China is once again making it more difficult for international organizations to conduct business in the country. Last year, the China Insurance Regulatory Commission (CIRC) announced draft rules that would require insurance carriers to buy and utilize “secure and controllable” solutions for IT.
The current regulations already require all Chinese data for insurance products to be stored in China. The new rules will force insurance companies to prioritize purchasing “secure and controllable” hardware, software, and encryption technologies from Chinese companies.
The draft proposal, which is currently under review by the World Trade Organization (WTO), has already received some backlash from foreign businesses claiming the new regulations, if approved, will put up significant roadblocks for international companies doing business in China. China counters that the need for the new regulations is due to always-increasing cybersecurity threats. Foreign businesses, in turn, say that the draft measures are intentionally ambiguous and do little to improve cybersecurity; the rules will, however, force companies to use technologies developed or manufactured in China, which would put foreign businesses at the mercy of Chinese technologies, should they choose to do business in China. Understandably, international business groups are wary of the viability and intent of Chinese made technologies, given the country’s well-known stance on censorship. In a letter to Xiang Junbo, chairman of the CIRC, more than two dozen businesses from the U.S., U.K., Japan, Canada, and Europe put forth disagreement with the proposed rules based on China’s plans to incorporate data localization mandates and “cases of disproportionate burdens on foreign-invested insurers and discrimination against foreign technology suppliers.”
Can you tell a green field from a cold steel rail?
The Cyber Security Association of China has already announced plans to bolster the country’s cybersecurity posture by instituting strict guidelines for how businesses and citizens use the internet; the government wants 100% visibility and control, and it seems they’ll go to great lengths to ensure they get it. While the draft CIRC rules appear on the surface to affect only insurance companies, foreign businesses fear that this is yet another poorly disguised step by a government that is quickly striding towards becoming the world’s number one superpower, using technology and the threat of cybercrime as a means to get there. In support of that argument, business point to “Internet Plus,” a five-year “cyber power strategy” unveiled earlier this year. According to a Reuter’s report, “Internet Plus” will allow China to “increase Internet control capabilities, set up a network security review system, strengthen cyberspace control, and promote a multilateral, democratic and transparent international Internet governance system.”
The same old fears
While the CIRC proposal is at center stage right now, China has floated similar regulations in other industries before and is sure to draft more in the future. With tensions between China and many countries already high, international businesses aren’t likely to trust China with cybersecurity and privacy. Market share is always a concern for global countries, but how far a business would be willing to go to gain market share—and potentially lose any competitive advantage to eavesdropping and surveillance—is yet to be determined.