Hong Kong companies that consider going public are required to undergo a cybersecurity test. This obligation only applies if the company processes data that could endanger national security. It is still unclear what exactly the Chinese government means by this.
This is evident from a draft proposal published on Sunday by the Chinese regulator, Bloomberg writes.
New legislation against tech companies entered into force
The Chinese government and Chinese technology companies have been battling each other for some time. Last summer, Xi Jinping, the president of the People’s Republic of China, presented a series of proposals to regulate Chinese tech companies. For example, fake reviews were banned, intellectual property was given better protection, and tech companies such as Tencent and Alibaba are not allowed to make it technically impossible for customers to use each other’s services.
At the beginning of this month, a new law came into effect to better safeguard the online privacy of Chinese internet users. Since then, technology companies have been legally obliged to improve the storage of personal data. The principle of data minimization – only collecting data that is necessary to offer a service – is now also laid down in law. Furthermore, rules have been formulated under which tech companies may collect personal data, and regular audits must be carried out to ensure that information security is in order.
Companies that violate the new rules can count on hefty fines. The Chinese regulator PCPD is allowed to impose sanctions in ‘serious cases’ that can amount to 6.8 million euros, or 5 per cent of the total annual turnover. The PCPD may also force companies to cease operations or revoke their business license.
Chinese government considers mandatory cybersecurity test
However, that does not appear to be the case. The American news agency Bloomberg reports that a plan is currently on the table that requires tech companies in Hong Kong to take a cybersecurity test if they want to go public. If this IPO has potential implications for China’s national security, they must undergo this mandatory test.
What is meant by ‘national security’ is not explicitly spelt out in the forthcoming law. However, it does say something about internet companies that “collect large amounts of data that are relevant to the security, economic development or the public interest of the country”. If such parties are acquired, merged or restructured and that may have an impact on national security, a cybersecurity assessment is mandatory.
Companies that process personal data of one million users or more must undergo the cybersecurity test, the Chinese regulator said in a statement. Earlier this summer, anonymous sources told Bloomberg that China wanted to make an exception for Hong Kong tech companies. Xi Jinping has apparently backtracked on that.
The draft proposal is currently being discussed. After December 13, the government wants to make a final decision on the legislation.
IT statement as part of loan
China is not the only country considering a mandatory cybersecurity assessment. In our country, there are also calls for a so-called IT statement. Companies that want to take out a loan would then have to demonstrate that they are doing their best to make the company digitally resilient against ransomware, DDoS attacks and other cyber threats. The IT statement would become a mandatory part of an auditor’s statement.
According to Marc Welters, director of Norea, the professional association for IT auditors and creator of the initiative, there is broad support from companies, banks, investors and accountancy firms. “We are one of the most digitized countries. Other countries, including the US, do more on paper. It is therefore important that we also lead the way in control,” he told the Financieele Dagblad in August.
Experts believe that a mandatory IT statement is a good way to make Dutch businesses less vulnerable to digital attacks. “In practice, such a statement can very quickly change from a ‘nice to have’ to an obligation. Financiers want certainty about the IT systems when they do business with a company,” said Wido Dalhuisen of accountancy firm BDO.