Guiding Opinions concerning Using Secure and Controllable Information Technology and Strengthening Cybersecurity and Informatization in the Banking Sector
China Banking Regulatory Commission, National Development and Reform Commission, Ministry of Science and Technology, Ministry of Industry and Information Technology
All Banking Regulatory Bureaus, all provincial (autonomous region, municipal and plan-listed city) development and reform commissions, science and technology offices (committees, bureaus), controlling bodies for industry and information technology, all policy banks, all State-owned commercial banks, shareholding-type commercial banks, financial asset management companies, savings banks, all provincial-level rural credit cooperatives, trust companies directly subordinate to banking supervision commissions, enterprise groups’ financial companies, finance and lease companies:
In order to further implement the strategy of innovation driving development, enhance the banking sector’s security protection capacity and informatization levels, promote the deepening of reform and transformation of development in the banking sector, and stimulate the development of new strategic industries, hereby, the following Guiding Opinions concerning the use of secure and controllable information technology and strengthening cybersecurity and informatization in the banking sector are put forward.
I, General objectives
Establish long-term mechanisms for the use of secure and controllable information technology in the banking sector, formulate supplementing policies, establish driving platforms, forcefully expand the use of information technologies that can satisfy the information security needs of the banking sector, in which technological risks, outsourcing risks and supply chain risks are controllable. By 2019, grasp core knowledge and key technologies for informatization in the banking sector; ensure that key network and infrastructure in the banking sector is arranged rationally, and that the concentration of risk in key equipment and services is effectively dissolved; secure and controllable technology in the banking sector is to reach a utilization rate of about 75 per cent, and the cybersecurity protection capability in the banking sector is to be clearly strengthened; informatization levels are to increase steadily, in order to ever better protect the rights and interests of consumers and safeguard economic and social security and stability.
II, Guiding principles
(1) Persist in openness and cooperation. Be tolerant and open-minded, bring together the wisdom and strength from all sides, give preference to using technologies and solutions with strong openness, high transparency and broad usage, give preference to choosing bodies that are willing to engage in cooperation in the areas of core knowledge and key technology, and avoid reliance on one single product or technology.
(2) Encourage indigenous innovation. Fully understand the importance of the strategy of innovation driving development, encourage original innovation, integration innovation and re-innovation after import, build efficient and firm common key technology supply systems, and grasp core informatization knowledge and crucial technologies in the banking sector.
(3) Give rein to the role of markets. Accelerate the establishment of efficient innovation systems, arouse the vigour of all kinds of innovation subjects, foster and drive markets with the informatization demands of the banking sector, stimulate the transformation of the banking sector’s development through the development of the information industry, actively grasp development opportunities for new technologies, promote the innovative development of informatization in banks, and stimulate the expansion and strengthening of the information industry.
(4) Strengthen coordination and cooperation. Comprehensively plan matters, strengthen coordination and cooperation between policy, industry, scholarship and research, build a beneficial interactive environment for the research, development and application of secure and controllable information technology, shape a virtuous circle of “demand pull, industrial push and research drive”.
III, Tasks and requirements
(1) Perfect information, science and technology governance mechanisms. The banking sector and financial bodies shall make enhancing their network security protection capabilities and informatization capabilities into strategic objectives, and bring the use of secure and controllable information technology into strategic plans; establish structures and systems directed towards security and controllability, as well as indigenous innovation, clarify objectives, policies and division of duties; strengthen the innovation of organizational construction and talent fostering, and protect innovation resources; move forward with indigenous design of integrated frameworks, the indigenous research and development of core applications, the indigenous control of core knowledge, the indigenous application of key technologies and other such focus tasks in an orderly manner.
(2) Optimize information system structures. The banking sector and financial bodies shall establish secure, reliable, efficient, open and elastic information system frameworks; they shall fully consider security and controllability in the process of framework planning and design, grasp the power to choose key technologies, and avoid reliance on single technologies and products in the area of key information and network infrastructure. Plan and construct systemic frameworks for business continuity from a strategic angle; there shall be at least one kind of data-level or application-level business continuity plan for storage, back-up, archival and disaster-proofing, etc., based on secure and controllable information technology frameworks.
(3) Give priority to the use of secure and controllable information technology. The banking sector and financial bodies shall objectively evaluate their own informatization needs and information technology risks, carry out differential analysis, and formulate plans to move application forward on an annual basis; establish scientific and rational conceptions for information technology and product selection, choose technologies and products matched to the informatization needs of that work unit, and avoid stubborn pursuit of size and perfectionism. In information processing segments involving sensitive user data, priority shall be given to the use of secure and reliable information technologies and services with controllable risk; the current focus is to be on vigorous progress in areas such as network facilities, storage, middle and low-end servers, information security, operational services, word processing software and other such areas; exploration and trials must be strengthened in areas such as operating systems, databases, etc.; from 2015 onwards, all financial bodies in the banking sector must increase their use of secure and controllable technology with a proportion of no less than 15% per year, and achieve an overall proportion of no less than 75% in 2019 (technologies and products adopted in 2014 are included in the numbers for 2015).
(4) Vigorously promote indigenous innovation in information technology. The banking sector and financial bodies shall vigorously try out and use secure, reliable and indigenously innovated information technologies, put forward demands for improvement through usage, and strengthen the adaptability and robustness of innovative technologies; and explore the acceleration of the adoption, shake-down, adaptation and systemic optimization of indigenously innovated information technologies through uniform standards, comprehensive product planning, joint tackling of key problems, trials, demonstrations, etc. If, in the process of technology selection, secure and reliable indigenously innovated products and technologies exist, at least one group of these products and technologies will be entered into the selection and survey process; suppliers providing exclusive equipment or integrated solutions shall be required to use at least one secure and reliable indigenously innovated product or technology for the software or hardware used in their plans.
(5) Vigorously participate in research and development of secure and controllable information technologies. The banking sector and financial bodies shall strengthen collaboration with industry bodies, universities and scientific research bodies, jointly carry out research, development and production of key technologies, focus on key issues of the usage of secure and controllable information technologies in the banking sector, carry out technological collaboration, implement technological transformation, and shape high-quality scientific and technological achievements valuable for extension across the sector; strengthen research in core applications and basic frameworks, operating systems, databases, intermediate parts, specialized equipment for the banking sector and other such areas, focus on making breakthroughs in key technologies inhibiting the development of security and controllability. From 2015 onwards, financial bodies in the banking sector shall arrange for no less than 5% of the annual informatization budget to be especially used to support long-term, innovative and programmatic research concerning security and controllability involving that body, and to support that body’s grasp of key informatization knowledge and skills.
(6) Strengthen the construction of intellectual property rights protection and standards. The banking sector and financial bodies shall strengthen their consciousness of intellectual property protection, and apply in a timely manner for technology patent protection of all research achievements; they shall vigorously participate in the research and formulation of all kinds of technological standards, and move forward the standardization and patenting of secure and controllable information technologies.
IV, Major measures
(1) Establish information security examination and risk assessment systems in the banking sector. Establish supplementary policies suited to the information security demands of the banking sector, on the basis of State policies concerning cybersecurity inspection, establish cybersecurity examination standards for the banking sector, and strengthen the security monitoring of information technologies and products exclusively used in the banking sector; establish regularized risk assessment systems, establish risk identification, assessment and control mechanisms for information technology in the process of application in the banking sector, strengthen surveys of functioning, capacity and security; closely follow the situation of application of secure and controllable information technology, establish error databases and risk databases, and incessantly stimulate the perfection of technology through application in the sector.
(2) Establish platforms for secure and controllable information technology to land and move ahead in the banking sector. Build strategic alliances for innovation in secure and controllable information technology in the banking sector, build technology laboratories and State project laboratories, research and unearth opportunities and requirements for the use of secure and controllable information technologies in the banking sector, coordinate among financial bodies in the banking sector, information technology enterprises, universities, research bodies, etc., to jointly move the research and expansion of secure and controllable information technology forward.
(3) Organize and carry out demonstration projects for secure and controllable information technology in the banking sector. Organize and carry out applied demonstrations of secure and controllable information technology in the banking sector, and organize and promote the banking sector to launch research on security and controllability aimed at the long-term, in integration with other projects on national information security, State plans concerning science and technology and State financial support; strengthen interdepartmental coordination, strengthen policy coordination, strengthen support for the banking sector to use secure and controllable technology, incessantly perfect secure and controllable information technology in the banking sector, and create market space for secure and controllable information technology.
(4) Formulate guidelines to move forward the use of secure and controllable technology in the banking sector. With the support of strategic alliances for innovation in secure and controllable information technology for the banking sector, technology laboratories and State project laboratories, analyse the usage requirements of the banking sector, resolve common problems, successively formulate guidelines to move matters forward, and make more detailed the areas to move forward in, focus information technologies and products, as well as plans of action. All levels’ controlling bodies for industry and information technology shall recommend appropriate technologies, products, services and model solutions, to promote the linkage of requirements.
(5) Sustained supervision and evaluation. Establish supervision and evaluation mechanisms for the usage of secure and controllable information technology in the banking sector, evaluate the maturity of security and controllability capabilities through the adoption rates of secure and controllable technology, indigenous control rates of important systems, the usage rates of indigenously innovated information technology and other such indicators; annually assess the usage situation of secure and controllable information technology in the banking sector and financial bodies, and include the assessment outcomes in the information science and technology supervision and management grading of bodies included in the supervision, management and grading system.
3 September 2014.