Accounting firms should conduct risk assessments of clients to avoid falling foul of China’s cybersecurity law

Accounting firms operating in China must remain vigilant if they are to avoid the risk of indirect association with a client who violates China’s cybersecurity law

Jason Yau, Partner, Technology and Management Consulting, RSM Hong Kong

A new cybersecurity law to be implemented across China in June will target critical information infrastructure (CII) and network providers, increasing the depth to which operators must work with crime and national security investigations.

“Bigger accounting firms with diversified service lines such as big data or cloud computing would be subject to the new cybersecurity law,” says BDO senior manager of Risk Advisory Ricky Liu. “Accounting firms and all other businesses need to conduct risk assessments of their clients and business partners to reduce the likelihood of unknowingly aiding in illegal cyber activities,” Liu adds.

The law's scope is wide and vague, which means many come under its umbrella. “The ambiguity that lies in the language would allow regulators to expand the scope when deemed necessary, and we therefore believe that accounting firms fall under scope, as a lot of sensitive client data are being transferred, reviewed and retained by accounting firms,” says Jason Yau, partner, Technology and Management Consulting, RSM Hong Kong.

Indeed, firms that serve clients from a variety of industries should stay extra vigilant, says BDO director and head of Risk Advisory Ricky Cheng. “There is a risk of indirect association with a client who violates the China cybersecurity law, potentially resulting in the accounting firm being asked to provide sensitive client information,” says Cheng.

Firms may need to carry out risk assessments for clients, and put standard operating procedures in place, particularly for those engaged in cross-border data transfer, or in critical infrastructure, with a non-exhaustive list including information services, energy, transportation, water, finance, scientific research, manufacturing, medical and health, and social security.

CII operators must store personal information and important business data inside China, and may be subject to an additional security assessment if they want to transfer data outside of China. In the face of this new legislation, accounting firms will need to take a proactive stance.
