Accounting firms should conduct risk assessments of clients to avoid falling foul of China’s cybersecurity law
Accounting firms operating in China must remain vigilant if they are to avoid the risk of indirect association with a client who violates China’s cybersecurity law
A new cybersecurity law to be implemented across China in June will target critical information infrastructure (CII) and network operators, increasing the extent to which operators must cooperate with criminal and national security investigations.
“Bigger accounting firms with diversified service lines such as big data or cloud computing would be subject to the new cybersecurity law,” says BDO senior manager of Risk Advisory Ricky Liu. “Accounting firms and all other businesses need to conduct risk assessments of their clients and business partners to reduce the likelihood of unknowingly aiding in illegal cyber activities,” Liu adds.
The law’s scope is broad and vaguely worded, so many organisations fall under its umbrella. “The ambiguity that lies in the language would allow regulators to expand the scope when deemed necessary, and we therefore believe that accounting firms fall under scope, as a lot of sensitive client data are being transferred, reviewed and retained by accounting firms,” says Jason Yau, partner, Technology and Management Consulting, RSM Hong Kong.
Indeed, firms that serve clients from a variety of industries should stay extra vigilant, says BDO director and head of Risk Advisory Ricky Cheng. “There is a risk of indirect association with a client who violates the China cybersecurity law, potentially resulting in the accounting firm being asked to provide sensitive client information,” says Cheng.
Firms may need to carry out risk assessments of their clients and put standard operating procedures in place, particularly for clients engaged in cross-border data transfer or operating in critical infrastructure sectors, a non-exhaustive list of which includes information services, energy, transportation, water, finance, scientific research, manufacturing, medical and health, and social security.
CII operators must store personal information and important business data inside China, and may be subject to an additional security assessment if they want to transfer data outside of China. In the face of this new legislation, accounting firms will need to take a proactive stance.
One area that has caused concern is Article 39, which requires companies to provide technical support to the authorities and has raised fears about the protection of intellectual property. Other provisions require organisations to monitor and report network security incidents, and prohibit using the internet to endanger national security, promote terrorism, spread false information that disturbs the economic order, or incite separatism, all of which give the authorities broad scope for enforcement.
Qualcomm is one company that has already been caught in the crossfire of Chinese regulatory enforcement, receiving a US$975 million antitrust fine in 2015 and being forced to reduce royalty rates on its patents, while Microsoft has also been under scrutiny. “Many believe this could be the beginning where Beijing will ask technology firms to hand over source code and other trade secrets,” says Yau. “Given the weaknesses of China’s enforcement of laws around intellectual property, it is easy to see how trade secrets can potentially fall into the hands of Chinese competitors at the expense of foreign firms.”
Will this lead to companies being forced out of business in China? “Businesses may decide to continue operating in China, but strategically moving some infrastructures to other jurisdictions and separating and relocating non-Chinese data offshore as much as possible to limit exposure to the new cybersecurity law,” says Liu.
While the Chinese market is seen to have so much potential that compliance is the only way forward for many, “the legislation is perceived as stalling innovation, or favouring indigenous innovation in China, where specific standards or regulations are enacted with the purpose to prevent non-Chinese firms accessing the Chinese market,” says Yau.