General Administration of Financial Regulation: Banks and insurance institutions should establish data security technology protection systems for diverse and heterogeneous environments such as big data

Zhitongcaijing · 12/27/2024 12:25

The Zhitong Finance App learned that on December 27, the State Administration of Financial Supervision and Administration issued data security management measures for banks and insurance institutions. Banks and insurance institutions should establish data security technology protection systems for diverse and heterogeneous environments such as big data, cloud computing, mobile Internet, and the Internet of Things, establish a data security technical architecture, clarify data protection strategies and methods, and adopt technical measures to ensure data security. Banks and insurance institutions should incorporate data security protection into the information system development life cycle framework, clarify security protection requirements for sensitive data and above, and achieve simultaneous planning, simultaneous construction, and simultaneous use of data security protection measures and information systems.

The original text is as follows:

Notice of the State Financial Supervision and Administration on Issuing Data Security Management Measures for Banks and Insurance Institutions

Gold Standard [2024] No. 24

Financial supervisory authorities, policy banks, large banks, joint stock banks, foreign banks, direct sales banks, financial asset management companies, financial asset investment companies, financial asset management companies, insurance group (holding) companies, insurance asset management companies, pension management companies, insurance intermediaries specialized in insurance, financial holding companies, and administrative units of the General Administration:

The “Data Security Management Measures for Banks and Insurance Institutions” are hereby issued to you. Please comply with them.

State Financial Supervisory Authority

December 27, 2024

(This document is also sent to the dispatched agencies and to locally incorporated banking and insurance institutions)

Data Security Management Measures for Banks and Insurance Institutions

Chapter I: General Provisions

Article 1 These Measures are formulated in accordance with laws and regulations such as the “Data Security Law of the People's Republic of China”, “Cybersecurity Law of the People's Republic of China”, “Personal Information Protection Law of the People's Republic of China”, “Banking Supervision and Administration Law of the People's Republic of China”, “Commercial Banking Law of the People's Republic of China”, “Insurance Law of the People's Republic of China” and “Insurance Law of the People's Republic of China”, in order to regulate data processing activities in the banking and insurance industry, guarantee data security and financial security, promote the rational development and utilization of data, and protect national security and the public interest.

Article 2 Banks and insurance institutions referred to in these Measures refer to policy banks, commercial banks, rural cooperative banks, rural credit cooperatives, financial asset management companies, enterprise group finance companies, financial leasing companies, auto finance companies, consumer finance companies, money brokerage companies, trust companies, financial management companies, insurance asset management companies, and insurance group (holding) companies established within the People's Republic of China.

Data processing activities involving state secrets are governed by laws and administrative regulations such as the “Law of the People's Republic of China on the Preservation of State Secrets”. Where the relevant competent national department provides otherwise, those provisions shall be followed in accordance with law.

Article 3 Data referred to in these Measures means any record of information in electronic or other form.

Data processing refers to the collection, storage, use, processing, transmission, provision, sharing, transfer, disclosure, deletion, destruction, etc. of data.

Data security means managing and controlling data processing activities and data application scenarios by taking necessary measures to ensure that data is always in a state of effective protection and legal use, and has the ability to guarantee a continuous state of security.

A data subject refers to the natural person identified in the data (or that person's guardian), or the enterprise, agency, public organization, or other organization identified in the data.

Personal information is all kinds of information relating to an identified or identifiable natural person recorded electronically or by other means, excluding information that has been anonymized.

Big data platforms refer to infrastructure for the storage, computation, and analysis of massive data, including data statistical analysis platforms and big data processing platforms (such as data lakes and data warehouses).

Article 4 The State Administration of Financial Supervision and Administration and its dispatched agencies shall be responsible for supervising and managing data security in the banking and insurance industry, formulating and issuing supervisory rules and regulations, and supervising and inspecting the implementation of data security and protection obligations by banks and insurance institutions.

Article 5 Banks and insurance institutions shall establish a data security governance system compatible with the institution's business development goals, establish and improve data security management systems, establish security protection mechanisms covering the entire life cycle and all application scenarios of data, carry out data security risk assessment, monitoring and disposal, and ensure that data development and utilization activities proceed safely and steadily. Banks and insurance institutions that use information networks such as the Internet to carry out data processing activities shall fulfill their data security protection obligations on the basis of the cybersecurity classified protection scheme.

Article 6 In carrying out data processing activities, banks and insurance institutions shall abide by laws and regulations, respect social morality and ethics, abide by commercial ethics and professional ethics, be honest and trustworthy, fulfill data security protection obligations, assume social responsibility, and must not endanger national security, political security, economic and financial security, or the public interest, or harm the legitimate rights and interests of individuals and organizations.

Article 7 Banks and insurance institutions shall coordinate development and security, implement the national big data strategy, promote the construction of data infrastructure, increase data innovation and application efforts, promote the development of the digital economy with data as a key element, raise the level of intelligence in financial services, innovate inclusive financial service models, and enhance their ability to prevent and mitigate risks.

Article 8 Banks and insurance institutions shall continuously track cutting-edge developments in emerging data development and utilization and in technology, effectively deal with the conflicts of rules, social risks, and ethical and moral risks that may arise from the application of big data and scientific and technological innovation, and prevent the misuse and abuse of data and technology.

Chapter II: Data Security Governance

Article 9 Banks and insurance institutions shall establish a data security management organizational structure covering the board of directors (or equivalent governing body), senior management, the data security coordination department, and the data security technical protection department, clarify job responsibilities and working mechanisms, and provide the necessary resources.

Article 10 Banks and insurance institutions shall establish a data security responsibility system, and the Party Committee (Party Group) and Board of Directors (Management) shall bear primary responsibility for the data security work of the institution. The principal person in charge of the bank or insurance institution is the first person responsible for data security, and the senior manager in charge of data security is the person directly responsible. The responsibilities of the persons responsible at each level, the conduct that constitutes a violation, and the matters subject to accountability shall be clearly defined, and accountability mechanisms shall be implemented.

Article 11 Banks and insurance institutions shall designate a central data security management department as the institution's department responsible for data security work. Its main responsibilities include:

(1) Organize the formulation of data security management principles, plans, systems and standards;

(2) Organize the establishment and maintenance of data catalogues to promote the implementation of data classification and hierarchical protection;

(3) Organize and carry out data security assessments and reviews;

(4) Coordinate the establishment of data security emergency management mechanisms, and organize and carry out data security risk monitoring, early warning and treatment;

(5) Organize and carry out data security promotion training to enhance employees' awareness and skills of data security protection;

(6) Establish and maintain an integrated management mechanism for internal data sharing, external data introduction, external data provision, and cross-border data transfer; take the lead in the security management of external data suppliers; and coordinate the management of security requirements for big data applications and data sharing projects;

(7) Report important data security matters to the Party Committee (Party Group), Board (Management) Committee, and senior management;

(8) Other data security work matters requiring integrated management.

Article 12 Banks and insurance institutions shall, in accordance with the principle that whoever manages a business line also manages that line's data and is responsible for its data security, clarify data security management responsibilities in each business field and implement data security protection and management requirements.

Article 13 The risk management, internal control compliance and audit departments of banking and insurance institutions are responsible for incorporating data security into comprehensive risk management systems and internal control evaluation systems, carrying out regular audits, supervision, inspection and evaluation, and supervising problem rectification and accountability.

Article 14 The information technology department of banking and insurance institutions is the department responsible for the technical protection of data security. Its main responsibilities include:

(1) Establish a data security technology protection system, establish a data security technical architecture and protection control baseline, and implement technical protection measures.

(2) Formulate data security technical standards and specification systems, and organize and carry out data security technical risk assessments.

(3) Organize and carry out life cycle security management of information systems to ensure that data security protection measures are implemented in requirements, development, testing, production, and monitoring.

(4) Establish an emergency management mechanism for data security technology, organize and carry out technical monitoring, early warning, notification and treatment of data security risks, and prevent harmful data security activities such as external attacks and internal and external damage.

(5) Organize research on, and the application of, data security technology.

Article 15 Banks and insurance institutions shall establish a good data security culture, carry out data security education and training for all employees, raise awareness and level of data security protection, and form a favorable environment for all employees to work together to maintain data security and promote development.

Chapter III: Data Classification and Grading

Article 16 Banks and insurance institutions shall formulate data classification and grading protection systems, establish data catalogs and classification and grading standards, dynamically manage and maintain data catalogs, and adopt differentiated security protection measures.

Article 17 Banks and insurance institutions shall classify and manage data obtained and generated in the course of the institution's business and operation management. The data types include customer data, business data, operation management data, system operation and safety management data, etc.

Article 18 Banks and insurance institutions shall divide data into core data, important data, and general data according to the importance and sensitivity of the data. Among them, general data is broken down into sensitive data and other general data.

Core data refers to important data that has high coverage of fields, groups, or regions, or has reached high accuracy, large scale, and a certain depth. Once used or shared illegally, it may directly affect political security, key areas of national security, the lifeblood of the national economy, important people's livelihood, and major public interests.

Important data refers to data in a specific field, a specific group, a specific region, or that has reached a certain level of accuracy and scale. Once leaked, tampered with, or destroyed, it may directly endanger national security, economic operation, social stability, and public health and safety.

Sensitive data refers to data that, once leaked, tampered with or destroyed, has a certain impact on economic operation, social stability, public interest, or has an important impact on the organization itself or individual citizens.

Data other than the above is other general data.

Article 19 Banks and insurance institutions shall strengthen the time-sensitive management of data security levels and establish approval mechanisms for dynamic adjustment. When the business attributes or importance of data, or the degree of harm it may cause, change so that the original security level no longer applies, the level shall be adjusted in a timely manner.

Chapter IV: Data Security Management

Article 20 Banks and insurance institutions shall formulate data security protection strategies in accordance with the requirements of the national data security and development policy and in accordance with their own development strategies. Banks and insurance institutions should formulate data security management measures, clarify the division of management responsibilities, establish control mechanisms covering the entire life cycle of data processing, and implement protection measures.

Banks and insurance institutions shall formulate security management implementation rules for the external introduction or cooperative sharing of data, cross-border data transfer, and similar activities.

Article 21 Banks and insurance institutions shall establish an enterprise-level data architecture, register and manage all data assets in an integrated manner, establish data asset maps, clarify data protection targets based on data classification and grading, and implement security management around data processing activities.

Article 22 Banks and insurance institutions shall carry out data security assessments in advance when processing data at the sensitive level or above, or when carrying out activities that have a major impact on data subjects, such as entrusted processing, joint processing, transfer, disclosure, and sharing of data. A data security assessment shall analyze data security risks and their impact on the rights and interests of data subjects according to the purpose, nature and scope of the data processing, assess the necessity and compliance of the data processing, and evaluate the data security risks and the effectiveness of prevention and control measures in accordance with laws, regulations and ethical and moral requirements.

Article 23 Banks and insurance institutions shall establish an enterprise-level data service management system, formulate data service specifications, establish a dedicated data service team, coordinate internal and external data processing and analysis, and carry out activities such as data service requirements analysis, service development, service deployment, and service monitoring.

Article 24 Banks and insurance institutions shall adhere to the principle of “lawfulness, legitimacy, necessity, and good faith”, clarify the purpose, method, scope and rules of data collection and processing, and ensure data security and data source traceability during the collection process. Banks and insurance institutions shall not collect data beyond the scope of the data subject's consent, except as otherwise provided by law or administrative regulations.

Banks and insurance institutions must obtain approval from the State Financial Supervision and Administration to collect industry-important data from other banks and insurance institutions.

Article 25 Banks and insurance institutions shall use information systems as the main channel for data collection, and restrict or reduce other channels or temporary data collection.

Banks and insurance institutions shall immediately cease relevant data collection or processing activities after cessation of financial operations or services, except as otherwise provided by law or administrative regulations.

Article 26 Banks and insurance institutions shall formulate a centralized approval and management system for data introduced through external procurement and cooperation, incorporate it into the outsourcing risk management system for overall management, establish in an integrated manner management mechanisms for data requirements, security assessment, collection and introduction, data operation and maintenance, registration and filing, and supervision and evaluation, investigate the authenticity and legality of data sources, evaluate the security capabilities of data providers and their data security risks, and clarify the data security responsibilities and obligations of both parties.

Article 27 Banks and insurance institutions shall use anonymization, de-identification, or other necessary security measures to protect the rights and interests of data subjects when carrying out data processing activities such as cleaning, conversion, aggregation, analysis and mining of data at the sensitive level or above, except as otherwise provided by law or administrative regulations. Where data aggregation and fusion derives data at the sensitive level or above, or causes a change in data security level, security protection measures shall be assessed and adjusted in a timely manner.

Article 28 Banks and insurance institutions shall, in accordance with the principle of “necessary authorization for business”, strictly implement authorization management for sensitive data, formulate closed-loop management mechanisms for data access, and carry out audits of data access. Where data is extracted from the production environment due to business needs, strict approval procedures should be established, and the period of use or storage of the data should be clarified.

When banks and insurance institutions use information networks such as the Internet to carry out data processing activities, they must implement the requirements of systems such as cybersecurity classified protection, critical information infrastructure security protection, and cryptographic protection.

Article 29 Banks and insurance institutions shall centrally control data sharing and use, clarify enterprise-level data sharing strategies, and evaluate the necessity, compliance, security, and compliance with ethical and moral codes of data sharing and use.

Banks and insurance institutions shall establish a “firewall” to securely isolate the data of the parent bank, insurance group, or parent company from that of its subsidiaries, and take effective measures to protect shared data. Banks and insurance institutions shall obtain the authorization and consent of the data subject before sharing sensitive data with their parent banks, groups, or subsidiaries, except as otherwise provided by law or administrative regulations. A bank, insurance institution, or any of its subsidiaries shall not terminate or refuse to provide financial services because a data subject declines to consent to the sharing of sensitive data, unless the shared data is necessary to provide the product or service.

Article 30 When entrusting data processing, banks and insurance institutions shall specify the conditions, scenarios, and methods under which the data involved may be used and processed externally. Except for data that may be publicly disclosed, the purpose, period, processing method, data scope, protection measures, data security responsibilities and obligations of both parties, and the manner in which the trustee returns or deletes the data shall be recorded in a contract or agreement and audited. Banks and insurance institutions shall require the trustee not to entrust other entities to process the data without their consent, not to share the data externally, not to process, train on, or misappropriate the data, and not to use any other form of data processing to obtain benefits beyond those agreed in the contract or agreement.

Article 31 Banks and insurance institutions shall include data entrustment processing within the scope of information technology outsourcing management. During implementation, they shall not outsource information technology management responsibilities or data security principal responsibilities, and shall not outsource functions involving information technology strategic management, information technology risk management, information technology internal audit, and other functions relating to the core competitiveness of information technology. Where supply chain services involve data processing at or above a sensitive level, banks and insurance institutions should strengthen supplier access and security management.

Article 32 When a banking or insurance institution and a third-party institution jointly process data, they shall formulate plans and adopt effective management and technical protection measures to ensure data security in accordance with the principle of “necessary authorization for business”, and clarify the data security responsibilities and obligations of both parties during data processing by means of a contract or agreement.

Article 33 Where a bank or insurance institution needs to transfer data due to merger, division, dissolution, or being declared bankrupt, it shall clarify the details of the data transfer, stipulate through agreements, undertakings, or similar instruments that the data recipient fully assumes the security and protection obligations for the corresponding data, and notify the data subjects through announcements or other means. Data transfers shall be carried out in a secure manner, and the transfer process shall be traceable.

Article 34 Banks and insurance institutions shall obtain the consent of the data subject when providing sensitive data externally, except as otherwise provided by law or administrative regulations. Except where national authorities are performing their duties in accordance with law, the flow of core data of banks and insurance institutions between subjects shall pass risk assessment and security review in accordance with relevant national policy requirements.

Article 35 Banks and insurance institutions shall establish an approval mechanism for publicly disclosing data to the outside world to investigate the possible impact. Data disclosure shall be published through the agency's official channels to ensure that the data is true, accurate, and tamper-proof, and record the approval and publication status.

Sensitive data shall not be disclosed, except where laws or administrative regulations stipulate otherwise or where the authorization and consent of the data subject has been obtained.

Article 36 Banks and insurance institutions that provide important data and personal information collected and generated during operations within the People's Republic of China to overseas recipients shall bear primary responsibility for data security and conduct security assessments in accordance with relevant national policy requirements.

Article 37 Banks and insurance institutions shall adopt technical measures to strengthen the protection of sensitive data. They shall strengthen data backup, formulate backup policies, store backup data separately from production data, and strictly manage access rights to backup data. They shall formulate a backup verification plan to ensure that backup data is complete and valid and that business can be recovered.

Article 38 Banks and insurance institutions shall establish data destruction management systems and delete or anonymize data in accordance with relevant national and industry regulations and agreements with data subjects. When data processing commissioned by banks and insurance institutions is terminated, the service provider shall be required to promptly delete the data and take effective supervisory measures such as on-site inspections to ensure that the data is destroyed and cannot be recovered.

Chapter V: Data Security Technical Protection

Article 39 Banks and insurance institutions shall establish data security technology protection systems for diverse and heterogeneous environments such as big data, cloud computing, mobile Internet, Internet of Things, etc., establish a data security technical architecture, clarify data protection strategies and methods, and take technical measures to ensure data security.

Article 40 Banks and insurance institutions shall incorporate data security protection into the information system development life cycle framework, clarify security protection requirements for sensitive data and above, and achieve simultaneous planning, simultaneous construction, and simultaneous use of data security protection measures and information systems.

Article 41 Banks and insurance institutions shall bring data within the scope of cybersecurity classified protection. Banks and insurance institutions should divide the network into logical security domains according to data security levels, establish data security protection baselines for each domain, and implement effective security controls, including content filtering, access control, and security monitoring, so that the measures meet the requirements of the network security policy and data security protection policy for the highest level of data processed and stored in that domain. Computer rooms and networks that store or transmit sensitive data shall be given key protection, physical security protection zones shall be established, and security monitoring and auditing of network boundaries and important network nodes shall be carried out.

Article 42 Banks and insurance institutions shall incorporate sensitive data into the security protection of information systems. Effective access control measures shall be taken throughout the life cycle of the data, and the same level of security protection shall be applied to data that circulates or is shared across different regions. After data at the sensitive level or above is collected from multiple sources and concentrated, security measures that are enhanced, or at least not lower than the highest level of protection applied to that data before concentration, shall be adopted.

Article 43 Banks and insurance institutions shall strictly manage data at the sensitive level or above, formulate user access policies for data, adopt effective user authentication and access control technical measures, and standardize data operation behavior. User access to data shall be limited to what is necessary for business and shall match the data security level. Operations on data at the sensitive level or above shall be logged, including the operation time, user identification, type of behavior, and so on. Operation logs of core data and their backups shall be retained for no less than three years; operation logs of important data and sensitive data and their backups shall be retained for no less than one year, except that operation logs involving outsourced processing or joint processing and their backups shall be retained for no less than three years. Data operation behavior shall be audited regularly, at intervals of no more than six months.

Article 44 Banks and insurance institutions shall use secure transmission methods to ensure data integrity, confidentiality, and availability.

When exchanging data between banks and insurance institutions, relevant institutions participating in data exchange shall take effective measures to guarantee the confidentiality, completeness, accuracy, timeliness and security of information data transmission and storage.

Article 45 Banks and insurance institutions shall take secure storage measures for sensitive data to guard against attacks such as ransomware and Trojan backdoors. Personal identification data must not be stored, transmitted, or displayed in clear text. Data at the sensitive level or above shall be backed up for disaster recovery, and its recoverability shall be verified regularly.

Article 46 After data at the sensitive level or above reaches the end of its period of use or storage, technical measures shall be taken to promptly delete or destroy it so that it cannot be recovered. Technical protection measures shall be taken for data at the sensitive level or above held on terminals and mobile storage media to ensure controlled and secure access. When media is scrapped or reused, the data in its storage space shall be completely erased and rendered unrecoverable.

Article 47 Banks and insurance institutions shall carry out technical infrastructure construction for data security, support the componentization and serviceization of functions such as user identity management, data anonymization, behavior monitoring, log auditing, and data virtualization, and ensure the consistent implementation of security standards in information systems.

Article 48 When developing an information system, banks and insurance institutions shall clarify the data to be processed by the system, its security level, access rules, and protection requirements, and implement effective system security controls. Before the system is put into production, security testing shall be carried out to ensure that all security requirements are implemented and data security risks are effectively prevented. The test environment shall be isolated from the production system. In principle, data at the sensitive level or above must not enter the test environment without desensitization, so as to prevent data leakage.

Article 49 Banks and insurance institutions shall adopt measures such as high-availability design, security reinforcement, and data backup for big data platforms. An access authorization mechanism for big data services should be established to dynamically monitor and audit big data access behavior.

Article 50 When banks and insurance institutions carry out activities such as automated decision analysis, model algorithm development, and data labeling, they shall ensure the transparency of data processing and the fairness and reasonable results of data processing. Banks and insurance institutions should unify management of artificial intelligence model development and application, establish an entry mechanism for model algorithm products introduced from outside, actively manage the model development process, and make model algorithms verifiable, reviewable, and traceable.

Article 51 Before the information systems and model algorithms of banks and insurance institutions are put into use, data security reviews shall be carried out to examine the rationality, legitimacy, and interpretability of the use of data and models, as well as the impact of data use on the legitimate rights and interests of relevant subjects, ethical and moral risks, and the effectiveness of prevention and control measures.

Article 52 When banking and insurance institutions use artificial intelligence technology to conduct business, they shall explain and disclose information on the impact of data on decision results, monitor automated processing and system operation results in real time, establish risk mitigation measures for artificial intelligence applications, including formulating alternative plans to exit artificial intelligence applications, and formulating emergency plans and carrying out drills for security threats.

Article 53 When building an open banking or financial ecosystem, or engaging in data cooperation with third parties, banks and insurance institutions shall isolate their own security risks. Data interaction with external institutions shall be carried out through centrally managed outreach platforms or application interfaces, and effective measures shall be taken to centrally protect and manage interface design, development, service, and operation in accordance with the principle of “business necessity and minimum authority”.

Chapter 6 Protection of Personal Information

Article 54 Banking and insurance institutions shall handle personal information in accordance with the principle of “clear notification, authorization and consent”, except as otherwise provided by law or administrative regulations, and shall implement the corresponding controls in the information system.

Article 55 Banking and insurance institutions shall process personal information for a clear and reasonable purpose, and the processing shall be directly related to that purpose. The collection of personal information shall be limited to the minimum scope needed to achieve the purpose of the financial business, and personal information shall not be collected excessively. The collected personal information must not be used to engage in illegal activities.

Article 56 Before processing personal information, banks and insurance institutions shall truthfully, accurately, and completely inform individuals of the purpose of processing, the processing methods, the types of personal information processed, the storage period, the procedures by which individuals may apply to exercise their rights regarding their information, and any other matters that laws and regulations require to be notified.

Banks and insurance institutions shall establish rules for handling personal information, which shall be publicly displayed, easy to access, clear, and easy to understand.

Article 57 Banks and insurance institutions shall not refuse to provide products or services on the grounds that individuals do not agree to the processing of their personal information or withdraw their consent, unless the processing of personal information is necessary to provide the product or service.

Article 58 When carrying out personal information processing activities that have a significant impact on individual rights and interests, banks and insurance institutions shall conduct a personal information protection impact assessment. The assessment shall cover the legality and necessity of processing the personal information, the impact on individual rights and the security risks, and whether the protective measures taken are lawful, effective, and appropriate to the degree of risk. Personal information protection impact assessment reports and processing records shall be kept for at least three years.

Article 59 When banks and insurance institutions share personal information with their parent banks, groups, or subsidiaries, or provide personal information to external parties, they shall fulfill the obligation to notify individuals of the related matters and obtain their consent.

Article 60 Where a bank or insurance institution provides personal information outside the People's Republic of China, in addition to meeting the requirements of Articles 36 and 59, it shall also inform the individual of matters such as the methods and procedures for exercising their rights with respect to the overseas recipient, except as otherwise provided by law or administrative regulations.

Article 61 Where a banking or insurance institution entrusts a third party to process personal information, it shall specify the trustee's personal information protection obligations, protection measures, and time periods in the terms of the contract or agreement, and strictly supervise that the trustee processes the personal information in accordance with the agreed purpose and processing method. The transmission of sensitive personal information to a third party shall be secured so as to prevent the risk of data misuse and leakage. The trustee may not entrust another party to process the personal information without the consent of the banking or insurance institution.

Article 62 When designing algorithms, selecting training data, and generating models, banks and insurance institutions shall take effective measures to protect the legitimate rights and interests of individuals. The use of personal information for automated decision-making shall ensure the transparency of the decisions and the fairness and impartiality of the results.

Article 63 Where personal information has been, or is likely to be, leaked, altered, or lost, banks and insurance institutions shall immediately take remedial measures, and at the same time notify the individual and report to the State Financial Supervision and Administration or its dispatched agency. The notice shall include the following:

(1) The types of personal information that have been or may be leaked, altered, or lost, the causes, and the possible harm;

(2) The remedial measures taken by the bank or insurance institution and the measures individuals can take to mitigate the harm.

Banks and insurance institutions may choose not to notify individuals if they have taken measures that can effectively prevent harm caused by the disclosure, falsification, or loss of information; where the supervisory authority considers that harm may still result, it has the right to require the bank or insurance institution to notify individuals.

Chapter 7 Data Security Risk Monitoring and Handling

Article 64 Banks and insurance institutions shall incorporate data security risks into their comprehensive risk management systems, clarify organizational structures and management processes for data security risk monitoring, risk assessment, emergency response and reporting, and incident handling, and effectively prevent and handle data security risks.

Article 65 Banks and insurance institutions shall effectively monitor data security threats, carry out supervision and inspection, actively assess risks, and prevent security incidents such as data tampering, destruction, disclosure, and illegal use. The monitoring includes:

(1) Authorization or use of privileged system accounts beyond their permitted scope;

(2) Abnormal access and use of data by insiders;

(3) Threats to network security or data security of systems or platforms where data is shared centrally;

(4) Abnormal flow of sensitive data in different regions;

(5) Abnormal use of mobile storage media;

(6) Abnormal data processing or data leakage, loss, or falsification in outsourcing or third party cooperation;

(7) Customer complaints about data security;

(8) Negative public opinion concerning data leaks, counterfeiting, fraud, etc.;

(9) Other situations that may cause data security incidents to occur.

Article 66 Banks and insurance institutions shall conduct a data security risk assessment once a year. The audit department shall carry out a comprehensive data security audit at least once every three years, and shall carry out a special audit after a major data security incident has occurred. When banking and insurance institutions entrust a professional institution to conduct a data security audit, they must not use products or other services provided by that same institution.

Article 67 A data security incident is an incident in which the data of a bank or insurance institution is tampered with, leaked, destroyed, illegally obtained, or unlawfully used, adversely affecting the legitimate rights and interests of individuals or organizations, industry safety, or national security. According to the scope and extent of their impact, incidents are classified into four levels: particularly significant, significant, major, and general.

Article 68 Banks and insurance institutions shall establish emergency management mechanisms for data security incidents, establish internal coordination and linkage mechanisms, establish reporting mechanisms for data security incidents by service providers and third party cooperating agencies, and deal with hidden risks and security incidents in a timely manner.

(1) Formulate emergency plans for data security incidents, and conduct regular emergency response training and emergency drills.

(2) After a data security incident occurs, emergency treatment shall be initiated immediately, the cause of the incident shall be analyzed, the impact of the incident shall be assessed, the incident rating shall be carried out, and operational and technical measures shall be promptly taken to control the situation in accordance with the plan.

(3) Establish a data security incident reporting mechanism, establish a reporting process according to the incident security level, report in accordance with regulations when data security incidents occur, and fulfill customer and partner notification obligations in accordance with relevant agreements such as contracts and agreements.

(4) When a data security incident occurs, or a security defect or vulnerability is found in the network products and services in use, an investigation and assessment shall be carried out immediately and timely remedial measures taken to prevent the harm from spreading. Where a network product or service provider conceals security flaws or fails to report vulnerabilities, banks and insurance institutions shall order it to correct this; if it fails to rectify as required or causes serious consequences, they shall disqualify it from providing services, penalize it as agreed in the contract, and report it to the State Financial Supervision and Administration or its dispatched agency.

Article 69 Within 2 hours of the occurrence of a data security incident, the banking or insurance institution shall report to the State Financial Supervision and Administration or its dispatched agency, and shall submit an official written report within 24 hours of the incident. In the event of a particularly serious data security incident, banks and insurance institutions shall immediately take measures to handle it, promptly notify users in accordance with regulations, and report it to the State Administration of Financial Supervision and Administration or its dispatched agency, or to the territorial public security authority. Banks and insurance institutions shall report the progress of handling every 2 hours until handling is completed. After handling of the data security incident is completed, the banking or insurance institution shall, within five working days, submit an evaluation, summary, and improvement report on the incident and its handling to the State Financial Supervision and Administration or its dispatched agency. Where other laws or administrative regulations stipulate requirements for emergency response to data security incidents, banks and insurance institutions shall implement them.

Chapter 8 Supervision and Management

Article 70 The State Administration of Financial Supervision and Administration and its dispatched agencies shall supervise and manage the data security protection situation of banks and insurance institutions, carry out off-site supervision and on-site inspections, incorporate the data security management situation into the supervisory rating evaluation system, punish and deal with data security incidents of banks and insurance institutions in accordance with law, and carry out continuous supervision of data security management.

Article 71 The State Administration of Financial Supervision and Administration shall, in accordance with national data classification and grading requirements, draw up a catalogue of important data in the banking and insurance industry, propose a catalogue of core data, and supervise and guide banks and insurance institutions in carrying out data classification and grading management and data protection. Banks and insurance institutions shall submit their important data catalogues to the State Financial Supervision and Administration or its dispatched agencies as required. Where there are major changes to the important data catalogue, the updated catalogue shall be reported promptly.

Article 72 The State Administration of Financial Supervision and Administration shall establish a mechanism for data security monitoring, early warning, notification, and disposal in the banking and insurance industry, continuously monitor data security risks, issue risk alerts to the industry, formulate emergency plans for data security incidents in the banking and insurance industry, and handle data security risk incidents. It shall establish a joint prevention and control mechanism with the national data security administration department to implement data security information sharing, risk monitoring and early warning, and data security incident handling.

Article 73 Banking and insurance institutions shall report to the State Administration of Financial Supervision and Administration or its dispatched agency 20 working days before carrying out, or signing a contract for, data sharing, entrusted processing, transfer transactions, or batch transfers involving sensitive data, except as otherwise provided by law or administrative regulations.

Article 74 Banks and insurance institutions shall submit a data security risk assessment report for the previous year to the State Financial Supervision and Administration or its dispatched agency before January 15 of each year. The report shall cover data security management, technical protection, data security risk monitoring and disposal measures, data security incidents and their handling, entrusted and joint processing, data exit (cross-border transfer), data security assessments and reviews, and data security-related complaints and their handling.

Article 75 The State Administration of Financial Supervision and Administration and its dispatched agencies shall conduct on-site inspections and incident investigations of the data security protection situation of banks and insurance institutions, and shall investigate, in accordance with law, the relevant units and individuals where suspected violations of laws and regulations are discovered. Relevant national or industry professional technical institutions or auditing agencies may be engaged to assist with on-site inspections and incident investigations.

Article 76 Where a banking or insurance institution violates the requirements of these Measures, the State Financial Supervisory Authority or its dispatched agency shall, in accordance with law, take supervisory measures against it such as risk reminders, supervisory conversations, supervisory notices, and orders to correct; shall order the suspension or termination of services for systems or applications involved in illegal processing; and, for a third party that delays reporting or conceals data security incidents and cases, or that has caused major data security risks, incidents, or cases, shall order the banking or insurance institution to suspend or stop cooperating with it.

Article 77 Where a banking financial institution violates the requirements of these Measures, the State Financial Supervisory Authority and its dispatched agencies may, in accordance with the relevant provisions of the Banking Supervision and Administration Law of the People's Republic of China, order the banking financial institution to make corrections and impose a fine of not less than 200,000 yuan and not more than 500,000 yuan; if the circumstances are particularly serious or the correction is overdue, they may order the suspension of business for rectification or the cancellation of its operating license. According to the violation, the banking financial institution may be ordered to take disciplinary action against the directors, senior managers, and other directly responsible persons; if the conduct does not constitute a crime, the directors, senior managers, and other directly responsible persons shall be warned and fined not less than 50,000 yuan and not more than 500,000 yuan, the directly responsible directors and senior managers may be disqualified for a certain period of time up to life, and the directly responsible directors, senior managers, and other directly responsible persons may be prohibited from working in the banking industry for a certain period of time. If the conduct constitutes a crime, criminal liability shall be pursued according to law.

Where an insurance financial institution violates the requirements of these Measures, the State Financial Supervision and Administration and its dispatched agency may, in accordance with the relevant provisions of the “Insurance Law of the People's Republic of China”, order the insurance financial institution to make corrections and impose a fine of not less than 50,000 yuan and not more than 300,000 yuan; if the circumstances are serious, they may limit the scope of its business, order it to stop accepting new business, or revoke its business license. According to the violation, the directly responsible supervisors and other directly responsible persons shall be warned and fined not less than 10,000 yuan and not more than 100,000 yuan; if the circumstances are serious, they shall be disqualified. If the conduct constitutes a crime, criminal liability shall be pursued according to law.

If the “Banking Supervision and Administration Law of the People's Republic of China” and “Insurance Law of the People's Republic of China” are amended during implementation, the revised provisions shall prevail.

Article 78 Industry associations such as the China Banking Association and the China Insurance Industry Association shall assist and guide member units to improve the level of data security management through publicity, training, self-discipline, coordination, and service.

Chapter 9 Supplementary Provisions

Article 79 The State Financial Supervision and Administration shall be responsible for interpreting and revising these Measures.

Article 80 Other banking financial institutions, insurance financial institutions, financial holding companies, and administrative units of the General Administration shall apply these Measures as approved by the State Administration of Financial Supervision and Administration. Financial organizations approved by the local financial administration department shall apply these Measures by reference.

Article 81 These Measures take effect from the date of promulgation, and the “Data Security Measures for Banks and Insurance Institutions” (Banking Insurance Regulatory Office Issue [2022] No. 118) are abolished at the same time.

This article was reproduced from the official website of the “China Financial Supervisory Administration”. Zhitong Finance Editor: Chen Xiaoyi.