The Ministry of Finance and the Cyberspace Administration of China recently jointly drafted and issued the “Interim Measures for the Management of Data Security in Accounting Firms (Draft for Solicitation of Comments)”, aiming to strengthen the management of data security in accounting firms and regulate their data processing activities.
Recall that in May of this year the Ministry of Finance, the State-owned Assets Supervision and Administration Commission of the State Council, and the China Securities Regulatory Commission jointly issued the “Measures for the Selection of Accounting Firms for State-owned Enterprises and Listed Companies”, which listed information security management as one of the evaluation factors in selecting an accounting firm. Those measures explicitly require state-owned enterprises and listed companies to review the information security management capabilities of accounting firms during selection, and to include separate clauses in the engagement contract that spell out the responsibilities and requirements for information security protection. Accounting firms, for their part, must fulfil their information security obligations and regulate their data processing activities in accordance with laws, regulations, and the contract.
Whereas the May measures work from the customer side, pushing accounting firms to raise their security management capabilities and curbing vicious competition in the industry, the “Measures” issued this time go a step further and directly prescribe the data security obligations of accounting firms in their day-to-day business.
Specifically, the “Measures” will affect the relevant data processing activities involved in the audit business and cross-border audit business conducted by accounting firms established in China, including: providing audit services to listed companies and non-listed state-owned financial institutions, central enterprises, etc.; and conducting cross-border audit business.
The “data” focused on by the “Measures” refers to any information records obtained from external sources or generated internally by accounting firms in the process of performing audit business, whether in electronic or other forms.
The “Measures” designate the chief partner (chief accountant) of the accounting firm as the person responsible for data security in the firm, and set out three main obligations:
1. Data Localization
Storage Location: The audit work papers and related data of accounting firms should be stored domestically and not backed up overseas.
Storage Period: The relevant information systems, databases, network equipment, network security equipment, etc., should have access logging configured and enabled. Logs should be stored domestically; user login and access logs should be retained for no less than ten years, and other logs for no less than six months.
Storage Operations and Maintenance: The encryption devices for audit work papers and related data should be deployed and maintained domestically by domestic teams, and the keys should be stored domestically.
2. Data Classification and Grading
Accounting firms should agree classification and grading requirements for audit materials with the audited entities, through business agreements or similar instruments. The classification and grading of audit materials should be consistent with the classification and grading the audited entity applies to the corresponding materials.
Core Data: Accounting firms should establish a core data protection mechanism: store core data in dedicated internal storage on dedicated servers or on the firm's own private cloud platform, transmit it using technologies such as encrypted virtual private networks, establish authorization and record-keeping mechanisms for the storage, reading, and transfer of core data, and ensure these mechanisms operate effectively.
Important Data: Accounting firms should formulate and implement standardized handling procedures, store important data in information systems isolated from the Internet, and strictly limit the range of personnel with access.
General Data: Accounting firms should adopt role-based authorization access control and authorize according to the principle of least privilege.
3. Cross-border Data Transfer
Audit work papers formed domestically should be stored domestically. If they need to be taken abroad, approval procedures should be handled in accordance with relevant national regulations.
Business agreements and similar contracts must not contain provisions under which the accounting firm provides domestic project data to overseas regulatory agencies.
Copyright belongs to the original author. If reprinted, please cite the source: https://www.ciocso.com/article/472991.html