BEIJING (Reuters) - Foreign business lobbies have asked China to substantially revise proposed cyber security regulations for the insurance industry, signaling a dispute that started with the publication of similar bank technology rules earlier this year may widen.
The draft regulations, announced by the China Insurance Regulatory Commission (CIRC) last month, state that insurance companies, along with their holding companies and asset managers, should prioritize the purchase of “secure and controllable” products, including domestic encryption technologies and local hardware and software.
More than 20 foreign business lobbies, including the American Chamber of Commerce, the American Council of Life Insurers, and Japan Electronics and Information Technology Industries Association (JEITA), stated that such provisions would run counter to global information security standards, in a joint letter to CIRC which they delivered at the end of last month.
“We urge CIRC to avoid the risks associated with exclusive reliance on localized solutions, prescriptive technologies and restrictions on data flows,” the lobby group said in the letter.
“By excluding foreign technology that may be the most secure, this approach is likely to result in less secure digitalized operations,” they said
The business lobbies, which represent insurance firms and tech companies from the United States, Canada and Europe, also called on CIRC to provide sufficient time for consultation.
Reuters obtained a copy of the letter, and people who saw the version sent to the regulator confirmed its contents.
An official at JEITA, who declined to be named as they were not authorized to speak to the media, said the letter was sent because the draft rules because they were unclear and biased towards Chinese products among other concerns.
The insurance regulator did not respond to requests for comment.
China’s extension of its national security standards to the insurance sector may revive a source of ongoing tension between Washington and Beijing.
In September 2014, the China Banking Regulatory Commission (CBRC) and other state authorities jointly released an internal guidance document on the application of “secure and controllable information technology” for the banking industry.
The subsequent draft cyber banking regulations, which effectively required foreign companies to surrender key technologies such as source code and encryption algorithms to Chinese authorities, drew criticism from the U.S. government.
Implementation was publicly suspended in April, in what was seen as a diplomatic victory for the Obama administration.
In August, however, officials from the banking regulator told representatives of several Western tech firms that they would seek opinions on a new version of the bank procurement rules.
Financial industry experts said it is unclear whether China’s insurance regulator will revise its rules in response to the business lobbies’ comment.
On October 30, the CIRC extended its comment period on the draft rules by two weeks until November 15, a move which critics of the regulations said could be significant.
Additonal reporting by Shu Zhang in BEIJING and John Ruwitch and Kazunori Takada in SHANGHAI; Editing by Miral Fahmy