Financial regulatory authority: Banks and insurance institutions should establish data security technology protection systems for diverse and heterogeneous environments such as big data.

27/12/2024
GMT Eight
On December 27, the China Banking and Insurance Regulatory Commission issued the Data Security Management Measures for Banking and Insurance Institutions. Banking and insurance institutions should establish a data security technology protection system for diverse and heterogeneous environments such as big data, cloud computing, mobile internet, and the Internet of Things. They should develop a data security technology architecture, clarify data protection strategies and methods, adopt technical measures, and ensure data security. Banking and insurance institutions should incorporate data security protection into the information system development lifecycle framework, clearly define security protection requirements for sensitive and above-level data, and synchronize the planning, construction, and use of data security protection measures with information systems.

The original text states:

Circular of the China Banking and Insurance Regulatory Commission on Issuing the Data Security Management Measures for Banking and Insurance Institutions

Jin-Gui [2024] No. 24

To all financial regulatory authorities, policy banks, large commercial banks, joint-stock banks, foreign banks, direct banks, financial asset management companies, financial asset investment companies, wealth management companies, insurance group (holding) companies, insurance companies, insurance asset management companies, pension management companies, insurance professional intermediary institutions, financial holding companies, and all main regulatory units:

We hereby issue the "Data Security Management Measures for Banking and Insurance Institutions" to you for implementation.
China Banking and Insurance Regulatory Commission
December 27, 2024

(This document is sent to the regulatory branches and to legal-person banking and insurance institutions.)

Data Security Management Measures for Banking and Insurance Institutions

Chapter I General Provisions

Article 1 These measures are formulated in accordance with the Data Security Law of the People's Republic of China, the Cyber Security Law of the People's Republic of China, the Personal Information Protection Law of the People's Republic of China, the Banking Supervision and Management Law of the People's Republic of China, the Commercial Banking Law of the People's Republic of China, the Insurance Law of the People's Republic of China, and other laws and regulations, in order to standardize data processing activities in the banking and insurance industries, ensure data security and financial security, promote the reasonable development and utilization of data, protect the legitimate rights and interests of individuals and organizations, and maintain national security and public interests.

Article 2 The banking and insurance institutions referred to in these measures are policy banks, commercial banks, rural cooperative banks, rural credit cooperatives, financial asset management companies, enterprise group finance companies, financial leasing companies, automobile finance companies, consumer finance companies, money brokerage companies, trust companies, wealth management companies, insurance companies, insurance asset management companies, and insurance group (holding) companies established within the territory of the People's Republic of China.

For data processing activities involving state secrets, the provisions of the National Security Law of the People's Republic of China and other relevant laws and administrative regulations apply. Where the relevant competent authorities have other provisions, those provisions must be complied with.
Article 3 The term "data" in these measures refers to any record of information in electronic or other form. Data processing refers to the collection, storage, use, processing, transmission, provision, sharing, transfer, publication, deletion, destruction, and similar handling of data. Data security means managing and controlling data processing activities and application scenarios through necessary measures, so that data is always in a state of effective protection and lawful use, and having the ability to maintain that secure state continuously. Data subject refers to the natural person identified by the data or his or her guardian, or the enterprise, institution, social group, or other organization identified by the data. Personal information refers to any information related to identified or identifiable natural persons recorded electronically or in other ways, excluding information that has been anonymized. Big data platform refers to infrastructure for the storage, computing, and analysis of big data, including data statistics and analysis platforms and big data processing platforms (such as data lakes and data warehouses).

Article 4 The China Banking and Insurance Regulatory Commission and its dispatched agencies are responsible for supervising and managing data security in the banking and insurance industries, formulating and issuing regulatory rules and regulations, and supervising and inspecting the fulfillment of data security protection obligations by banking and insurance institutions.

Article 5 Banking and insurance institutions should establish a data security governance system suited to their business development goals, establish sound data security management systems, build security protection mechanisms covering the entire data lifecycle and all application scenarios, conduct data security risk assessment, monitoring, and disposal, and ensure that data development and utilization activities proceed safely and stably.
Banking and insurance institutions conducting data processing activities over the internet and other information networks should fulfill their data security protection obligations on the basis of the network security level protection system.

Article 6 When banking and insurance institutions engage in data processing activities, they must abide by laws and regulations, respect social morals and ethics, adhere to commercial and professional ethics, be honest and trustworthy, fulfill data security protection obligations, bear social responsibilities, and must not harm national security, political security, economic and financial security, or public interests, or violate the legitimate rights and interests of individuals and organizations.

Article 7 Banking and insurance institutions should coordinate development and security, implement the national big data strategy, promote the construction of data infrastructure, increase efforts in data innovation applications, promote the development of the digital economy with data as a key element, enhance the intelligence level of financial services, innovate inclusive financial service models, and strengthen the capacity to prevent and resolve risks.

Article 8 Banking and insurance institutions should continuously track emerging trends in data development, utilization, and technology, effectively address the potential conflicts of rules, social risks, and ethical risks that may arise from big data applications and technological innovation, and prevent data and technology from being misused or abused.

Chapter II Data Security Governance

Article 9 Banking and insurance institutions should establish a data security management organizational structure covering the board of directors (supervisory board), senior management, the data security coordination department, and the data security technology protection department, clarify job responsibilities and working mechanisms, and ensure resource support.
Article 10 Banking and insurance institutions should establish a data security responsibility system, with the Party Committee (Party group) and the board of directors (supervisory board) bearing primary responsibility for data security work in their respective units. The main leaders of banking and insurance institutions are the first persons responsible for data security, and the senior management personnel in charge of data security are the directly responsible persons. Institutions should clarify the responsibilities of leaders at all levels, specify violations and accountability matters, and implement an accountability and disposal mechanism.

Article 11 Banking and insurance institutions should designate a dedicated data security department as the primary department responsible for data security within the organization. Its main duties include:

(1) organizing the formulation of data security management principles, plans, systems, and standards;
(2) organizing the establishment and maintenance of data directories, and promoting the implementation of data classification and hierarchical protection;
(3) organizing data security assessments and reviews;
(4) coordinating the establishment of data security emergency management mechanisms, and organizing data security risk monitoring, early warning, and response;
(5) organizing data security dissemination and training to enhance employees' awareness and skills in data security protection;
(6) establishing and maintaining a coordinated management mechanism for internal data sharing, external data introduction, provision of data to external parties, and data export; leading the security management of external data suppliers; and coordinating the security requirements management of big data applications and data sharing projects;
(7) reporting important data security matters to the Party Committee (Party group), the board of directors (supervisory board), and senior management;
(8) other data security work items that need to be coordinated and managed.
Article 12 Banking and insurance institutions should clarify the data security management responsibilities of each business area according to the principle that "whoever manages the business manages its business data and the security of that data," and implement data security protection management requirements.

Article 13 The risk management, internal control and compliance, and audit departments of banking and insurance institutions are responsible for incorporating data security into the comprehensive risk management system and the internal control evaluation system, conducting regular audits, supervision checks, and evaluations, and urging problem rectification and accountability.

Article 14 The information technology department of banking and insurance institutions is the main department responsible for the technical protection of data security. Its responsibilities include:

(1) establishing a data security technical protection system, establishing a data security technical architecture and protection control baseline, and implementing technical protection measures;
(2) developing data security technical standards and regulations, and organizing data security technical risk assessments;
(3) organizing security management across the information system lifecycle, ensuring that data security protection measures are implemented in all phases, such as requirements, development, testing, production, and monitoring;
(4) establishing a data security technical emergency management mechanism, organizing technical monitoring, early warning, notification, and response to data security risks, and preventing external attacks, internal and external sabotage, and other activities that harm data security;
(5) organizing data security technical research and applications.
Article 15 Banking and insurance institutions should build a sound data security culture, conduct data security education and training for all staff, raise data security awareness and competence, and create an environment in which all staff collectively maintain data security and promote development.

Chapter III Data Classification and Hierarchical Protection

Article 16 Banking and insurance institutions should establish a data classification and hierarchical protection system, establish data directories and classification standards, dynamically manage and maintain the data directories, and implement differentiated security protection measures.

Article 17 Banking and insurance institutions should classify and manage the data obtained and generated in the course of their business and operations, including customer data, business data, operational management data, and system operation and security management data.

Article 18 Banking and insurance institutions should classify data into core data, important data, and general data according to its importance and sensitivity. General data is further subdivided into sensitive data and other general data.

Core data refers to important data with high coverage in a field, group, or region, or data with high accuracy, scale, and depth, which, once illegally used or shared, may directly affect political security, key areas of national security, national economic lifelines, major livelihoods, or major public interests.

Important data refers to data in specific fields, specific groups, or specific regions, or data with a certain accuracy and scale, which, once leaked, tampered with, or destroyed, may directly harm national security, economic operations, social stability, or public health and safety.

Sensitive data refers to data which, once leaked, tampered with, or destroyed, has a certain impact on economic operations, social stability, or public interests, or a significant impact on the organization itself or on individual citizens.
Any data not falling under the above categories is other general data.

Article 19 Banking and insurance institutions should strengthen the timeliness management of data security levels and establish a dynamic approval mechanism. When the business nature, importance, or potential harm level of data changes such that its original security level no longer applies, the security level should be adjusted in a timely manner.

Chapter IV Data Security Management

Article 20 Banking and insurance institutions should formulate data security protection strategies according to national data security and development policy requirements and their own development strategies. Banking and insurance institutions should develop data security management measures, clarify management responsibilities, establish a control mechanism covering the full lifecycle of data processing, and implement protection measures. Banking and insurance institutions should formulate detailed implementation rules for the security management of data imports, cooperative sharing, and data exports.

Article 21 Banking and insurance institutions should establish an enterprise-level data architecture, coordinate the overall registration and management of all data assets, establish a data asset map, clarify data protection objects on the basis of data classification and hierarchical protection, and implement security management around data processing activities.

Article 22 Banking and insurance institutions should conduct data security assessments before carrying out business activities involving sensitive and above-level data, or activities that have a significant impact on data subjects, such as delegated data processing, joint processing, transfer, public disclosure, and sharing.
Data security assessments should analyze data security risks and their impact on the rights and interests of data subjects according to the purpose, nature, and scope of the data processing and in accordance with legal and ethical norms, evaluate the necessity and compliance of the data processing, and evaluate the effectiveness of the data security risk prevention and control measures.

Article 23 Banking and insurance institutions should establish an enterprise-level data service management system, develop data service specifications, establish a dedicated data service team, coordinate internal and external data processing and analysis, and conduct activities such as data service needs analysis, service development, deployment, and monitoring.

Article 24 Banking and insurance institutions should adhere to the principles of "lawful, legitimate, necessary, and trustworthy" when collecting data, clearly define the purpose, method, scope, and rules for data collection and processing, and ensure the security and traceability of the collection process. Banking and insurance institutions should not collect data beyond the scope of the data subject's consent, except as otherwise provided by laws and regulations. Banking and insurance institutions collecting industry important-level and above data from other banking and insurance institutions do so with the approval of the China Banking and Insurance Regulatory Commission.

Article 25 Banking and insurance institutions should use information systems as the main channel for data collection, and limit or reduce other channels and temporary data collection. When banking and insurance institutions cease a financial business or service, they should immediately stop the related data collection and processing activities, except as otherwise provided by laws and regulations.
Article 26 Banking and insurance institutions should establish a centralized approval management system for external data procurement and cooperative introduction, incorporate it into the outsourcing risk management system for overall management, establish mechanisms for data demand, security assessment, collection and introduction, data operation and maintenance, registration and filing, and supervision and evaluation, investigate the authenticity and legality of data sources, evaluate the security capabilities of data providers and their data security risks, and clarify the data security responsibilities and obligations of both parties.

Article 27 When banking and insurance institutions conduct cleaning, transformation, aggregation, consolidation, analysis, or mining of sensitive and above-level data, they should use anonymization, de-identification, or other necessary security measures to protect the rights and interests of data subjects, except as otherwise provided by laws and regulations. When data aggregation or consolidation derives sensitive and above-level data, or changes the data security level, the security protection measures should be evaluated and adjusted in a timely manner.

Article 28 Banking and insurance institutions should strictly implement authorization management for sensitive and above-level data according to the principle of "business necessity", establish a closed-loop management mechanism for data access, and audit data access behavior. Where data needs to be extracted from the production environment for business reasons, a strict approval process should be established, and the period of data use or retention should be clearly defined. When banking and insurance institutions use the internet and other information networks to conduct data processing activities, they should implement the system requirements for network security level protection, protection of critical information infrastructure, and password protection.
Article 29 Banking and insurance institutions should conduct centralized security management of data sharing and usage, clarify enterprise-level data sharing strategies, and evaluate the necessity, compliance, security, and ethical conformity of data sharing and usage. Banking and insurance institutions should establish a data security isolation "firewall" between the bank's head office, insurance group, or parent company and its subsidiaries, and adopt effective protective measures for shared data. When banking and insurance institutions share sensitive and above-level data with their parent companies, groups, or subsidiaries, they should obtain the authorized consent of the data subjects, except as otherwise provided by laws and regulations. Financial services must not be terminated or refused because a data subject refuses to share sensitive data, except where the data is necessary for providing the products or services.

Article 30 Banking and insurance institutions should include data outsourcing in information technology outsourcing management; information technology management responsibility and data security responsibility cannot be outsourced during implementation. Information technology functions such as strategic management, risk management, internal auditing, and other functions related to core information technology competitiveness may not be outsourced. For supply chain services involving the processing of sensitive and above-level data, banking and insurance institutions should strengthen the admission and security management of suppliers.
Article 31 When banking and insurance institutions jointly process data with third-party institutions, they should develop plans according to the principle of "business necessity authorization", take effective management and technical protection measures to ensure data security, and clarify in a contract or agreement the data security responsibilities and obligations of both parties during the data processing.

Article 32 When a banking or insurance institution needs to transfer data due to merger, split, dissolution, or bankruptcy, the content of the data transfer should be clearly defined, the receiving party should fully assume the corresponding data security protection obligations through agreements, undertakings, or similar means, and the data subjects should be notified through announcements or other means. Data transfer should be carried out in a safe and reliable manner, and the transfer process should be traceable.

Article 34 Banking and insurance institutions providing sensitive and above-level data to external parties should obtain the consent of the data subjects, except as otherwise provided by laws and regulations. Apart from state organs performing their duties in accordance with the law, the cross-entity flow of core data of banking and insurance institutions should be subject to risk assessment and security review in accordance with relevant national policies.

Article 35 Banking and insurance institutions should establish an approval mechanism for the public disclosure of data, assess its potential impact, and ensure that data publicly disclosed through official channels is truthful, accurate, and protected against tampering.
Sensitive and above-level data should not be made public, except as otherwise provided by laws and regulations or with the consent of the data subjects.

When data processing is terminated, the service provider should be required to delete the data promptly, and effective supervision measures such as on-site inspections should be taken to ensure that the data is destroyed and cannot be recovered.

Chapter V Data Security Technology Protection

Article 39 Banking and insurance institutions should establish a data security technology protection system for diverse and heterogeneous environments such as big data, cloud computing, mobile internet, and the Internet of Things. They should establish a data security technology architecture, clarify data protection strategies and methods, adopt technical measures, and ensure data security.

Article 40 Banking and insurance institutions should incorporate data security protection into the information system development lifecycle framework, clearly define security protection requirements for sensitive and above-level data, and synchronize the planning, construction, and use of data security protection measures with information systems.

Article 41 Banking and insurance institutions should include data in network security level protection. They should divide the network into logical security zones according to data security levels, establish partitioned data security protection baselines, and implement effective security controls including content filtering, access control, and security monitoring, so that the measures meet the network security and data security protection requirements of the highest level of data handled and stored in each zone. Data centers and networks used for storing or transmitting sensitive and above-level data should implement key protection measures, establish physical security protection areas, and perform security monitoring and audits at network boundaries and on important network nodes.
Article 42 Banking and insurance institutions should include sensitive and above-level data in information system protection. Effective access control management measures should be implemented throughout the data lifecycle, and equivalent security protection measures should be implemented when data flows to or is shared with different regions. After aggregating sensitive and above-level data from multiple sources, security measures should be strengthened, or at least the highest level of protection strength applied to any source before aggregation should be maintained.

Article 43 Banking and insurance institutions should strictly manage sensitive and above-level data, establish policies for user access to data, adopt effective user authentication and access control technologies, regulate data operation behavior, and ensure that user access to data meets necessary business requirements and matches the data security level. Operations involving sensitive and above-level data should be logged, including the operation time, user ID, and behavior type. Core data operation logs and their backups should be kept for a minimum of three years, while logs for important data and sensitive data should be kept for at least one year. Logs of data operations involving delegated processing or joint processing should be kept for a minimum of three years. Data operation behavior should be audited regularly, with audit cycles not exceeding six months.

Article 44 Banking and insurance institutions should use secure transmission methods for sensitive and above-level data to ensure data integrity, confidentiality, and availability. When data is exchanged between banking and insurance institutions, all parties involved should take effective measures to ensure the confidentiality, integrity, accuracy, timeliness, and security of the transmitted and stored data.
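As an added illustration, not part of the Measures or of any institution's own code, the following Python module shows how a log-retention job could encode the Article 43 requirements: each record of an operation on sensitive and above-level data must carry the operation time, user ID, and behavior type; retention floors are three years for core data and for delegated or joint processing and one year for important and sensitive data; and audits of data operation behavior must occur at intervals of no more than six months. The field names, the 365-day year, the 183-day audit interval, and the sample records are assumptions of this example.

```python
"""Audit-log completeness, retention-floor and audit-cycle checks modelled on
Article 43 of the Measures. Field names and sample data are constructed."""
from datetime import date, timedelta
from typing import Dict, List, Tuple

# Article 43: every log entry must record operation time, user ID and
# behavior type. These key names are an assumption of this example.
REQUIRED_FIELDS = ("timestamp", "user_id", "action")

YEAR = 365  # days; a fixed-length year is a simplifying assumption
MIN_RETENTION_DAYS = {"core": 3 * YEAR, "important": YEAR, "sensitive": YEAR}
SHARED_PROCESSING_RETENTION_DAYS = 3 * YEAR  # delegated or joint processing
MAX_AUDIT_INTERVAL_DAYS = 183                # "not exceeding six months"


def missing_fields(record: Dict) -> List[str]:
    """Mandatory Article 43 fields that the record lacks or leaves empty."""
    return [f for f in REQUIRED_FIELDS if not record.get(f)]


def min_retention_days(data_level: str, processing: str = "internal") -> int:
    """Retention floor for a record, given the security level of the data the
    operation touched and whether it was delegated/joint processing."""
    if data_level not in MIN_RETENTION_DAYS:
        # The Measures set no log-retention floor for other general data.
        raise ValueError(f"no retention rule for data level {data_level!r}")
    days = MIN_RETENTION_DAYS[data_level]
    if processing in ("delegated", "joint"):
        days = max(days, SHARED_PROCESSING_RETENTION_DAYS)
    return days


def earliest_purge_date(record: Dict) -> date:
    """First date on which a log-rotation job may delete this record."""
    logged_on = date.fromisoformat(record["timestamp"][:10])
    days = min_retention_days(record["data_level"],
                              record.get("processing", "internal"))
    return logged_on + timedelta(days=days)


def purge_violations(records: List[Dict], purge_on: date) -> List[str]:
    """IDs of records that a purge run on `purge_on` would delete before
    their retention floor has passed."""
    return [r["id"] for r in records if purge_on < earliest_purge_date(r)]


def audit_gaps(audit_dates: List[date], today: date) -> List[Tuple[date, date]]:
    """(start, end) pairs where consecutive audits, or the last audit and
    today, are more than six months apart."""
    points = sorted(audit_dates) + [today]
    return [(a, b) for a, b in zip(points, points[1:])
            if (b - a).days > MAX_AUDIT_INTERVAL_DAYS]


# Constructed sample log; L3 is deliberately missing its user ID.
SAMPLE_LOG = [
    {"id": "L1", "timestamp": "2024-01-10T09:15:00", "user_id": "u1001",
     "action": "export", "data_level": "sensitive"},
    {"id": "L2", "timestamp": "2024-01-10T09:16:00", "user_id": "u1001",
     "action": "query", "data_level": "core"},
    {"id": "L3", "timestamp": "2024-01-10T09:17:00", "user_id": "",
     "action": "modify", "data_level": "important"},
    {"id": "L4", "timestamp": "2024-01-10T09:18:00", "user_id": "vendor-07",
     "action": "read", "data_level": "sensitive", "processing": "delegated"},
]


def review(records: List[Dict], purge_on: date,
           audit_dates: List[date], today: date) -> Dict[str, list]:
    """Summarise the three Article 43 checks over a batch of records."""
    return {
        "incomplete": [r["id"] for r in records if missing_fields(r)],
        "premature_purge": purge_violations(records, purge_on),
        "audit_gaps": audit_gaps(audit_dates, today),
    }


if __name__ == "__main__":
    audits = [date(2024, 1, 15), date(2024, 6, 30), date(2025, 3, 1)]
    print(review(SAMPLE_LOG, date(2025, 6, 1), audits, date(2025, 5, 1)))
```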
Article 45 Banking and insurance institutions should implement secure storage measures for sensitive and above-level data to prevent attacks such as ransomware and trojans. Personally identifiable data should not be stored, transmitted, or displayed in plain text. Sensitive and above-level data should have disaster recovery backups and undergo periodic recoverability testing.

Article 46 After the usage or storage period of sensitive and above-level data expires, technical measures should be taken to promptly delete or destroy the data so that it cannot be recovered. Sensitive and above-level data on end terminals and mobile storage media should be covered by technical protection measures that ensure controlled, secure access. When such media are discarded or reused, the data stored on them should be completely erased and unrecoverable.

Article 47 Banking and insurance institutions should establish the technical infrastructure for data security, providing componentized and service-oriented functions for user identity management, data anonymization, behavior monitoring, log auditing, and data virtualization, so that the security standards executed across information systems are consistent.

Article 48 When developing information systems, banking and insurance institutions should clearly define the data to be processed, its security levels, access rules, and protection requirements, and implement effective system security controls. Security testing should be conducted before a system goes into production to ensure that all security requirements are implemented and data security risks are effectively prevented. Testing environments should be isolated from production systems, and sensitive and above-level data should in principle not enter testing environments without desensitization, to prevent data leaks.
Article 49 Banking and insurance institutions should provide special protection measures for big data platforms, such as high-availability design, security hardening, and data backup. Access authorization mechanisms for big data services should be established, and access behavior on big data platforms should be dynamically monitored and audited.

Article 50 When conducting automated decision analysis, model and algorithm development, data labeling, and similar activities, banking and insurance institutions should ensure transparency in data processing and fairness in results. They should manage the development and application of artificial intelligence models in a unified manner, establish admission mechanisms for model algorithms introduced from external sources, actively manage the model development process, and ensure that models are verifiable, auditable, and traceable.

Article 51 Before putting information systems and model algorithms into use, banking and insurance institutions should conduct data security reviews examining the reasonableness, legitimacy, and interpretability of the data and model usage, the impact of the data utilization on the legitimate rights and interests of relevant parties, ethical and moral risks, and the effectiveness of the prevention and control measures.

Article 52 When using artificial intelligence technology in business operations, banking and insurance institutions should explain and disclose the influence of data on decision results, monitor automated processing and system operation results in real time, establish risk mitigation measures for artificial intelligence applications, formulate alternative exit strategies for artificial intelligence applications, create emergency plans for security threats, and conduct drills.
Article 53 When building open banking or financial ecosystems, or cooperating with third parties on data, banking and insurance institutions should isolate themselves from external security risks, and data exchanges with external institutions should be carried out through centrally managed external link platforms or APIs. Effective measures should be taken to manage interface design, development, service, and operation through centralized security protection management based on the principle of "business necessity, least privilege".

Chapter VI Personal Information Protection

Article 54 Banking and insurance institutions should handle personal information in accordance with the principles of "clear notification, consent, and lawfulness" and should not collect, use, or disclose personal information without the individual's permission. Personal information should be effectively protected from misuse, unauthorized access, disclosure, alteration, or destruction. The principle of "authorized consent" shall be implemented, except where otherwise provided by laws and administrative regulations, and the corresponding functional controls shall be implemented in information systems.

Article 55 Banking and insurance institutions shall process personal information for clear and reasonable purposes and in a manner directly related to those purposes; the collection of personal information shall be limited to the minimum scope necessary to achieve the processing purposes of the financial business, and personal information shall not be collected excessively. Collected personal information shall not be used for illegal activities.
Article 56 Before processing personal information, banking and insurance institutions shall truthfully, accurately, and completely inform individuals of the purposes of processing their personal information, the processing methods, the types of personal information processed, the retention periods, the procedures for individuals to exercise their information rights, and other matters that must be disclosed under laws and regulations. Banking and insurance institutions shall establish rules for the processing of personal information, which should be publicly displayed, easily accessible, clear, and easy to understand.

Article 57 Banking and insurance institutions shall not refuse to provide products or services to individuals on the grounds that they do not agree to the processing of their personal information or have withdrawn their consent, unless the processing of personal information is necessary for providing the products or services.

Article 58 When conducting personal information processing activities that have a significant impact on individuals' rights, banking and insurance institutions shall conduct a personal information protection impact assessment covering the legality and necessity of the processing, the impact on individuals' rights and the security risks, and the legality and effectiveness of the protection measures and whether they are proportionate to the level of risk. The report and records of the personal information protection impact assessment shall be retained for at least three years.

Article 59 Where banking and insurance institutions share personal information with their parent banks, groups, or subsidiary banks and companies, or provide personal information to external parties, they shall fulfill their obligations to inform individuals and obtain their consent for the relevant matters.
Article 60 When banking and insurance institutions provide personal information to recipients outside the People's Republic of China, they shall inform individuals of the manner and procedure for exercising their information rights against the overseas recipient, unless laws and regulations provide otherwise.

Article 61 When banking and insurance institutions entrust third parties to process personal information, they shall clearly define in the contract or agreement the entrusted party's obligations, protection measures and time limits regarding personal information protection, and shall strictly supervise the entrusted party so that it processes personal information only for the agreed purposes and by the agreed methods. The transmission of sensitive personal data to third parties must be secured so as to prevent the risk of data misuse and leakage. Without the consent of the banking or insurance institution, the entrusted party shall not further entrust others to process the personal information.

Article 62 When banking and insurance institutions design algorithms, select training data and generate models, they shall take effective measures to safeguard the legitimate rights and interests of individuals. When using personal information for automated decision-making, they shall ensure the transparency of the decisions and the fairness of the results.

Article 63 Where personal information has been or may be leaked, tampered with or lost, banking and insurance institutions shall immediately take remedial measures, notify the individuals concerned, and report to the China Banking and Insurance Regulatory Commission or its local agencies. The notification shall include:
(1) the types of information leaked, tampered with or lost, the causes, and the harm that may result;
(2) the remedial measures taken by the banking or insurance institution and the measures individuals can take to mitigate the harm.
If the measures taken by the banking or insurance institution can effectively prevent the harm caused by the leakage, tampering or loss, the individuals need not be notified; however, if the regulatory authority considers that harm may occur, it has the right to require the institution to notify the individuals.

Chapter VII Data Security Risk Monitoring and Handling

Article 64 Banking and insurance institutions shall incorporate data security risk into their comprehensive risk management system and define the organizational structure and management processes for data security risk monitoring, risk assessment, emergency response and reporting, and incident handling, so as to prevent and address data security risks effectively.

Article 65 Banking and insurance institutions shall effectively monitor data security threats, conduct supervision and inspections, proactively assess risks, and prevent security incidents such as data tampering, destruction, leakage and illegal use. Monitoring shall cover:
(1) unauthorized access to or use of privileged system accounts;
(2) abnormal access to or use of data by internal personnel;
(3) network security and data security threats to systems or platforms where data is centrally shared;
(4) abnormal flows of data at the sensitive level or above between regions;
(5) abnormal use of mobile storage media;
(6) abnormal data processing, or data leakage, loss or tampering, in outsourcing and third-party cooperation;
(7) customer complaints related to data security;
(8) negative public opinion concerning data leakage, fraud and the like;
(9) other situations that may lead to data security incidents.

Article 66 Banking and insurance institutions shall conduct a data security risk assessment annually. The audit department shall conduct a comprehensive data security audit at least once every three years, and a special audit shall be conducted after a major data security incident.
When banking and insurance institutions engage professional organizations to conduct data security audits, they shall not at the same time use products or other services provided by those organizations.

Article 67 Data security incidents are events in which the data of banking and insurance institutions is tampered with, leaked, destroyed, illegally obtained or illegally used, adversely affecting the legitimate rights and interests of individuals or organizations, industry security, or national security. According to the scope and severity of their impact, they are classified into four levels: particularly serious, serious, moderate and general.

Article 68 Banking and insurance institutions shall establish an emergency management mechanism for data security incidents, set up internal coordination mechanisms, establish a reporting mechanism for data security incidents involving service providers and third-party cooperating institutions, and promptly address risks and security incidents.
(1) Develop emergency response plans for data security incidents and conduct regular emergency response training and drills.
(2) After a data security incident occurs, immediately initiate emergency response, analyze the causes of the incident, assess its impact, classify it, and take timely business, technical and other measures in accordance with the plan to bring the situation under control.
(3) Establish a data security incident reporting mechanism, formulate reporting procedures according to the level of the incident, report incidents as required, and, in accordance with the relevant provisions of contracts, agreements and the like, fulfill the duty to inform customers and cooperating parties.
(4) In the event of a data security incident, or of security vulnerabilities or flaws in the network products and services used, immediately investigate and assess them and take timely remedial measures to prevent the harm from spreading.
If a provider of network products and services conceals security flaws and vulnerabilities without reporting them, the banking or insurance institution shall order it to make corrections; if it fails to make corrections as required or causes serious consequences, its service qualification shall be revoked, penalties shall be imposed in accordance with the contract, and a report shall be submitted to the China Banking and Insurance Regulatory Commission or its dispatched agencies.

Article 69 When a data security incident occurs, banking and insurance institutions shall report to the China Banking and Insurance Regulatory Commission or its dispatched agencies within 2 hours, and submit a formal written report within 24 hours of the incident. In the event of a particularly serious data security incident, banking and insurance institutions shall immediately take disposal measures, inform users in a timely manner as required, and report to the China Banking and Insurance Regulatory Commission or its dispatched agencies as well as to the local public security organs. Banking and insurance institutions shall report on the progress of disposal every 2 hours until disposal is completed. After the data security incident has been dealt with, banking and insurance institutions shall, within five working days, submit to the China Banking and Insurance Regulatory Commission or its dispatched agencies a report covering the incident, an evaluation of its disposal, a summary, and improvements. Banking and insurance institutions shall also comply with any other laws and administrative regulations governing the emergency handling of data security incidents.
Chapter VIII Supervision and Management

Article 70 The China Banking and Insurance Regulatory Commission and its dispatched agencies supervise and manage the data security protection of banking and insurance institutions: they conduct off-site supervision and on-site inspections, incorporate data security management into the regulatory rating and evaluation system, impose penalties and disposal measures on data security incidents of banking and insurance institutions in accordance with the law, and exercise continuous supervision over data security management.

Article 71 In accordance with the national requirements for data categorization and classification, the China Banking and Insurance Regulatory Commission shall establish a directory of important data for the banking and insurance industries, propose recommendations for the core data directory, and supervise and guide banking and insurance institutions in carrying out data categorization and classification management and data protection. Banking and insurance institutions shall submit their directories of important data to the China Banking and Insurance Regulatory Commission or its dispatched agencies as required, and shall promptly report any significant changes to those directories.

Article 72 The China Banking and Insurance Regulatory Commission shall establish a data security monitoring and early warning mechanism for the banking and insurance industries, continuously monitor data security risks, issue risk alerts to the industry, formulate emergency plans for data security incidents in the banking and insurance industries, and handle data security risk events. It shall also establish a joint prevention and control mechanism with the national data security management department, covering data security information sharing, risk monitoring and early warning, and data security incident handling.
Article 73 For data sharing, entrusted processing, transfer transactions and data transfers that involve batches of data at the sensitive level or above, banking and insurance institutions shall report to the China Banking and Insurance Regulatory Commission or its dispatched agencies 20 working days before the processing begins or the contract is signed, unless laws or administrative regulations provide otherwise.

Article 74 Banking and insurance institutions shall submit a data security risk assessment report for the previous year to the China Banking and Insurance Regulatory Commission or its dispatched agencies by January 15 of each year. The report shall cover data security governance, technical protection, data security risk monitoring and disposal measures, data security incidents and their disposal, entrusted and joint processing, cross-border data transfers, data security assessments and reviews, and data security-related complaints and their handling.

Article 75 The China Banking and Insurance Regulatory Commission and its dispatched agencies conduct on-site inspections and incident investigations into the data security protection of banking and insurance institutions, and investigate units and individuals suspected of illegal or irregular activities in accordance with the law. On-site inspections and incident investigations may be assisted by relevant national or industry-level professional technical institutions or audit institutions.

Article 76 If a banking or insurance institution violates the requirements of these measures, the China Banking and Insurance Regulatory Commission or its dispatched agencies may, depending on the circumstances of the violation, take regulatory measures such as risk alerts, supervisory talks, supervisory notices, or orders for correction, or suspend or terminate the services of the systems or applications involved in the irregular processing.
For third-party institutions that commit major violations of laws and regulations, fail to report or disclose data security incidents and cases in a timely manner, or give rise to significant data security risks, incidents or cases, industry notices shall be issued, and banking and insurance institutions shall be ordered to suspend or terminate cooperation with them.

Article 77 If a banking financial institution violates these measures, the China Banking and Insurance Regulatory Commission and its dispatched agencies may, in accordance with the relevant provisions of the Banking Supervision and Management Law of the People's Republic of China, order it to make corrections and impose a fine of not less than 200,000 yuan and not more than 500,000 yuan; in particularly serious cases, or where corrections are not made within the deadline, the institution may be ordered to suspend operations for rectification or have its operating license revoked. Depending on the circumstances of the violation, the directly responsible directors, senior managers and other directly responsible persons may be given disciplinary sanctions; where the institution's conduct does not constitute a crime, the directly responsible directors, senior managers and other directly responsible persons may be given warnings and fined not less than 50,000 yuan and not more than 500,000 yuan; the directly responsible directors and senior managers may have their qualifications to hold office revoked for a fixed period or for life, and the directly responsible directors, senior managers and other directly responsible persons may be prohibited from working in the banking industry for a fixed period or for life. Where a crime is committed, criminal liability shall be pursued in accordance with the law.
If an insurance financial institution violates these measures, the China Banking and Insurance Regulatory Commission and its dispatched agencies may, in accordance with the relevant provisions of the Insurance Law of the People's Republic of China, order it to make corrections and impose a fine of not less than 5,000 yuan and not more than 30,000 yuan; in serious cases, its business scope may be restricted, it may be ordered to stop accepting new business, or its business license may be revoked. Depending on the circumstances of the violation, the directly responsible directors and other directly responsible persons may be given warnings and fined not less than 1,000 yuan and not more than 10,000 yuan; in serious cases, their qualifications to hold office may be revoked. Where a crime is committed, criminal liability shall be pursued in accordance with the law. If the Banking Supervision and Management Law of the People's Republic of China or the Insurance Law of the People's Republic of China is revised during the implementation of these measures, the revised provisions shall prevail.

Article 78 The China Banking Association, the Insurance Association of China and other industry organizations shall assist in guiding member institutions to improve their data security management through publicity, training, self-discipline, coordination and services.

Chapter IX Supplementary Provisions

Article 79 These measures shall be interpreted and revised by the State Administration of Financial Supervision and Administration.

Article 80 Other banking financial institutions, insurance financial institutions and financial holding companies approved by the State Administration of Financial Supervision and Administration, as well as units under the Administration's management, shall comply with these measures. Financial organizations approved by local financial management departments shall comply with these measures by reference.
Article 81 These measures shall come into effect on the date of promulgation, and the "Data Security Measures for Banking and Insurance Institutions" (CBIRC Document [2022] No. 118) shall be repealed at the same time.

This article is excerpted from the official website of the State Administration of Financial Supervision and Administration, edited by GMTEight: Chen Xiaoyi.