GC Roundtable: Cybersecurity

by Ines Yang

Compared to other industries, financial institutions have always assumed higher responsibilities and obligations in terms of cybersecurity and data protection. With the digital economy booming, the risk control and compliance awareness of financial institutions has been pushed to an unprecedented height. The rapid roll-out of new information technology (IT) tools is not only reshaping the traditional format of the financial industry, but is also penetrating every aspect of financial business innovation. For financial institutions, whose “thick walls” guard the data that is their core asset, cybersecurity and data compliance work has many distinctive features and is of particular importance.

We invited three general counsel who, speaking from their respective industries, evaluated the responsibilities and obligations that financial institutions should shoulder, discussed how they lead in-house teams to deal with new risk scenarios, explored what compliance creating value really means, considered how domestic and international legal frameworks could be optimized to resolve existing conflicts and issues, and shared insights into how financial institutions can better serve companies with global footprints under the increasingly stringent cybersecurity and data compliance regulations around the world.

 

- Daniel Liu (刘东), Legal Head, Standard Chartered Bank (China) Limited

- Jeffrey King (靳毅), Compliance Director, General Manager of the Legal and Compliance Department, Taikang Insurance Group Inc.

- Wen Jianxiu (文建秀), General Counsel, China CITIC Bank

 

ALB: What greater cybersecurity and data protection obligations should the financial industry fulfil in comparison to other industries?

Liu: Be it for a country's economic prosperity and stability, or for the security of the financial assets of an individual or a single enterprise, financial institutions have a unique status in society and should naturally assume greater legal responsibilities than other industries in terms of cybersecurity and data protection. In terms of banking practice, the financial industry has accumulated and is storing a huge volume of corporate and personal identity information and financial data. At the same time, with ever more reliance on online banking, paperless instructions and online trading, both static customer data storage and dynamic transaction data transmission now take completely different forms from the traditional ones.

Therefore, compared to other industries, banks' systems are subject to higher requirements in many aspects of cybersecurity and data protection, mainly in: (1) preventing computer viruses and network intrusion; (2) preventing, identifying and intercepting information leakage; (3) user authentication and identification; and (4) transaction data storage, encryption and backup. For example, the financial industry adopts higher standards for digital signatures than those applicable to other industries, and third-party certification and third-party evidence preservation have gradually become universal practice in the industry.

King: The following three factors lead financial institutions to assume more stringent cybersecurity and data protection obligations: (1) Financial institutions are quasi-public companies. They are very similar to listed companies in that both are of a strongly public nature, and this is true even of a financial company that is not listed. Listed companies are public by virtue of their shareholders and investors, while financial institutions are public by virtue of their clients. Public companies involve a wide range of stakeholders and therefore need to shoulder more stringent cybersecurity and data protection obligations; (2) Financial institutions are also data institutions. They provide services related to capital and finance, and the products they offer are virtualized numbers, data and information: passbooks, credit cards, stock accounts, insurance contracts, trust deeds and so on are all carriers of data; and (3) Financial institutions are the most likely to become “systemically important institutions”. They make profits by assuming and managing risk. Once risk goes out of control, major problems will occur that affect thousands of households and the national economy. Therefore, financial institutions should treat risk prevention and data protection as their top priority when processing data. The focus of cybersecurity and data protection in the financial industry should be on citizen information protection, transaction information protection, data system stability and the regulation of data mining.

Wen: In view of the special nature of the business conducted in the financial industry, a large volume of important client information and client funds is held in the form of network data. Therefore, the financial industry should be subject to higher confidentiality requirements for network data and should also bear greater security protection obligations towards client funds. Judging by the existing legal provisions in China, data and information held by the financial industry are adequately protected and may not be demanded except through judicial procedures.

At the same time, the relevant regulatory authorities have imposed stringent requirements on the protection of personal financial data by banking financial institutions. For example, when using personal financial data, banking financial institutions must ensure that such use is consistent with the purposes for which the data was collected. Where client information needs to be provided to business partners for business development needs, banking financial institutions should also comply with the regulatory provisions, which can be summarized as follows: (1) the clients have consented to and authorized the use of their financial data by the relevant business partners; (2) the financial institution has obtained written authorization documents from the clients agreeing that the financial institution may provide their financial data to the relevant business partners, and such authorization documents must specify the scope and purposes of the financial data use and must not take the form of a general authorization; and (3) the financial institution should inform clients, in a prominent manner, of the possible consequences of granting authorization.

 

ALB: What are some of the new, hidden or potentially disastrous risk scenarios that have emerged recently or will emerge in the future in your industry that need to be identified and prevented? How is your in-house team planning for such scenarios?

Liu: On the one hand, the rapid development of science and technology will expose potential loopholes in traditional financial technology, and such loopholes may be seized upon by criminals, resulting in crimes such as counterfeit bank cards, fraudulent card transactions and forged company seals. This has posed challenges to traditional financial IT and internal control, requiring banks to continuously improve their system security and internal control standards. On the other hand, during the process of financial innovation, new financial products may also have security flaws, hidden dangers and vulnerabilities. In response to those risks, the technology departments of banks first need to be able to identify and guard against security flaws, hidden dangers and vulnerabilities, and to take immediate remedial action when a risk event occurs.

From the perspective of a bank's in-house team, its first task is to issue risk warnings to the technology department and to coordinate with compliance, risk control and other departments to circulate alerts about industry risk events across the bank. Second, the in-house team should become involved as early as possible in the design of new products and services, and verify whether product terms, risk disclosure clauses and the form of electronic signatures satisfy the reliability principle. Third, the in-house team should ensure that data protection is embedded in the bank's written legal policies, including implementing the principle of legal risk sharing in the service contracts signed between the bank and outsourced service providers and in the terms of the bank's own products and services. Fourth, the in-house team should promote awareness of cybersecurity, respect for customer privacy and personal financial information protection across the bank, and strengthen the culture of financial information protection.

In addition, Internet finance companies have developed rapidly in recent years, and there has been the interesting phenomenon of traditional banks and Internet finance companies competing with while also cooperating with each other. Against this backdrop, financial institutions must not only learn from the Internet finance service model, which is flexible, convenient and adept at addressing the needs of long-tail clients, but also uphold the security standards and effective risk models of traditional banks. Legal professionals working in financial institutions should both learn new business models with an open mind and maintain strict compliance with the law.

For example, traditional banks have been criticized for paying too much attention to collateral and for refusing to disburse uncollateralized loans, and the market has been calling for risk to be managed with big data instead. Legal professionals in banks should keep a cool head and accurately assess transaction risks. Some of the questions they need to ask include: will an electronic signature or system data be recognized by the court in litigation? What recovery methods are available after a default? Is evidence preserved during the transaction? On the basis of a scientific assessment, a bank's in-house team can provide professional advice to business departments in an objective and fair manner, and facilitate transactions on the premise that risks are controllable.

King: We should pay attention to risks in the following two areas. First, an integrated protection system for trade secrets, customer information and know-how. The rights involved are extremely complex and overlap heavily in the financial industry. Although they may be dealt with in separate dimensions using the risk management techniques of legal compliance, when combined they pose greater challenges to the financial industry. Second, information leakage caused by mobile working. With mobile work becoming the norm, it is difficult for employees to completely separate personal information, social information and work information. For example, can an employee discuss work-related issues on WeChat? Is it possible to clearly distinguish between personal information and work information? Which types of work information can be discussed and disseminated on WeChat, and which are strictly prohibited? These are all new challenges we face today.

In this context, an in-house team needs to work closely with the technical team, or the in-house team itself needs to undergo a technical transformation by recruiting interdisciplinary talent or directly recruiting people with a background in IT and information security. At the same time, this also creates new challenges for team management, including job responsibilities, promotion paths, professional culture, team identity and many others.

Wen: First, with the diversification of payment methods, there will be a great deal of cooperation between banks and payment institutions approved by the regulatory authorities, which will inevitably involve the transmission of customer information. Although customers are reminded to pay attention to information confidentiality when opening payment channels, there will still be a large flow of information between payment institutions and between online business organizations, posing risks to information security.

Second, some banks are exploring partnerships with online platforms for business such as financial product sales and the supporting electronic accounts or online debit cards, where customers, after logging into those online platforms, can apply for the relevant banking services, and the banks, based on the customer instructions transmitted by the online platforms, complete operations such as account opening and product sales online. In this process, the online platforms take responsibility for transmitting customer information and transaction instructions. A system transmission error or a case of customer identity fraud will directly affect the legitimate rights and interests of both the customers and the banks, causing the banks to bear legal risks.

In terms of legal risk prevention, dedicated staff are currently assigned to innovative business such as Internet finance, and legal professionals take part in studying the legal aspects of, and drafting the documentation for, the relevant product business models. The role of legal professionals is to provide effective and professional legal support and to implement full-process legal risk management throughout business development.

Some of the key measures taken are: first, controlling security as tightly as possible at the merchant admission stage, giving customers sufficient reminders at the payment authorization stage, and establishing an information prevention and control network together with the information security departments to dynamically monitor information and data and issue alerts of abnormal fluctuations; second, on the customer side, issuing reminders to customers when they sign contracts and execute transactions, and running publicity campaigns in both online and offline trading venues; and third, as to partner institutions, agreeing with them on their obligations and responsibilities for verifying the authenticity of customer identities. At the same time, banks and partner institutions should always obtain clear authorization from customers for matters such as customer information collection and transaction instruction execution, and ensure compliance throughout the use and transmission of customer-related information.

 

ALB: From the perspective of compliance creating value, what development opportunities will be brought to an organization and what value will be created by rigorous cybersecurity and data protection?

Liu: The secure image of a “thick wall” and stringent data protection standards are the foundation that enables traditional banks to survive in the Internet era. This is the base from which more customer value can be created. A bank known for customer information security can often reap the benefits of brand effects and win the trust of customers. As a foreign-invested bank, under the guidance of the “Belt and Road Initiative”, Standard Chartered has helped many Chinese companies invest in different countries, especially in Africa and the Middle East.

We have noticed that, when choosing which bank to work with, an enterprise will usually treat a bank's compliance and legal risk management and its data protection as important considerations. The reason is very simple. When investing abroad, companies face uncertain legal risks and country-specific risks, and anti-money laundering, counter-terrorist financing and data protection are also high-risk areas. A global bank that upholds international standards and is familiar with the laws of different countries will often become the preferred partner of businesses.

Take data protection laws as an example. The General Data Protection Regulation (GDPR) of the European Union (EU) came into effect in May 2018. As such, EU-headquartered global banks must update their data protection standards in time to meet the requirements of EU regulation. At the same time, these global banks will take into consideration the differences in the domestic laws of different countries and implement the new data protection standards in light of local realities. In other words, when companies choose these global banks, they can be certain that the banks are following the latest international data protection standards, which gives the companies additional confidence. A bank-business relationship founded on such high standards can often achieve long-term win-win results.

King: I would like to mention two points. First, the impact of data leakage on a company's operations and business is both direct and catastrophic. Therefore, if the legal compliance team of a company can properly solve this pain point, the management value of the in-house team will, without a doubt, be highly visible. For example, the in-house team can strike directly against illegal external P2P organizations that take advantage of leaked data to maliciously cancel contracts. Second, trade secret protection, intellectual property (IP) protection and technical know-how protection, all undertaken for the purpose of information protection, will provide a new career development path for the legal compliance team and a new source of management value. For example, enforcing IP rights can directly bring benefits to a financial institution.

Wen: Market credibility is the most important point. Against the backdrop of the proliferation of online data, it is important to note that data, while creating business opportunities for merchants, is also customers' private information. Making lawful and reasonable use of information and ensuring information security are important factors in building a favorable financial image, and market reputation is invaluable. Only a bank that has won customer trust, achieved market recognition and forged a first-class brand can effectively acquire and serve clients. Such a bank can then continuously deepen its big data analysis and mining capabilities to gain insight into customer needs and serve customers creatively. It can be said that the protection of customers' financial information is the basis and premise for developing a bank's Internet finance business and enhancing its comprehensive customer service capabilities.

 

ALB: On the topic of cybersecurity and data protection, what are some of the other matters that you are thinking about or exploring?

Liu: Foreign-invested banks are bound by the cybersecurity and data protection laws and regulations of different countries and regions. At the same time, global banks need to manage the credit extension and credit information of clients and client groups on a centralized basis. How to resolve the conflict between differing cybersecurity and data protection legal frameworks on the one hand, and global banking business with its centralized protection of credit information and data on the other, is something that legislators and practitioners need to think about.

I would like to mention two concrete issues. 

First, is it possible to have international standards on cybersecurity and data protection? If so, what is the baseline for such standards? The EU's GDPR, while providing a good starting point, still has a long way to go before it attains the status of a global standard. We believe that globalization and flattening are the trends of the future. International data protection standards would be positive for both global banks and multinational enterprises, and would also have positive effects on global cybersecurity and data protection efforts.

Second, where can data centers be built? From a cybersecurity perspective, national legislators tend to want data centers in their own countries. However, for global banks or multinationals, the most cost-effective model seems to be to set up their own global data centers in one or a few locations rather than a separate data center in each country or region. How to enhance cooperation among different countries and regions and reduce enterprises' operating costs while ensuring the security of networks and data requires more top-level legislative design. For example, is it possible to have a wider range of cross-regional cooperation under CEPA? For the data centers used by certain industries, could data centers in Hong Kong be regarded as Mainland data centers? We look forward to more communication and cooperation among regulators in different countries and regions on these issues.

King: The application of technology is both an opportunity and a challenge for legal professionals. Law is an old profession that has long relied on experience rather than data for growth and value creation. Big data and technology-driven development will erase some legal jobs, functions and value (legal research and junior lawyer roles, for example) but will also create new core value (in-house functions for trade secrets, IP and information security, for example). However, combining law and IT is a huge challenge for both individuals and teams. After all, the two disciplines are each highly specialized and distinctly different from each other.

An in-house team may build a differentiated mix of people internally. In terms of personal development, a person from a legal background does not necessarily need to learn to code, but should accumulate experience in areas such as understanding computer logic, systematic thinking, requirements development and project management.

Wen: We are also looking at the following four aspects. First, how can the right to retrieve financial information under the National Security Law be set up in a more scientific manner that both protects customer information security and maintains social security? Second, there is tension between the complexity of payment channels and information security. How to balance that tension through legislation, and how to establish consistent rules for information protection and information security across the entire commercial chain of society, is worth studying. Third, greater publicity and guidance efforts are needed to improve the information security awareness of private customers. The large number of cases in which funds are lost or information is leaked because individuals recklessly provide important information to third parties shows the urgent need for consumers to receive guidance and education. Fourth, the measures that punish information abuse need to be further improved.

 

