Measures for the Management of Information Security and Assurance in the Securities and Futures Industries Chapter I General Provisions Article 1 These Measures are formulated in accordance with Securities Law, Law on Securities Investment Fund, Regulation on the Administration of Futures Trading and the laws and administrative regulations concerning information security and assurance for the purpose of safeguarding the safe operation of securities and futures information system, strengthening the administration of information security in the securities and futures industries, promoting the stable and healthy development of the securities and futures markets and protecting the legitimate rights and interests of investors. Article 2 These Measures shall apply to the information security, assurance, management and supervision work in the securities and futures industries. Article 3 The information security and assurance work in the securities and futures industries shall follow the principle of “whoever operates takes responsibility and whoever uses takes responsibility” with security prioritized and development safeguarded. Article 4 The entities responsible for the information security and assurance in the securities and futures industries shall implement the national laws and administrative regulations concerning information security and the industry-related technical administration rules, technical rules, technical guidelines and technical standards, conduct information security work, protect the security of the transactions of investors and the security of their data, and bear responsibilities for the safe operation of information system of their own. The term “entities responsible” as mentioned in the preceding Article includes the institutions undertaking the public functions of the securities and futures markets, the institutions undertaking the operations of the IT public infrastructure in the securities and futures industries and other core institutions and their affiliates (hereinafter referred to as the “core institutions”) in the securities and futures markets, as well as securities companies, futures companies, fund management companies, securities and futures services institutions and other securities and futures operating institutions (hereinafter referred to as the “operating institutions”). Article 5 The institutions which carry out third-party depository business for securities companies clients’ settlement funds, the transfer and settlement business between banks and securities companies, between banks and futures companies and between banks and fund companies, and fund custody and sales business, shall safeguard the safe operation of relevant business systems in accordance with relevant regulations. Article 6 The suppliers who supply hardware and software products or technical services for the securities and futures industries (hereinafter referred to as the “suppliers”) shall ensure that the hardware and software products or technical services they provide are in line with national technical administration rules, technical rules, technical guidelines and technical standards concerning the information security in the securities and futures industries. Article 7 The China Securities Regulatory Commission (CSRC) shall support and assist national information security management departments to organize the implementation of information security-related laws and administrative regulations and implement the supervision and administration of the information security and assurance in the securities and futures industries in accordance with law. The local CSRC offices shall perform their regulatory functions in accordance with authorization. Article 8 The CSRC and local CSRC offices shall establish an information security coordination mechanism with national information security management departments and relevant industry management departments, and establish an information security cooperation mechanism with relevant national professional security institutions and the organizations for standardization. Article 9 The industry associations of securities, futures, securities investment funds (hereinafter referred to as the “securities and futures industry associations”) shall, in accordance with the provisions of these Measures, conduct the self-regulation management on the information security work of their members. Article 10 The core institutions shall, in accordance with the provisions of these Measures, supervise and guide the work of relevant market entities on their security and assurance of associated information systems. Chapter II Basic Requirements Article 11 The core institutions and the operating institutions shall have qualified infrastructure. The construction of infrastructure including equipment room, electricity, air conditioning, fire fighting and telecommunications shall be in line with the relevant provisions of the information security management in the industries. Article 12 The core institutions and the operating institutions shall establish reasonable network structure and divide security zones. Effective insulation shall be made among the security zones with the ability to prevent, monitor and block any damage from internal and external network attacks. Article 13 The core institutions and the operating institutions shall establish information systems which meet business requirements. The information systems shall have a reasonable framework, adequate performance, capacity, reliability, expansibility and security to support the operation and development of businesses. Article 14 The core institutions shall have the ability to develop independently such important information systems as transactions, prices, account opening, settlement, risk control, communications, have executive programs and source codes and store them safely and reliably, and conduct a rigorous review and testing on executive programs and source codes before any important information system is to be put into operation. Article 15 The core institutions and the operating institutions shall have the ability to protect against Trojan horses, viruses and other malicious codes so as to prevent malicious codes from causing damage to information systems and to prevent information from being exposed or tampered with. Article 16 The core institutions and the operating institutions shall establish a sound IT governance structure to specify the mechanism of power and responsibility of IT decision-making, management, implementation and internal supervision. Article 17 The core institutions and the operating institutions shall establish a sound IT management system and operating rules and strictly implement them. Article 18 The core institutions shall develop technical rules on the safe interconnection of information systems between the core institutions and relevant market entities and report to the CSRC for filing. The core institutions shall urge relevant market entities to implement technical rules in accordance with law. Article 19 The core institutions shall provide a variety of mutual backup remote access methods to ensure that relevant market entities can access safely, and conduct monitoring and management on the remote access of relevant market entities. Chapter III Requirements for Sustained Assurance Article 20 The core institutions and the operating institutions shall guarantee adequate and stable funding for IT investment and equip with sufficient IT staff. Article 21 The core institutions and the operating institutions shall, in accordance with industry planning and the development strategy of their own, develop informatization and information security development planning to meet the needs of business development and information security management. Article 22 When the core institutions and the operating institutions newly build, upgrade, change, or regenerate information systems or conduct other construction projects, they shall conduct sufficient verification and testing. Article 23 When such important information systems are put into operation or undergone major change of upgrading as transactions, prices, account opening, settlement, communications of the core institutions, relevant market entities shall be organized to conduct networking tests and a report shall be made as stipulated. Article 24 The core institutions and the operating institutions shall regulate the operation and maintenance of the IT infrastructure and important information systems so as to guarantee the safe and stable operation of the systems. Article 25 The core institutions shall guide relevant market entities to operate and maintain properly the systems and communication facilities which are interconnected with these institutions. Article 26 The core institutions and the operating institutions shall establish data backup facilities and save backup data in the same city and offsite as stipulated. Article 27 The core institutions and the operating institutions shall establish failure backup facilities and disaster backup facilities of important information systems to guarantee the continuation of business activities. Article 28 The core institutions and the operating institutions shall, as stipulated, submit data to the securities and futures industry data center designated by the CSRC. The submitted data must be truthful, complete, accurate and timely. The securities and futures industry data center shall, in accordance with the relevant provisions of the CSRC, conduct the collective saving of industry data to make sure that the data is safe, complete and reliable. Article 29 The core institutions shall be responsible for constructing and operating the industry IT public infrastructure. Article 30 The core institutions and the operating institutions shall strengthen the management of information security and confidentiality to protect the security of investors’ information. Article 31 The core institutions and the operating institutions shall establish network and information security risk detection, monitoring, assessment and early warning mechanisms, timely dispose of any potential risk which is found and make a report thereof as stipulated. Article 32 The core institutions and the operating institutions shall establish information security emergency response mechanisms, timely dispose of information security emergencies and restore the normal operation of information systems as soon as possible, and make a report thereof as stipulated without any delay, omission or concealment. The core institutions and the operating institutions shall conduct an internal investigation on information security incidents, investigate accountability and take corrective measures, and cooperate with the CSRC and the its local offices in investigating and disposing of the incidents. The suppliers who supply hardware and software products or technical services which are related to the information security incidents occurred to the core institutions and the operating institutions shall cooperate with the investigation. Article 33 The core institutions shall organize relevant market entities to do the information security emergency drill once a year, and make a report thereof to the CSRC prior to the implementation. Article 34 The core institutions and the operating institutions shall train IT staff to ensure that they have the ability to fulfill their duties. Article 35 The core institutions and the operating institutions shall establish an information security internal audit system, regularly carry out internal audit and rectify any problem found. Chapter IV Requirements for Procurement of Products and Services Article 36 The core institutions and the operating institutions shall establish a supplier management system to find out and assess the qualification, professional experience, and product and service quality of the suppliers on a regular basis. Article 37 When the core institutions and the operating institutions procure hardware and software products or technical services, they shall enter into contracts and confidentiality agreements with the suppliers and shall expressly specify the rights and obligations on information security and confidentiality in the contracts and confidentiality agreements. When the procurement contracts involve such software products or technical services as securities and futures transactions, prices, account opening and settlement, it shall be specified that the suppliers must accept the extended investigation on information security conducted by the CSRC and the its local offices. Article 38 The hardware and software products or technical services which the core institutions and the operating institutions have procured shall meet the requirements of the prudent operation and risk management. If the hardware and software products or technical services fail to meet the requirements and affect the sustained operation of the core institutions and the operating institutions, the CSRC is entitled to request the core institutions and the operating institutions to improve or replace the same. Chapter V Industry Self-regulation Article 39 The securities and futures industry association shall formulate IT guidelines to urge and guide its members to implement national and industry regulations and technical standards on information security. Article 40 The securities and futures industry association shall guide the industries to strengthen the construction of IT talent team, regularly organize IT training and exchange and improve the executive quality of IT staff. Article 41 The securities and futures industry association shall guide and encourage the IT research and innovation of the industries, enhance self-control ability, organize science and technology awards and promote scientific and technological progress of the industries. Article 42 The securities and futures industry association shall guide the suppliers to participate in the work of informatization and information security in the industries in compliance with regulations, promote fair competition in the market, and promote the common development of the suppliers and relevant market entities. Chapter VI Supervision and Management Article 43 The CSRC shall establish an information security supervision and management system with unified organization and graded responsibility bearing. The information security management department of the CSRC shall be responsible for the organization, coordination and guidance of information security work in the securities and futures industries; relevant business regulatory departments shall conduct supervision and inspection on the information security of the core institutions and the operating institutions in accordance with the scope of duties; and the local CSRC offices shall conduct supervision and inspection on the information security of the operating institutions within their jurisdictions in accordance with their authorization. Article 44 The CSRC shall organize the formulation of administrative regulations and technical standards on information security in the securities and futures industries in accordance with law. Article 45 The CSRC and its local offices shall, in accordance with the scope of duties, conduct investigation on the information security of the core institutions and the operating institutions or entrust relevant professional security institutions of the state or the industries to conduct security inspections. The core institutions and the operating institutions shall cooperate in the inspection. If the information security management of the core institutions and the operating institution fail to meet the specified requirements, the CSRC and its local offices shall order them to make rectifications within a time limit, and part or whole of their securities and futures business operation activities may be suspended or restricted prior to rectification. Article 46 The CSRC and its local offices may request the core institutions and the operating institutions to provide materials on information security. The core institutions and the operating institutions shall provide relevant materials timely, accurately and completely. Article 47 The CSRC shall organize the formulation of an information security emergency preplan in the securities and futures industries, and urge and guide the industries to conduct information security emergency work. Article 48 The CSRC is entitled to investigate and dispose of the information security incidents of the core institutions and the operating institutions. For the information security incidents which damage the legitimate rights and interests of investors or affect the safe and stable operation of the securities and futures markets, the CSRC shall take supervision and management measures against or impose administrative penalties on relevant entities. Article 49 The CSRC shall circulate a notice on system vulnerabilities, potential safety risks and product defects in the whole industries. Article 50 If the core institutions and the operating institutions are in violation of the provisions of these Measures, the CSRC may, depending on the circumstances, take measures against them such as ordering correction, holding regulatory interviews, issuing letters of admonishment, public reprimand, ordering regular reporting, ordering a disciplinary action against the relevant persons, cancelling office qualifications and suspending or restricting the activities of the securities and futures business operation; if circumstances are serious, they shall be subject to warning or fining. Chapter VII Supplementary Provisions Article 51 These Measures shall come into force as of November 1, 2012. The Temporary Measures for the Management of Information Security and Assurance in the Securities and Futures Industries (No. 5 [2005] of the China Securities Regulatory Commission) shall be repealed simultaneously.