China Securities Association Launches Industry Survey on Broker IT Implementation

Deep News
Feb 05

The China Securities Association (CSA) is currently surveying securities firms regarding their information technology status. It is understood that several years ago, the CSA rolled out a three-year plan for securities companies' IT development, which has now reached its completion date. The association is now assessing the implementation progress of this plan among brokers.

The survey covers the fulfillment of over 70 specific tasks. Key areas of inquiry include whether the average annual IT investment by securities firms meets or exceeds 10% of their average annual net profit or 7% of their average annual operating revenue. It also asks how many of their primary customer-facing mobile applications have obtained securities industry security certification.

The three-year plan, titled the "Securities Companies Network and Information Security Enhancement Plan (2023-2025)" (hereafter referred to as the "Security Enhancement Plan"), was introduced in June 2023. Its objective was to guide securities companies in strengthening their systems and capabilities for ensuring the secure and stable operation of networks and information systems. The plan aimed to elevate the overall level of network and information security in the capital markets and to prevent and mitigate related risks.

A drafting explanation for the Security Enhancement Plan noted that the first half of 2022 saw a relatively high frequency of cybersecurity incidents in the securities industry, which significantly impacted the safe and stable functioning of the capital markets. Persistent issues such as insufficient overall IT investment across the industry, outdated information system architectures, and a lack of IT management capability were identified as major constraints on information system security.

To address these challenges, the Security Enhancement Plan focused on fundamental and deep-seated problems commonly found in securities firms' network and information security capabilities. It outlined specific directions and requirements across six areas: technology governance capability, technology investment mechanisms, information system architecture planning and design, research and development testing efficiency and quality, system operation assurance capability, and network information security protection systems.

The plan defined 31 main tasks categorized into six groups. These included five tasks for continuously improving technology governance, two for establishing scientific and reasonable technology investment mechanisms, five for enhancing control over information system architecture planning, four for strengthening system R&D and testing management capabilities, seven for consolidating system operation assurance capabilities, and eight for strengthening the information security protection system.

Recently, the CSA sent a document to securities companies titled "Letter on Conducting a Summary and Evaluation Survey for the Securities Companies Network and Information Security Three-Year Enhancement Plan (2023-2025)." The association stated that this survey is intended to continuously enhance the industry's network and information security safeguarding capabilities and to gain a clearer understanding of each firm's implementation status of the plan, in accordance with regulatory requirements for conducting summary assessments. Brokerage firms are required to carefully complete the relevant questionnaire based on their actual situations.

This comprehensive survey examines the outcomes and shortcomings of securities firms' information security development from multiple dimensions, including technology governance, technology investment, system architecture, security protection, emergency response, and compliance supervision. The evaluation employs a categorized approach, dividing the 71 tasks into two types: "mandatory tasks" and "encouraged tasks." Fifty-five tasks are mandatory, accounting for over 70% of the total and representing baseline requirements that brokers must fulfill. The remaining 16 are encouraged tasks, designed to guide well-resourced firms to further elevate their security standards.

Under the category of establishing a scientific and reasonable technology investment mechanism, there are two sub-items. The first involves reasonably increasing technology funding. Firms are encouraged to appropriately boost their technology capital expenditure. Firms with the capacity to do so are encouraged to ensure that their average annual IT investment for the years 2023-2025 is no less than 10% of their average net profit or 7% of their average operating revenue for the same period, while also guaranteeing sufficient funding dedicated specifically to network and information security. Accordingly, the CSA's survey asks: Is your firm's average annual IT investment for 2023-2025 no less than 10% of the average net profit for those three years? And is it no less than 7% of the average operating revenue for the same period?

Reports indicate that leading institutions such as CITIC Securities and Guotai Junan Securities maintained IT investment levels above 8% of their revenue for 2023-2024, significantly exceeding the "7% of average revenue" guideline. Some brokers even itemize security investments separately, with these allocations accounting for up to 25% of their total technology spending, focusing on advanced areas like zero-trust architecture and AI-powered security detection.

The second sub-item focuses on strengthening the technology talent team. Securities companies are expected to formulate talent development plans, encouraged to reasonably increase their investment in technology personnel, and continuously enrich their teams of IT professionals. Firms with the capacity to do so are encouraged to gradually increase the proportion of IT professionals to at least 7% of their total workforce, with information security professionals comprising at least 3% of the IT staff count, and no fewer than two individuals dedicated to this role. The survey inquires whether firms have met these requirements.

Regarding improvement of the App certification mechanism, the CSA survey asks: How many primary customer-facing Apps does your firm operate? How many of these have obtained securities industry security certification?

Under the category of strengthening the information security protection system, one sub-item involves improving the certification mechanism for mobile client application software. Securities firms are expected to fully understand the importance of security testing and certification for mobile apps. They should develop and operate their Apps with reference to industry security standards, and are encouraged to commission qualified third-party professional institutions to conduct App security certifications. This process helps identify potential security vulnerabilities promptly, ensuring that broker-operated Apps comply with national and industry information security standards in areas such as program development, personal information handling, data security, cryptographic application, and security management, thereby effectively protecting investors' personal information security.
