Heads of Relevant Departments and Bureaus of the State Administration for Financial Regulation
Answer Reporters' Questions on the Measures for the Data Security Management of Banking and Insurance Institutions (Draft for Comments)
To regulate the data processing activities of the banking and insurance industry, ensure data security and promote the rational development and use of data, the State Administration for Financial Regulation has drafted the Measures for the Data Security Management of Banking and Insurance Institutions (Draft for Comments) (hereinafter the "Measures"). The heads of the relevant departments and bureaus of the State Administration for Financial Regulation answered reporters' questions on the draft.
1. What is the background to the formulation of the Measures?
Answer: In recent years, higher-level laws such as the Data Security Law and the Personal Information Protection Law have been issued in succession, setting clear requirements for regulating data processing activities and protecting personal information. At the same time, the digital transformation of the financial industry is accelerating, new technologies and business models keep emerging, and data is used, processed, transmitted and shared ever more frequently, which makes data security protection all the more important. It is therefore necessary to make full use of regulation's guiding role (its function as the "baton"): through clearer policy requirements, guide banking and insurance institutions to take up their primary responsibility, improve their internal systems, take effective measures to strengthen data management and protection, and safeguard customer information and financial transaction data.
2. What is the main content of the Measures?
Answer: The Measures consist of nine chapters and 81 articles: General Provisions, Data Security Governance, Data Classification and Grading, Data Security Management, Data Security Technical Protection, Personal Information Protection, Data Security Risk Monitoring and Disposal, Supervision and Management, and Supplementary Provisions. The main content is as follows:
First, clarify the data security governance structure. Banking and insurance institutions are required to establish a data security responsibility system, designate a department with centralized responsibility for their data security work, and clarify data security management responsibilities across their business lines.
Second, establish data classification and grading standards. Banking and insurance institutions are required to set up a data classification and grading protection system, build data catalogs and classification and grading standards, and apply differentiated protection measures according to the grade of the data.
Third, strengthen data security management. Banking and insurance institutions are required to establish data security management systems and data processing control mechanisms in line with national data security and development policies and their own development strategies.
Fourth, improve the data security technical protection system. Banking and insurance institutions are required to establish a data security technical architecture, define data protection strategies and methods, and use technical means to ensure data security.
Fifth, strengthen personal information protection. Banking and insurance institutions are required to process personal information on the principle of "clear notification and authorized consent"; the collection of personal information must be limited to the minimum scope necessary and must not be excessive.
Sixth, improve the mechanism for monitoring and handling data security risks. Banking and insurance institutions are required to bring data security risk into their comprehensive risk management system and to define the management processes for risk monitoring and assessment, emergency response and reporting, and incident handling.
Seventh, clarify supervisory responsibilities. The State Administration for Financial Regulation and its dispatched offices supervise and administer the data security protection work of banking and insurance institutions and handle their data security incidents in accordance with the law.
3. What are the main features of the Measures?
Answer: First, implement the data security responsibility system. The Measures make it clear that the Party committee (Party group) and the board of directors (council) of a banking or insurance institution are responsible for the data security work of the institution; the institution's principal person in charge is the first responsible person for data security, and the leader in charge of data security is the directly responsible person.
Second, designate a centralized data security management department. Banking and insurance institutions are required to designate a centralized data security management department as the department with primary responsibility for data security work. Its duties include formulating data security management systems and standards, establishing and maintaining data catalogs, promoting data classification and grading protection, and organizing risk monitoring, early warning and disposal.
Third, bring data security risk into the comprehensive risk management system. Banking and insurance institutions are required to define their management processes, assess risks proactively, monitor data security risks effectively, and prevent security incidents such as data destruction, leakage and unlawful use. The risk management, internal control and compliance, and audit departments are to carry out audits, supervisory inspections and assessments of data security on a regular basis.
Fourth, strengthen data security assessment. Before carrying out relevant data processing activities, banking and insurance institutions are required to conduct a security assessment: analyze the data security risks and the impact on the rights and interests of data subjects in light of the purpose, nature and scope of the processing, and evaluate the necessity and compliance of the processing and the effectiveness of the prevention and control measures.
Fifth, establish a baseline for data security protection. Data is brought within the scope of the cybersecurity multi-level protection scheme; data centers and networks that store or transmit data graded sensitive or above receive key protection measures; effective access control measures are applied across the entire data lifecycle; and secure and effective transmission methods are used to ensure the integrity, confidentiality and availability of data.
4. What data security management responsibilities do the Measures stipulate?
Answer: The Measures require banking and insurance institutions to formulate data security protection strategies in line with national data security and development policies and their own development strategies. They must conduct security assessments of relevant data processing activities according to the purpose, nature and scope of the processing and in compliance with laws, regulations and ethical standards, analyzing the data security risks and the impact on the rights and interests of data subjects and evaluating the necessity and compliance of the processing and the effectiveness of the prevention and control measures. Data collection must follow the principles of "legality, legitimacy, necessity and integrity": the purpose, method, scope and rules of collection and processing must be clear, the collection process must be secure, data sources must be traceable, and no data may be collected beyond the scope agreed by the data subject. When data is shared within a financial group, a "firewall" must be set up to securely isolate the data of the head office (company) from that of its subsidiaries, and the shared data must be effectively protected. The Measures also set out corresponding security management requirements for specific processing scenarios such as data processing, entrusted processing, joint processing and data transfer.
Original link: https://www.cbirc.gov.cn/cn/view/pages/ItemDetail.html?docId=1155853&itemId=951&generaltype=2