Cybersecurity for All: SMEs and the New Law

Cyber attacks_resized.png

By: Beata Cichocka

Cybersecurity is not just a technology issue that affects a narrow range of technical businesses; it’s a critical business concern that affects corporate reputation, says Eric Schmidt of EventBank. “[Cybersecurity] has to go to the executive level because it is such an issue at this point,” Schmidt said. “It can’t be just the IT department handling it.”

While every company is at risk, SMEs are particularly prone to cyberattacks, as they fill the “sweet spot” between individuals, who own few valuable digital assets, and larger, more secure companies. SMEs may lack the awareness, institutional knowledge, and personnel resources that larger companies have to protect their information.

In fact, 50 percent of small businesses have been breached in the past 12 months, according to a report by Keeper Security and the Ponemon Institute. Once trust is lost, it’s extremely hard to get back. According to Peter Zysk of The Brunswick Group, an analysis of the daily stock prices of companies two quarters after they had been breached was, on average, 11 percent lower than before the breach. 

The Brunswick Global Survey indicates that, in contrast with relatively secure Americans, over 57 percent of Chinese consumers feel companies are not doing enough to protect them. Partly in response to these concerns, the Chinese government released the final draft of the Cybersecurity Law on Nov. 7, 2016. However, new law contains many problematic provisions for SMEs, including data localization requirements.

New Concerns and Risks

SMEs particularly rely on an open internet to connect to customers. A study published by Accenture in 2016 found that internet technology is responsible for “significantly increasing SMEs’ access to finance, through the development of innovative alternative financing mechanisms and also by reducing the risk and cost of servicing SMEs.” On top of this, data localization makes it harder to take advantage of big data-driven innovation, from which technological SMEs often benefit most. In this context, moves to fragment and control the internet are particularly worrying.

Schmidt points out the greatest impact of the new law will be in terms of cost, as SMEs will essentially have to double their server capacity to abide by the law. Some larger companies, such as Apple or Airbnb, have already begun to make the move to store data onshore. In contrast, SMEs might not be able to afford building costly data centers in multiple countries, and will likely have to find a Chinese-based data storage provider.

Next Steps for SMEs

Businesses hoping to continue in China must examine whether their products and services fit the criteria of the new law and what changes they might need to make, with technology businesses obviously facing the most challenges. But businesses in other sectors will also need a check-up of their technology use, possibly having to find new options for technology procurement in China, and evaluating them against functionality, performance, and security. Companies which previously enjoyed storing information, such as names of Chinese customers or contacts, on foreign-based cloud services will have to find new data storage solutions. Businesses operating in multiple countries will also need to evaluate the interoperability of the new onshore systems with offshore networked systems, Baker & McKenzie further advises.

Data localization regulations in other areas worldwide have resulted in a boom for companies providing innovative data storage solutions. There may be opportunities for third-party providers to get involved in China too, although the government still restricts foreign companies in terms of structure and capital requirements, and to a maximum of 49% joint venture. A few companies have already braved the Chinese market, including Microsoft, which teamed up with Chinese partner 21Vianet. SMEs, which may be particularly in need of these services, will be evaluating these options based on both their affordability and security.

Beata Cichocka is a communications intern at AmCham China.