Regulator issues measures on IT outsourcing to strengthen risk management

China's banking and insurance regulator announced on Friday it has issued measures for the regulation of information technology outsourcing activities in banking and insurance institutions to further strengthen risk management in this area.

China's banking and insurance institutions have been making a transition in recent years to digitalization and have been continuously increasing their reliance on IT outsourcing services.

Some banks and insurers in the meantime do not have effective control over risk management, which has led to business interruption and sensitive information leaks from time to time.

In addition, the high concentration of IT outsourcing service providers in certain fields triggered concentration risks, an official of the China Banking and Insurance Regulatory Commission said.

By launching the regulatory measures, the CBIRC will promote banking and insurance institutions to establish and improve their IT outsourcing governance frameworks, strengthen the construction of IT outsourcing risk management systems, enhance risk management capabilities, and carry out digital transformation in a steady manner, the official said.

Banking and insurance institutions are not allowed to outsource IT management responsibilities and the primary responsibility of cyber security. They should strengthen protection of important data and the personal information of clients, according to the CBIRC.

The regulator required banking and insurance institutions to reduce their reliance on a few IT outsourcing service providers, conduct onsite inspections of offsite outsourcing services which meet the standards for important IT outsourcing activities, carry out comprehensive IT outsourcing risk management evaluation at least once a year, as well as conduct audit work on this type of outsourcing activities regularly.

jiangxueqing@chinadaily.com.cn