Foreign companies operating in China are coming under investigation over cyber security violations as Beijing beefs up its control over cloud computing and the internet of things, sparking fresh concern among multinationals in the world’s second-largest economy.
Beijing is set to implement a strengthened regime of cyber rules under its existing “multilevel protection scheme” (MLPS) in December, according to documents seen by the Financial Times that are yet to be publicly announced. The rules are aimed at fortifying “national information security”, even as US-China commercial tensions flare.
But it has emerged that foreign companies are already being scrutinised for possible cyber security violations. Kent Kedl, partner at Control Risks, a global risk management firm, said at least two foreign companies that deal with consumer data in China had been under official investigation for several months.
“Officially nothing has been released but unofficially we do know companies that have been inspected,” said Mr Kedl, who declined to disclose the companies’ names or national affiliation.
However, Mr Kedl added: “We don’t think foreign companies are being picked on as authorities are also going after Chinese firms. This seems to be more related to the type of data, in this case data around individuals.”
Foreign companies say operating within China’s restrictive but vague regulatory cyber regime is increasingly challenging. They cite concerns they may be required to divulge business-critical data to Chinese authorities or that official inspections may result in a potential leak of their intellectual property to competitors.
Some are opting to reduce their exposure. Morgan Stanley is set to move a number of the back-office data jobs at its Shanghai office, according to people at the US investment bank. About 150 jobs would be affected, with most being relocated to elsewhere in Asia, the people said.
Morgan Stanley declined to comment.
“If companies are pulling out of China it doesn’t surprise me,” said Shaun Wu, a Shanghai-based lawyer who works for investigations firm Kobre & Kim. They are facing fundamental questions of how to “strike the middle ground” between continuing operations but minimising the risk they will face government enforcement.
Cyber security tension has fed into the Sino-US trade war, prompting some multinationals to re-evaluate their commitment to China. Oracle, the US software giant, said this month it was firing 900 staff from its China team, making up 60 per cent of its research and development effort there.
When China’s Cyber Security Law took effect in June 2017, it addressed all aspects of cyber security from network systems and facilities to data localisation and the protection of critical information infrastructure. Analysts and foreign companies have criticised it as extremely vague and exceptionally wide in scope.
The latest strengthening of the MLPS regime — which reinforces the cyber security law — is set to expand supervision over technologies including mobile internet, the internet of things, cloud computing, big data and industrial security systems, according to official documents. They indicate that in future, every link in the life cycle of a piece of equipment’s development will be supervised, checked and evaluated.
The new regulations are set to be formally announced as soon as this week, people familiar with the issue said.
Jake Parker, head of the US-China Business Council’s Beijing office, said: “We are concerned that it may lead to more government scrutiny with authorities monitoring a broader swath of foreign technology and information and communications technology.”
“These new national standards clearly indicate this is a priority for the authorities,” said Carolyn Bigg, a lawyer for DLA Piper in Hong Kong. “Businesses need to know about this and pay attention to them because regulators will expect compliance.”
Additional reporting by Nian Liu in Beijing