A few words on cybersecurity compliance in China
Clients not located in the People’s Republic of China might still find this article relevant as it highlights Siveco’s compliance to some of the world’s strictest cybersecurity and personal information protection laws, those of China and the European Union.
For Siveco China, this year’s Cybersecurity Week (September 14-20) was very much like all the other weeks. We however took the time to recap our cybersecurity initiatives and to run a special training session for our staff.
Since the 18th National Congress of the Communist Party of China in 2012, the government has stepped up efforts to strengthen cybersecurity. In June 2017, the Cybersecurity Law took effect, China’s first fundamental legal document on governing online security and was followed by numerous regulations and implementation guidelines, many issued during 2018 and 2019. Meanwhile, in 2018, the European Union passed the General Data Protection Regulation (GDPR), known as the toughest privacy and security law in the world, although it can be argued that current Chinese regulations are even tougher.
Cybersecurity has always been at the heart of Siveco’s business as IT solution provider and industrial risk management specialist
As a company providing digital solutions for Industrial Risk Management & Maintenance, with most of our clients running 24/7 operations of plants or infrastructures, Siveco has always been, as part of our daily work, keenly aware of cybersecurity risks and has long had in place processes and tools to protect our assets, our data and those of our clients using our software.
Siveco China is subject to cybersecurity and information protection laws, first as a business using IT tools and processing client data, second as a provider of IT solutions used by clients who are themselves subject to the law. Siveco China operates in China but also in many other jurisdictions where our clients are located: thus, we must operate in compliance with all applicable laws and regulations.
As part of the company’s Risk Management procedures, Siveco China was, for many years already, compliant with internally-defined cybersecurity practices based on European standards and managed under the company’s Quality Management System (ISO 9001:2015 certification by Bureau Veritas maintained since March 2015).
Actions taken by Siveco to ensure compliance with the new Chinese cybersecurity and information protection laws
When the new laws were announced in 2016, but long before clear implementation guidelines were released, Siveco China’s management team launched investigations with the help of third-party technical experts and lawyers. During this phase, we benefited from our experience with large multinationals with strong global cybersecurity practices: our solutions and services successfully passed stringent security audits and penetration tests conducted by Arkema, Carrefour China, the French Ministry of Foreign Affairs (for the French Embassy in Beijing), Saint Gobain, Singapore Power and others.
This preparation period led, in October 2019, to the introduction into our Quality Management System of updated cybersecurity and personal data protection procedures, fully compliant with the new Chinese laws, but also maintaining voluntary compliance with EU’s GDPR (which legally does not apply to Siveco China as we do not operate in Europe).
As mandated by Chinese laws, we implemented a proactive and holistic approach that included: nominating a cybersecurity officer and conducting yearly self-assessment. Strong self-assessment guidelines were defined in reference to the ISO 31000 Risk Management and ISO 55000 Asset Management standards, which Siveco team members were already familiar with, considering the nature of our business. Our procedures cover all our internal systems, systems delivered to clients, our software development (including cybersecurity and personal data protection guidelines and documentation for our software products) and concern all the company’s departments. Training was conducted to all our staff and added in the induction process for new staff. A continuous improvement process was put in place, ensuring full traceability of all actions.
The first self-assessment was completed in November 2019, resulting in actions that were immediately put into application, reviewed during the monthly management meeting. The self-assessment was reviewed and updated, as defined in our Quality Management System, during the half-year management review in July 2020. A new self-assessment will be performed every year.
The new procedures were immediately stress-tested by the COVID19 crisis… immediately followed by the annual ISO 9001 surveillance audit that took place in March 2020, during which Bureau Veritas auditors put our cybersecurity compliance under special scrutiny, with particular interest for how we maintained a strong adherence to our processes at the worst of the crisis (staff working from home and remote access to clients during most of February). The positive outcome of the audit was very encouraging in these difficult times!
Actions taken by Siveco to assist our clients in their compliance efforts
In parallel we launched specific communication towards our client base, in particular customers considered most at risk, to help create awareness of the new laws and see how we could help.
In the past two years we had already ran information campaigns, for example on server reliability, backup systems and the risks of using obsolete version of Windows not supported any more by Microsoft and comprising security loopholes. We contacted China-based clients who chose to host their systems outside of China (only a handful of our customers) to explain the major risks involved under the Chinese law, not to mention existing speed and unreliability issues due to the particular setup of China’s international internet connection.
Our general observation is that many mid-size multinationals are unaware of Chinese law or their global IT team does not believe it applies to them: this represents massive risks. We again, respectfully, would like recommend that legal and IT departments formally assess the risks and inform their headquarters of local regulations. Chinese customers (the majority of our client base being public infrastructures) and larger multinationals, on the other hand, are well aware of the law and often dedicate specific IT budgets to ensure compliance. Having been through the process within our own organization, we would like to highlight that ensuring compliance requires a dedicated, continuous effort, time and money.
Companies using Siveco’s Smart O&M solutions, when conducting their cybersecurity self-assessment, are welcome to contact our Customer Support team. We offer a dedicated service package to help assess compliance, identify loopholes and provide supporting documentation for the systems provided by Siveco. Large customers conducting in-depth due diligence of their suppliers are also welcome to review our cybersecurity processes and more generally our Quality Management System. Although the responsibility for compliance lies with the company using or operating the system, the software provider should be able to assist and to demonstrate its own compliance!
To existing clients, we recommend:
–
Inform yourself (at management level, IT and legal departments) about China’s cybersecurity laws and how they impact your IT systems, your processes, your data, your users, in particular when it comes to your Smart O&M solutions.
–
Contact our Customer Support team for any question. Our hotline can address basic question and provide a specific service package if needed to help you ensure compliance, to prepared for internal or external audits, etc.
To potential clients looking for Smart O&M solutions, we recommend that you do forget to assess potential supplier’s awareness and preparedness in terms of compliance with cybersecurity laws.
Tags: cybersecurity
