Enforcement of China’s Multi-Level Protection Scheme: The rapid roll-out of cyber security compliance
Control Risks has seen a significant increase in activity across China relating to the Multi-Level Protection Scheme (MLPS) certification. This cyber security standard, driven by national security and social stability concerns, mandates risk-driven cyber security controls and documented governance and oversight. Companies operating in China should evaluate their associated exposure and prepare for the MLPS certification process or face heightened compliance risks such as audits and police-led inspections.
Maturing regulation and increasing regulatory risk in China
Since the 2017 inception of the Cyber Security Law (CSL), China has rapidly developed its regulatory regime for technology and information handling. A series of standards and guidelines were introduced in 2018 and 2019 to further define the scope of the regulations and their requirements. In 2020, after two years of supporting regulations and the development of drafts for comment, regulators, particularly the Ministry of Public Security, are shifting their efforts to regulatory enforcement.
The Multi-Level Protection Scheme (MLPS) applies to virtually all organisations in China and is a significant cyber security compliance concern for domestic and international companies that operate in the country. At the end of 2019, a substantial update to the original MLPS was finalised. This second iteration, known as MLPS 2.0, was developed to fix what regulators saw as a significant problem in China’s rapid adoption of technology – poor cyber security. The regulation was developed and is enforced by the Ministry of Public Security (MPS) via its district-level Public Security Bureaus (PSB – the local police).
Growing concern from companies about MLPS certification
MLPS 2.0 is a complex technology standard that requires companies to assess the current state of their information and operations technology systems and the risks associated with them. While the standard is largely aligned with cyber security best practices, its scope is broader, covering management and governance among other things, and its requirements are prescriptive. The control requirements are not limited to technology; they include business and management functions such as governance and human resources.
As with the earlier version of MLPS, it sets five levels for cyber security based on risk. The individual systems are provisionally assigned a “level” based on the potential impact of a data breach or system compromise. This is essentially an impact-based risk analysis and is one of the key differences in approach between Chinese and international cyber security standards.
Levels range from 1 to 5, with 5 reserved for sensitive government facilities and systems. The systems’ level will determine the security-control requirements across several domains. Higher levels have more stringent security requirements.
Systems classified as Level 2 or above require an independent assessment by a specialised, licensed Chinese audit firm. Once the auditor has attested that the classification is correct and the associated controls are compliant with the standard, final certification will be issued by the local district-level PSB.
The MLPS certification process presents two challenges to companies operating in China:
- Given the broad scope of the MLPS regulation, the “expert review” (i.e. third-party audit) can be invasive. The audit process is new and the auditors inexperienced. This may lead to unanticipated risks to information and operations.
- Failure to obtain an MLPS certification is not an option, as certification is mandatory. Not having a certification opens firms up to regulatory sanctions such as fines and, in extreme cases, the loss of their operating licences. An incomplete or problematic certification process will bring more active regulatory oversight from the police, including inspections and closer scrutiny of information and systems.
Compliance is security
Control Risks has seen a significant increase in activity around MLPS certification across China. Local PSBs have contacted foreign companies and instructed them to pursue MLPS certification. The local PSBs have also informally given these firms notice of MLPS-related inspections and external cyber security tests, and major Chinese companies are undergoing the certification process.
The MLPS standard has been quickly adopted by other agencies and regulators as a means of establishing companies’ overall technology and information security. Although it is still too early to understand the penalties to which a company may be subjected, Control Risks understands some regulators have made business-licence renewal conditional on firms successfully attaining an MLPS 2.0 certification.
Foreign companies therefore urgently need to develop a clear understanding of what the certification process entails, the likely MLPS designations for their systems in China, and the security and operational requirements for MLPS on which they will be assessed.
While the level of regulatory activity around MLPS may appear surprising given that China is recovering from the impact of the COVID-19 pandemic, it underscores the importance of MLPS from a policy perspective. Since the inception of the CSL, Control Risks has focused on the policy drivers behind China’s technology and information regulatory regime. National security and social stability are key drivers for the CSL, and the MLPS standard is its most comprehensive manifestation.
In an increasingly uncertain world, China’s policy makers are moving decisively to mitigate the cyber security risks that they view as a threat to the economy, society, and national security. Given that the MLPS programme is the most mature and comprehensive regulation that aims to address general cyber security risks, it is both a critical initiative and a significant compliance concern for companies operating in China.