities have yet to finalise the draft, what is currently referred to as “MLPS 2.0” is a set of national standards that took effect in December, says Kate Yin, partner at Fangda Partners.
MLPS 2.0 extends the scope of the law’s application and raises security standards. It is seen as part of an effort to make China’s data privacy regulatory regime more comprehensive and more strictly enforced.
WIDER AND STRICTER
Cybersecurity experts point to several highlights of MLPS 2.0 national standards.
“MLPS 2.0 focuses on protection of the network while MLPS 1.0 focused primarily on protection of the information system,” says Yin. Besides the change in terminology from “information system security” to “cybersecurity”, MLPS 2.0 widens its application to networks ranging from cloud computing platforms to big data, the Internet of Things, industrial control systems and the mobile Internet.
Penalties could also be harsher. Under MLPS 2.0, all network operators may face legal consequences for failing to comply with the relevant MLPS requirements, regardless of the grade assigned to their network. This is stricter than MLPS 1.0, under which only companies graded at level 3 faced such consequences. Operators of networks graded at level 3 or above may now face even more severe penalties for non-compliance.
Yin also points out that MLPS 2.0 requires proactive protection of the network, rather than reliance on preventive measures alone.
“MLPS 2.0 takes a holistic view on the security measures and management measures, including proactive and preventive measures, response to incidents, and audit and evaluation of the effectiveness of the measures,” she explains.
Yin also reminds TMT companies of the potential localisation requirement in MLPS 2.0. Under the MLPS 2.0 national standards, a network operator would need to require its cloud storage provider to meet various security and management measures, including having cloud services infrastructure in China. If the data is hosted entirely outside China and there is no core IT infrastructure in China, there is a high likelihood that such a network operator would not be able to complete the relevant processes under MLPS 2.0.
“Therefore, the network operators may inevitably localise the facilities necessary for their business, such as servers and databases, as well as network and security equipment, in China to pass MLPS 2.0 grading and filing,” she explains.
Companies will also have to keep an eye on how the MLPS 2.0 Regulations, which are expected to be finalised this year, will affect them.
Firstly, the grading and filing process could change. Under MLPS 1.0, companies conduct a self-assessment and grade their own information systems, but the new MLPS 2.0 Regulations might leave network operators less room to grade their systems themselves. Yin reminds network operators that those graded at level 2 or above will need to organise a panel of experts to grade their information systems.
She also predicts that more companies will fall into level 3 or above. While retaining the current five-level scheme, which runs from level 1 as the least critical to level 5 as the most important, the new regulations propose to expand the scope of level 3 to include information systems whose compromise would cause particularly serious damage to the legal rights of citizens, legal persons and other organisations; such systems could have been graded at level 2 under MLPS 1.0.
While agreeing that the compliance burden of companies graded at level 3 or above will increase under MLPS 2.0, Vincent Wang, partner at Global Law Office, does not expect most TMT companies, especially foreign TMT companies in China, to be graded at such high levels, contrary to Yin’s prediction.
He also believes that implementing MLPS 2.0 will not add much of a burden to TMT companies, provided they do not voluntarily opt for over-compliance strategies.
“From the perspective of law, MLPS 2.0 Administration is not finalised yet, and relevant laws and regulations under MLPS 2.0 are not complete. So, there is not yet much legal compliance work required by mandatory laws and regulations,” Wang tells ALB.
“And from the perspective of technical requirements, although the new MLPS 2.0 standards came into force on Dec. 1, 2019, most technical requirements are only basic requirements for TMT companies, especially companies graded as level 1 and level 2. Such requirements will not significantly increase their technical compliance burdens,” he further explains.
But Fangda’s Yin believes the burden exists regardless, arguing that even without the revamped MLPS regime, TMT companies in China will inevitably have to upgrade their protective measures in line with the risks of the data they process and the networks they use, simply because public and regulatory expectations of data protection and network security have been rising over the years.
And MLPS 2.0 is certainly bringing new challenges to the TMT companies, she believes.
“The requirement on localising the cloud services providers’ infrastructure in China would mean that many TMT companies will have to consider those cloud services providers with data centres in China, for these TMT companies to pass MLPS 2.0 grading,” Yin explains.
However, she expects that data localisation may become a choice rather than a burden, given that many well-known cloud services providers are localising their services and infrastructure in China, although in the short term it may be seen as a cost and an excessive workload for IT and information security departments.
Another challenge is that TMT companies in China would have to “top up” many security and management measures, as they now have little room to argue over the grading of their information systems and networks. This is particularly the case for foreign-invested TMT companies, as the technical maintenance of networks graded at level 3 or above will have to be conducted in China.
For many TMT companies, the new regulations bring major changes to their security maintenance and staffing, and they are moving quickly to respond.
Experts from the data compliance department of JD Digits, a Beijing-based technology company, tell Asian Legal Business how they have responded.
“Our information security team, security compliance team and audit team have formed the three lines of defence for cybersecurity to manage cybersecurity risks at all levels,” they say.
“The security compliance team actively worked with the regulators to formulate and discuss regulatory standards, while studying MLPS 2.0 in-depth and giving suggestions for improvement. The information security team implemented the measures outlined in MLPS 2.0. Meanwhile, our audit team performed cybersecurity compliance audits on our implementation of MLPS 2.0, establishing a closed system for managing compliance risks,” they explain.
The company’s security team now consists of 200 members, who carry out comprehensive protection for its data and systems. On the technical front, they have developed a range of security products, such as a web application firewall, a host-based intrusion detection system, DDoS attack prevention, a mobile security platform, and a vulnerability scanning platform to enable active defence.
They do so in the conviction that network operators must ensure their networks are free from interference, damage or unauthorised access, and must prevent network data leaks, theft or falsification, in accordance with the requirements of the MLPS.
“As a lead player in the digital technology industry, JD Digits sees regulatory compliance as a lifeline for the company’s development,” they reiterate. “We have implemented stricter requirements for cybersecurity based on MLPS 2.0, and MLPS 2.0 will only drive our competitiveness instead of being our burden.”
The proactive strategy adopted by JD Digits is also what legal experts would suggest to other TMT companies.
“Take action and no waiting,” Fangda’s Yin says. “If you only look at the legal ramification provided at law, you may think that: ‘well we can wait until the regulators ask us to take action as rectification of incompliance.’ However, in the event of such government investigation, the period of rectification designated by the public security authorities may not be sufficient for completing all or materially all of the actions.”
She also warns TMT companies to consider the wider implications if the risk of non-compliance with MLPS 2.0 remains unaddressed: failure to comply with a rectification order issued by the authorities under the MLPS may result in criminal liability if that failure has caused serious damage.
She offers two tips for TMT companies to prepare for MLPS 2.0, especially when it comes to grading.
“Firstly, take inventory of the information systems that support different lines of business to help identify the information systems that require grading. Secondly, consult with experts in the grading and get ready for MLPS 2.0,” she says.
Global Law Office’s Wang also reminds TMT companies to take more initiative by raising compliance awareness and identifying their strengths, so as to respond actively to the changes brought by MLPS 2.0.
And for foreign TMT companies in China, “The grading assessment industry is not listed in the prohibited and restricted list for foreign investors. It is anticipated that there can be more foreign firms providing security grading assessment services for foreign TMT companies in China,” Wang says.