banks’ China IT systems may be exacerbated if the FITC
consultants and system integration providers that helped
build the banks’ existing systems gradually elect to cede
the market to local providers.
Meanwhile, Chinese regulators will likely turn their sights to
network security beyond the banking sector. In its Twelfth
Five-year Plan for Information Security Industries (2011
to 2015) (信息安全产业“十二五”发展规划), MIIT identified
e-government, e-commerce, e-healthcare, finance, energy,
transportation and distance education as sectors where use
of secure and controllable IT products and services should
be enhanced. Some of these sectors may soon be the target
of sector-specific efforts. We also expect that efforts to
implement the broader “cyber security review” regime that
PRC government officials proposed (see our September 2014
client alert) will continue.
At this stage, it is unclear to what extent the detailed
provisions of the Guideline and Catalogue in respect of the
banking industry will guide future, more generally applicable
legislation. Many of the sub-categories of products identified
in the Catalogue are rather generic, and many of the criteria
applied to those categories might easily be adopted in other
sectors or in a broader cybersecurity review regime. At the
least, it is not difficult to see the same arguments that were
made for imposing the restrictions on the banking industry
being made in respect of some other industries, and so we
anticipate that the discussions and lobbying in regard to the
Guideline and Catalogue that are currently underway will
have ramifications beyond the banking sector.
WHAT THIS MEANS – NEXT STEPS FOR FITCS
The rather vague and open-ended language used in the
Guideline and Catalogue makes it difficult for FITCs to
plan ahead. However, it is possible to identify several
steps that FITCs will need to consider:
i. Assess the risk. FITCs will need to review the products
and services they offer to banks in China in order to
assess and quantify the risks inherent in complying
with the Guideline and Catalogue (for example, the IPR
risks involved with disclosing sensitive source code or
the security risks inherent in replacing software with
indigenously sourced alternatives).
ii. Assess the costs of localizing. FITCs supplying
almost every category of IT hardware and software
listed in the Catalogue are required to operate R&D
and service centers within China. Many FITCs will
need to establish new PRC subsidiaries or repurpose
their existing onshore affiliates in order to comply
with this requirement. Doing so may require a
material investment in capital and management time.
iii. Assess the market. FITCs will need to consider
whether the value of the China banking market
justifies the risk and costs identified under steps
(i) and (ii). It may be that the banking sector
constitutes a relatively small market segment for
many FITCs. The cost-benefit analysis would look
very different if the rules are generalized to other
industries.
iv. Identify procedures. FITCs will need to identify the
procedures involved in qualifying their products and
services with CBRC and other relevant regulators.
Some of these procedures already exist, and FITCs
should seek advice from specialist, experienced
counsel. Other procedures (for example, filing source
code with CBRC) have not yet been established, and
it may be sensible for FITCs to consider working with
trade associations (see below).
v. Consider forking. In order to comply with the
source code disclosure, indigenous innovation,
and other requirements, we anticipate that some
FITC vendors will seek to “fork” their product lines,
creating specific versions for China that are likely,
over time, to evolve away from the product lines
used for the rest of the world.
vi. Work with trade associations. Many FITCs are
working closely with the China chapters of international
trade associations (for example, United States
Information Technology Office, also known as “USITO”)
to stay abreast of the latest pronouncements from the
CBRC and other relevant China regulators. In addition
to disseminating information, such organizations have
been seeking to engage the Chinese government in
dialogue regarding how the Guideline and Catalogue
will be interpreted and how best to implement key
procedures (such as source code filing) in a manner that
takes into account the legitimate concerns of FITCs.
1 In a notice that was issued in mid-April, the China Banking Regulatory Commission
announced the suspension of implementation of the Banking Opinions. It remains
unclear what network security standards may be implemented in place of the Banking
Opinions and what the timetable is for implementation of any such other standards.
The Banking Opinions nonetheless remain a valuable guide regarding the thinking of
regulators in relation to the network security of various types of information technology
products and services.
MoFo Global Procurement Quarterly, Spring 2015
© 2015 Morrison & Foerster LLP