Data security: Safeguarding High-quality Development of the Digital Economy

November 2024

… is finalised and will take effect January 1, 2025

© 2024 KPMG Huazhen LLP, a People's Republic of China partnership, KPMG Advisory (China) Limited, a limited liability company in Chinese Mainland, member firm of the KPMG global organisation of independent member firms affiliated with KPMG International Limited, a private English company limited by guarantee. All rights reserved.

Document Classification: Public


Enhancement of data security capabilities is a fundamental compliance obligation and a timely move to maintain competitiveness in the digital era

“Enhance data security capabilities, establish a fundamental system for data classification and grading protection, and improve the work system for network data monitoring, early warning, and emergency response.”
(2023, Central Committee of the Communist Party of China and the State Council)

Enhancing data security capabilities is a fundamental compliance obligation

Data security management is undergoing a gradual shift from legislation to practice. Currently, the regulatory framework for personal information protection has become increasingly comprehensive, which has also promoted the standardization and systematization of data security management. The identification and protection of key data, as well as the exploration of flexible and convenient cross-border data regulatory mechanisms, are also continuously advancing. Businesses must remain vigilant and actively ensure compliance.

Data security is the driving force and foundation of technological innovation

As emerging technologies such as big data, artificial intelligence, and blockchain become more widely used, enterprises are facing new security challenges. To maintain seamless technological innovation, it is crucial for enterprises to continuously upgrade their security measures, paying close attention to data security, in order to identify and respond to potential risks.

Protecting data is protecting core competitiveness

Data contains business secrets, customer information, market insights, etc. The security and confidentiality of these data are directly related to the business stability and market competitiveness of enterprises. Only by strengthening data security management and ensuring data integrity and availability can enterprises remain invincible in fierce market competition and achieve sustainable development.


Regulatory timeline

- 2015, July 1: The State Security Law of the People's Republic of China was officially promulgated and came into effect.
- 2017, June 1: The Cyber Security Law of the People's Republic of China (CSL) officially took effect.
- 2019, May: The Cyberspace Administration of China publicly solicited comments on the Administrative Measures on Data Security (Exposure Draft).
- 2021, September 1: The Data Security Law of the People's Republic of China (DSL) officially came into effect.
- 2021, November 1: The Personal Information Protection Law of the People's Republic of China (PIPL) officially came into effect.
- 2021, November 1: The Cyberspace Administration of China publicly solicited comments on the Regulation for the Administration of Network Data Security (Exposure Draft).
- 2024, August 30: The State Council executive meeting reviewed and approved the Regulation for the Administration of Network Data Security (Draft).
- 2024, September 1: The Regulation was released and will take effect from January 1, 2025.

As of September 2024, various industry regulatory authorities, including the Ministry of Industry and Information Technology, the People's Bank of China, and the Ministry of Education, have issued data security-related management measures for industry sectors such as industry and information technology, finance, education, telecommunications, and automotive.

The Regulation for the Administration of Network Data Security (the Regulation) is the first regulation issued by the State Council under the CSL, DSL and PIPL.

Applicable scope

- Network data processing activities conducted online within China, as well as the supervision and management of network data security
- Personal information processing activities conducted outside the country that fall into the scope defined under PIPL Article 3
- Network data processing activities conducted outside the country that damage the national security of the People's Republic of China, public interests, or the legitimate rights and interests of citizens or organizations
- This regulation does not apply to data processing activities carried out by natural persons for personal or household affairs.

Key focus

General provisions:
- Data Security Strategy and Governance
- Data Security Lifecycle Management
- Data Security Management Framework
- Data Security Technology and Operation

Special processing activities:
- National security review
- Personal information protection
- Key data management
- Cross-border data transfer management
- Network platform service provider management

Consequences of non-compliance

The Regulation generally refers to the CSL, DSL and PIPL, with more details provided for violations of requirements under the general provisions, national security review or key data security management:
- Fines (up to RMB 10 million for an organization; up to RMB 1 million for directly responsible supervisors and other responsible personnel)
- Rectification, warnings, confiscation of illegal gains, suspension for rectification, revocation of licenses, etc.


Data security governance starts from Data Classification

Reference: GB/T 43697-2024 Data Security Technology Rules for data classification and grading.

According to the importance of data in economic and social development and the severity of harm caused by data leakage, tampering, destruction, or illegal access, use, or sharing, data is classified into three levels: core data, key data, and general data. General data is further graded into four levels (1 to 4) depending on the impacted object and the impact degree.

| Data security classification | Data security level | Impacted object (classification criterion) | Impact degree (classification criterion) |
|---|---|---|---|
| General data | Level 1 | Individual rights, organizational rights | No impact |
| General data | Level 2 | Individual rights, organizational rights | General |
| General data | Level 3 | Individual rights, organizational rights | Major |
| General data | Level 4 | Individual rights, organizational rights | Critical |
| General data | Level 4 | Economic operation, social order, public interest | General |
| Key data | | Economic operation, social order, public interest | Major |
| Key data | | National security | General |
| Core data | | Economic operation, social order, public interest | Critical |
| Core data | | National security | Critical or Major |

Impacted objects (from highest to lowest): National security, public interest, social order, economic operation, individual rights, organizational rights.

Impact degrees: Critical (particularly serious harm), Major (serious harm), General (general harm), No impact (no harm).


Focus of financial industry on data security governance

A series of industrial regulations and standards have been drafted and released for data security in the financial industry, including the Administrative Measures of the People's Bank of China for Data Security in Business Fields (Exposure Draft), the Administrative Measures for Data Security of Banking and Insurance Institutions (Public Exposure Draft), JR/T 0197-2020 Financial Data Security Guides of Data Security Classification, and JR/T 0171-2020 Personal Financial Information Protection Technical Specification. Once the Regulations on Network Data Security Management come into force, the financial industry should, in accordance with the relevant regulations and standards that have been released, focus on the following areas.

Data Classification and Categorization

- Sort out data assets according to business classification, identify important data and core data, and compile an important data directory
- Establish the implementation policies for data classification and categorization
- Take differentiated security protection measures according to data classification and categorization
- Implement dynamic management and maintenance of the data directory

Mapping of data security levels between the two exposure drafts:

| Administrative Measures for Data Security of Banking and Insurance Institutions (Public Exposure Draft) | Administrative Measures of the People's Bank of China for Data Security in Business Fields (Exposure Draft) |
|---|---|
| General data: other general data; sensitive data | General data |
| Important data | Important data |
| Core data | Core data |

Key challenges:
- Consider the mapping relationship between data security levels in different regulations. Foreign banks should also consider domestic and overseas data assets as a whole to reduce management costs
- Inaccurate data classification will affect the implementation of differentiated security protection measures
- Dynamic management and maintenance is continuous rather than one-time work

Data Security Governance and Management

- Security governance framework: Clarify the division of responsibilities of internal departments related to data security management, and refine the accountability procedures
- Designate a data security management department. The important data processor shall specify in writing the person in charge of data security and the internal department responsible for leading data security management
- Follow the basic principle of “who manages business, who manages business data, who manages data security”
- Construction of data security system: Establish relevant system requirements for data security governance, data classification and categorization, data security management, data security technology, data security risk monitoring, etc.
- Data must be classified and managed accordingly; network data processors are responsible for the security of the data they handle
- Data service management system: Establish a data service management system, formulate data service specifications, and establish a full-time data service team

Key challenge:
- At present, there are differences between the current regulatory requirements of the two parties. Financial institutions should seek common ground while reserving differences, analyse specific issues on a case-by-case basis and avoid redundant construction

Data Lifecycle Management

- In combination with JR/T 0197-2020 Financial Data Security Guides of Data Security Classification and JR/T 0223-2023 Specification for Security of Financial Data Life Cycle, the data security protection management requirements at different levels in all steps of the data lifecycle are defined
- Implement the requirements of data security technical measures at different levels in all steps of the data lifecycle, including data collection, data processing, data usage, data sharing, entrusted processing, joint processing, data transfer and provision, data disclosure, cross-border data transfer, data destruction and deletion, data transmission, and data backup and storage
- Internal data sharing within the group should take protective measures, and sharing sensitive and confidential data should obtain authorization and consent from the data subject

Data Security Incident Management

- Establish a security risk monitoring and warning mechanism for data processing activities
- Formulate criteria and emergency plans for rating data security incidents
- Strengthen internal personnel and training management, strengthen personnel security awareness and implement emergency plans for security incidents
- Standardize emergency response and disposal according to the different regulatory authorities, and report incidents and their disposal in a timely and orderly manner
- Accept public supervision by establishing convenient channels for network data security complaints and reports, publicize information on the complaint and report channels, and promptly accept and handle network data security complaints and reports

Data Security Supervision and Management

- Establish data security compliance requirements and specifications
- Carry out comprehensive data security audits according to the requirements of the different regulatory authorities
- Carry out a comprehensive data security risk assessment once a year, and complete the reporting as required
- Network data processors shall cooperate with the relevant authorities in conducting lawful supervision and inspection of network data security

Key challenges:
- Take different security measures according to different data levels and build a data security technology protection system that adapts to the new technology environment
- When building a security control mechanism that covers the whole data lifecycle, consider the core technical capabilities of data security required by the actual data scenarios, such as encryption, data desensitization, digital watermarking, data leakage prevention, privacy computing, automatic data grading and compliance, etc., and also consider how to implement the corresponding technologies through technical tools and product platforms (data security applications)
- When facing data security incidents, it is necessary to be able to quickly identify, evaluate, respond and restore business
- From the perspective of the financial regulatory authorities, the focus is how to effectively manage data security incidents, including how to conduct emergency disposal and regulatory reporting after the event. Financial institutions should focus on developing emergency processes and drills
- Normalize data security assessment and audit work and maintain continuous communication with regulators


Requirements for special processing activities

Focus on the integration and supplement with other relevant compliance requirements and practices.

Personal information protection

The overall compliance requirements for personal information processors should be based on the Personal Information Protection Law and other relevant personal information protection regulations, standards and guidelines. The following supplemental requirements are noted from the Regulation:
- Specify the detailed conditions for transferring personal information and the specific implementation of data retention
- Records of the data processing when providing personal information to other network data processors or entrusting them to process it should be retained for at least 3 years
- Network data processors who process the personal information of more than 10 million individuals must also comply with the relevant requirements for key data processors, including appointing the data security officer and establishing the data security management organization, and conducting a risk assessment before providing, entrusting, or jointly processing personal information.

Other references: PIPL, CSL, GB/T 35273 Personal Information Security Specifications, etc.

National security review

When network data processors engage in data processing activities that affect or may affect national security, they must undergo a national security review in accordance with relevant state regulations.

Other references: NSL, CSL, DSL, Security Protection Regulations for Critical Information Infrastructure, Cybersecurity Review Measures, etc.

Cross-border data transfer management

The overall compliance requirements for cross-border data transfer should be based on the Cybersecurity Law, Personal Information Protection Law, Data Security Law, and other related latest regulations for cross-border data transfer. The following supplemental requirements are noted from the Regulation:
- The state shall take measures to prevent and address cross-border security risks and threats related to network data. No individual or organization is allowed to provide programs, tools, or other means specifically designed to damage or bypass technical measures. Anyone who knows that others are engaged in such activities must not provide them with technical support or assistance.

Other references: CSL, PIPL, DSL, Security Assessment Measures for Cross-border Data Transfer, Measures on the Standard Contract for Cross-border Data Transfer of Personal Information, Provisions on Promoting and Regulating Cross-border Data Transfer, etc.

Network platform service provider management

The management requirements for data security of network platform service providers are proposed in the Regulation for the first time, and mainly include:
- Shall clearly define the network data security protection obligations of third-party product and service providers that access their platform, and urge these third-party providers to strengthen network data security management. In particular, network platform service providers that distribute applications must establish application verification rules and conduct network data security-related verifications.
- For information pushed to individuals through automated decision-making processes, personalized recommendations should be easy to turn off, and personal characteristic tags should be removable
- The state encourages network platform service providers to support users in using public services for national network identity authentication to register and verify real identity information

In addition, large network platform service providers:
- Shall publish an annual social responsibility report on personal information protection
- When providing network data across borders, must follow the requirements for cross-border data security management, and must improve the relevant technical and management measures to prevent cross-border security risks related to network data
- Are prohibited from using network data, algorithms, or platform rules to engage in improper network data processing activities that harm users' legitimate rights
- If the processing of key data is involved, the annual risk assessment should fully explain the security status of key business operations and the supply chain related to network data

A network platform service provider offers services to a large number of users and operators within the platform, which may include: social media platforms that provide information publishing and interaction, online platforms that offer payment services, online platforms that provide audio-visual services, online platforms that offer application distribution services, manufacturers of smart devices with pre-installed applications, etc.

A large network platform service provider refers to a platform with more than 50 million registered users or more than 10 million monthly active users, with complex business categories, whose network data processing activities have significant impacts on national security, economic operations, and the livelihoods of citizens.

Key data management

The Regulation sets clear requirements for processors of key data in the following areas:

Data Security Strategy and Governance
- The data security officer and the data security management organization should be clearly defined. The data security officer must possess professional knowledge in data security and relevant management experience, should be a member of the management team of the network data processor, and must have the authority to report the network data security status directly to the relevant authorities
- In the event of mergers, divisions, dissolution, bankruptcy, or other similar situations, a report must be submitted to the relevant authorities at or above the provincial level
- An annual risk assessment of its network data processing activities should be conducted, and the risk assessment report must be submitted to the relevant authorities at or above the provincial level

Data Security Lifecycle Management
- Providing, entrusting the processing of, or jointly processing key data must comply with additional requirements (e.g. risk assessment, retaining records of processing activities for at least 3 years, etc.)

Data Security Management Framework, Technology and Operation
- The state encourages the use of data tagging and labelling tools to enhance security management

Currently, regarding the identification and protection of important data, some industry regulatory authorities have clarified their data classification details, defining the scope of important and general data in sectors such as industry, telecommunications, healthcare, and education. Additionally, certain free trade zones have issued detailed regulations and identification guidelines for important data, such as the Administrative Measures on the Negative List for Outbound Data Transfer from the China (Beijing) Pilot Free Trade Zone (for Trial Implementation) and the Standards for Data Classification and Grading by Enterprises in the China (Tianjin) Pilot Free Trade Zone. For industries where the definition and identification rules for important data are not yet clear, GB/T 43697-2024 Data Security Technology Rules for Data Classification and Grading and the Information Security Technology Guidelines for Identifying Important Data (Draft for Comments) can be referenced to guide the identification process.

| Sector | Sector-specific rules and guidelines |
|---|---|
| Industrial manufacturing | Administrative Measures on Data Security in the Field of Industry and Information Technology (for Trial Implementation); Guidelines for Identification of Important Data in the Industrial Field (YD/T 4981-2024); Several Provisions on Automotive Data Security Management (Trial) |
| Telecommunications | Guidelines for Identification of Key Data in the Telecommunications Sector (YD/T 3867-2024) |
| Financial service | Administrative Measures of the People's Bank of China for Data Security in Business Fields (Exposure draft); Administrative Measures for Data Security of Banking and Insurance Institutions (Exposure draft); Guidelines for Data Security Classification (JR/T 0197-2020) |
| Healthcare | Guidelines for Data Classification in the Healthcare Industry (Trial) |
| Education | Guidelines for the Identification of Core Data and Key Data in the Education System (Trial) |

Sectors shown in the accompanying figure: Industrial manufacturing, Telecommunication, Transportation, Financial service, Natural Resources, Healthcare, Education, Technology.


Recommended actions

Implement classified protection of network data, clearly define the responsibilities of the various parties, and enforce network data security measures. It is essential to clarify security boundaries to ensure that data flows legally, orderly, and freely, thereby creating a favourable environment for promoting high-quality development of the digital economy and driving technological and industrial innovation.

Optimize and implement data security classification

Further promote the effective implementation of data security classification, integrating compliance requirements with internal needs. Achieve a seamless connection between data asset classification and data security levels. Utilize technology and tools to enable data security classification and to expand its coverage of data processing activities and system applications, laying a solid foundation for data lifecycle protection.

Establish and enhance data security governance

Promptly establish and improve data security governance, including but not limited to data security protection principles, data lifecycle security management principles, data security incident management and emergency plans, data security complaint handling mechanisms, and data security risk and compliance management mechanisms.

Improve the data security management framework and technology with prioritization

For data with a higher security level and its associated system platforms and infrastructure, prioritize the implementation of data security management measures, including but not limited to strengthening encryption controls, access controls, backup and recovery management mechanisms, and log and event monitoring mechanisms, to effectively safeguard the integrity, confidentiality, and availability of such data.

Consider integration with privacy and security operation activities

Personal information, being a special type of data, requires specific management practices. The internal data security management organization and personnel should integrate effectively with the existing personal information protection framework. Additionally, data security measures should be aligned with traditional information and cyber security practices. Consider revisiting and adjusting current cyber security measures to ensure comprehensive data security.


KPMG provides one-stop solutions for managing data security risks

Framework shown in the accompanying figure: Strategy and Governance; Data Security Lifecycle Management; Data Security Management Framework; Data Security Technology and Operation; Guide and Support; Security Operation and Security Engineering; Implement data security management requirements; Drive optimization and implementation of data security management requirements.

- Data security classification design and implementation: Data security classification standards and tools design, data security classification management process design and implementation, and data security classification implementation, etc.
- Data security management governance planning and implementation: Data security management maturity assessment, data security management enhancement plan, data security management system design and implementation, cross-border data transfer compliance management, etc.
- Data security risk assessment / special review: Regular data security risk assessment, data security special audit for high-risk systems such as data warehouse / data lake / data management platform, etc.
- Data leakage prevention management: Data leakage prevention requirement analysis, tool/vendor selection, technical implementation support and project management, etc.
- Data security incident response management: Emergency response plan, training, and drills, etc.


Contact Us

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.

The KPMG name and logo are trademarks used under license by the independent member firms of the KPMG global organisation.

For more detail about KPMG China please scan the QR code or visit: https://home.kpmg/cn/zh/home/about/offices.html

- Richard Zhang, Partner, Technology Consulting, KPMG China. Tel: +86 (21) 2212 3637
- Danny Hao, Partner, Tech Risk, Technology Consulting, KPMG China. Tel: +86 (10) 8508 5498
- Quin Huang, Partner, Tech Risk, Technology Consulting, KPMG China. Tel: +86 (21) 2212 2355
- Brian Cheung, Partner, Tech Risk, Technology Consulting, KPMG China. Tel: +852 2847 5062
- Lanis Lam, Partner, Tech Risk, Technology Consulting, KPMG China. Tel: +852 2143 8803
- Jason Li, Director, Tech Risk, Technology Consulting, KPMG China. Tel: +86 (10) 8508 5397
- Frank Wu, Director, Tech Risk, Technology Consulting, KPMG China. Tel: +86 (21) 2212 3180
- Kevin Zhou, Partner, Tech Risk, Technology Consulting, KPMG China. Tel: +86 (21) 2212 3149
- Jason Song, Director, Tech Risk, Technology Consulting, KPMG China. Tel: +86 (21) 2212 2888