See Webinar Recording at https://resource.alibabacloud.com/webinar/detail.htm?webinarId=8
This presentation features a comprehensive introduction to China’s Cybersecurity Law, including analysis of key articles and their implementation so far. It aims to provide a roadmap to help global companies understand regulatory risks related to network security, content security, personal information protection and data cross-border transfer.
More Webinars: https://resource.alibabacloud.com/webinar/index.htm
Blog: Navigating Through China's Cybersecurity Legislation
https://www.alibabacloud.com/blog/Navigating-Through-China's-Cybersecurity-Legislation_p570635
ICP License: www.alibabacloud.com/icp
China Connect: www.alibabacloud.com/chinaconnect
2. Content Overview
01 Key Regulatory Risks for Global Companies in China (Slide No. 6)
02 Introduction to Alibaba Cloud's Compliance Solutions (Slide No. 16)
3. Cybersecurity Law Timeline
(The original slide is a table with one column per date and three rows: type of instrument (law or draft), name of the regulation/law, and its influence. It is flattened here into a dated list.)
1994.02 – State Council: Regulations on Security Protection of Computer Information Systems
2000.04 – Ministry of Public Security: Administrative Measures for Prevention and Treatment of Computer Viruses
2000.09 – State Council: Administrative Measures for Internet Information Services
2007.06 – Ministry of Public Security and five other ministries: Administrative Measures for Hierarchical Protection of Information Security
2014.02 – Central Leading Group for Cyberspace Affairs established
2015.06 – The 12th National People's Congress deliberates the Cybersecurity Law (Draft)
2015.07 – NPC Standing Committee members and other parties: Cybersecurity Law (Draft)
2015.12 – 2nd World Internet Conference: "Call for closer cooperation in cyberspace governance"
2016.07 – Cybersecurity Law (Draft), second deliberation; the Cybersecurity Law (Draft) for Second Deliberation is released on the National People's Congress website for public comment
2016.11 – The Cybersecurity Law of the People's Republic of China is adopted by the Standing Committee of the 12th National People's Congress
2017.04 – Cryptography Law (Draft) released for public comment; measures for the security assessment of cross-border transfers of personal information and important data released for public comment
2017.06 – The Cybersecurity Law takes effect on June 1, 2017
5. Security/Compliance FAQs from Foreign Companies
Topics raised: Local Branch Registration; ICP Licensing/Filing; Content Violations; Network Security Requirements; Personal Information Protection; Cross-border Data Transfer.
Questions asked about each topic:
• Fines and penalties?
• Grace period?
• Cost and timeline of compliance?
• Data security?
• Government's access to data?
6. Key Regulatory Risks (Cybersecurity Law)
Network Security Risks
• Vulnerability management
• Prevent computer viruses and cyber attacks
• Store network logs for at least six months
• Emergency response
• Management and training
Content Security Risks
• Recognize and prevent prohibited images
• Prohibited texts
• Prohibited videos and audio
Personal Information Protection
• Real identity verification
• Data collection
• Data transfer
• Data storage
Cross-border Data Transfer
• Risk self-assessment
• Risk assessment by the authorities
7. Fines & Penalties
Art. 59 – Failure to perform network security protection duties. Fine: between RMB 10,000 and 100,000.
Art. 60 – Failure to immediately take remedial measures for security flaws and vulnerabilities. Fine: between RMB 50,000 and 500,000.
Art. 61 – Failure to require users to provide truthful identity information. Fine: between RMB 50,000 and 500,000, which may be combined with a temporary suspension of operations, closing of the website, and cancellation of business licenses.
Art. 64 – Infringement of personal information. Fine: between one and ten times the amount of the unlawful gains (up to RMB 1,000,000 where there are no unlawful gains).
Art. 68 – Failure to stop the transmission of prohibited information. Fine: between RMB 100,000 and 500,000, which may be combined with a temporary suspension of operations, closing of the website, and cancellation of business licenses.
In practice, the most severe penalties for network operators are suspension of business or shutdown of the website.
8. Examples of Increasing Regulatory Pressure
• Inspections by both central and local authorities
• Increasing penalties
• High PR risks
10. Alibaba Cloud Cybersecurity Compliance Solutions
Business Licensing Requirements
• ICP filing/licensing consulting and application services
Network Security Risk Management
• Vulnerability management and repair
• Virus and cyber attack prevention
• Personnel training
• Network log storage
• Emergency response
Content Security
• Prohibited image recognition
• Prohibited text recognition
• Video and live streaming solutions
• Social media and e-commerce solutions
Personal Information Protection
• Real identity verification
• Data encryption
• Data leakage prevention
Data Cross-border Transfer Risk Management
• Data cross-border transfer consulting service
• Data cross-border transfer self-assessment consulting
• Data cross-border transfer authority assessment consulting
11. Why Alibaba Cloud? Why Now?
Why Alibaba Cloud?
• Comprehensive products and services
• In-house public policy team and collaboration with policy makers
• One-stop compliance solutions
• Alibaba Cloud is CSL ready
Why Now? Taking Action
• Increasing regulatory pressure. Several companies have already been penalized.
• Global companies are investing more in compliance in China.
• Protecting personal information and ensuring cyber security is a global trend.
13. ICP Filing/License
ICP Filing (non-commercial websites)
- All websites hosted in mainland China need to apply for ICP Filing
ICP License (commercial websites)
- Required for all commercial websites
- The applicant must be registered in China, with its IDC and domain in China; further conditions depend on the business content and on the specific requirements of the local communications authorities
15. Article 21, China Cybersecurity Law
Network operators shall perform the following security protection duties:
01 Formulate internal security management systems, determine persons responsible for network security, and implement network security protection responsibility.
02 Prevent computer viruses, network attacks, and intrusions.
03 Monitor and record network operational status and security incidents; store network logs for at least six months.
04 Data classification, back-up of important data, and encryption.
17. Security & Compliance Certifications
• ISO/IEC 27001 Information Security Management System
• The first cloud service provider worldwide to achieve CSA STAR Gold certification
• ISO/IEC 20000-1:2011 IT Service Management System
• ISO/IEC 22301:2012 Business Continuity Management System
• Multi-Tier Cloud Security (MTCS) SS 584:2015 (Level 3 IaaS certification)
• PCI compliant, AICPA SOC 2, DJCP, MPAA, HIPAA
19. Article 47, China Cybersecurity Law
"Network operators shall strengthen management of information published by users."
"… and upon discovering information that the law or administrative regulations prohibits … they shall immediately stop transmission of that information, employ handling measures such as deleting it, to prevent the information from spreading, save relevant records, and report it to the relevant competent departments."
20. Content Security Solutions
Alibaba Cloud Information Compliance provides image, text and video recognition based on Alibaba Cloud big data technology to protect your brand from association with illicit or otherwise illegal and brand-damaging activity.
Capabilities by year of release:
2015: Pornography Detection, OCR, Text Recognition, Video Recognition
2016: Sensitive Graph, Sensitive Content, SPAM
2017: Branding Logo, Audio Recognition, Customized Service
Video Pornography
• CDN Detection
• OSS API Detection
• Frame-based Image Detection
Image Pornography
• OSS Image Pornography Detection
• Pornography Detection API
22. Articles 24, 41, 42 - China Cybersecurity Law
"Network operators shall require users to provide real identity information when signing agreements with users or confirming provision of services." (Article 24)
"… abide by the principles of legality, propriety and necessity; explicitly stating the purposes, means, and scope for collection and usage, and obtaining the consent …" (Article 41)
"… prevent personal information from leaking, being destroyed or lost. … report to regulating authorities upon any leakage, destruction or loss of personal information." (Article 42)
23. Personal Information Protection – Real Identity Verification
Based on user-submitted information, Real Identity Verification is an ID authentication solution that leverages Alibaba Cloud facial recognition and a big data risk management model to detect ID fraud.
Components: ID Authentication, Facial Recognition, Fake ID Authentication.
ID Authentication
• Name and ID pair matching
• OCR support
Facial Recognition
• Static comparison
• Interactive authentication
Fake ID Authentication
• Identify fraudulent IDs, phone numbers and devices
• High-performance check against a known database
25. Personal Information Protection – Anti-hacking
• Risk overview of your network and assets
• Vulnerability management
• Asset management
• Incident response and 24/7 services
• Find vulnerabilities in your system through community white hats
• 0-day mitigation
• Anti-bot service
• Data leakage protection
27. Article 37, China Cybersecurity Law
"Personal information and other important data gathered or produced by critical information infrastructure operators during operations within the mainland territory of the People's Republic of China shall be stored within mainland China. Where due to business requirements it is truly necessary to provide it outside the mainland, they shall follow the measures jointly formulated by the State network information departments and the relevant departments of the State Council to conduct a security assessment."
28. Data Cross-border Transfer Risk Management
Definition
Data cross-border transfer: personal information or important data collected or generated domestically by a network operator being sent to an overseas company, organization or individual via a network or other means.
Scenarios
• Transferring client information collected in China to an overseas HQ.
• Transferring Chinese employees' personal information to an overseas HQ.
• Your clients transferring data overseas using your platform.
• Transferring client information collected in China to third-party consulting or auditing agencies or contractors.
29. Data Cross-border Risk Management
Data Cross-border Transfer Legitimacy and Legality
• Definition of legitimacy and legality
• Allowed transfers
• Two-tiered assessment: conditions for self-assessment and for assessment by the authorities
Risk Management
• Responsibility boundaries
• Managing risk after data is transferred overseas
Data Cross-border Risk Management (services)
• Overall risk assessment
• Self-assessment consulting
• Authority inspection consulting
• Result reviewed and tested by the authority
30. Compliance Consulting Service Methodology
01 Compliance Survey
02 Gap Assessment
03 Compliance Strategy
04 Change Implementation
05 Result Testing
31. Alibaba Cloud Cybersecurity Compliance Solutions
Business Licensing Requirements
• ICP filing/licensing consulting and application services
Network Security Risk Management
• Vulnerability management and repair
• Virus and cyber attack prevention
• Personnel training
• Network log storage
• Emergency response
Content Security
• Prohibited image recognition
• Prohibited text recognition
• Video and live streaming solutions
• Social media and e-commerce solutions
Personal Information Protection
• Real identity verification
• Data encryption
• Data leakage prevention
Data Cross-border Transfer Risk Management
• Data cross-border transfer consulting service
• Data cross-border transfer self-assessment consulting
• Data cross-border transfer authority assessment consulting