
THEOS Cybernova
THEOS CyberNova is a cutting-edge podcast that explores the dynamic world of cybersecurity, hosted by THEOS Cyber CEO Paul Jackson.
Each episode delves into the latest trends, challenges, and innovations shaping the cybersecurity landscape, featuring insights from industry experts, thought leaders, and technologists. Paul brings his expertise and passion for cybersecurity to engaging discussions on topics ranging from emerging threats and data privacy to the future of AI in cyber defense.
Whether you're a professional in the field or simply curious about staying safe in the digital age, THEOS CyberNova offers invaluable insight into the world of cybersecurity.
Carolyn Bigg: Navigating China Data, Cyber and AI Laws
From incident response to red teaming, many global teams touch systems and data in China without realising the legal tripwires. In this live CIO Summit conversation, THEOS Cyber CEO Paul Jackson speaks with DLA Piper’s Carolyn Bigg about the realities of operating in China’s data and cyber landscape. Topics include why consent is foundational, why remote access counts as a cross-border transfer, volume thresholds that trigger filings or approvals, and new breach notification measures with four-hour reporting for higher-severity incidents and mandatory 30-day remediation reporting. They also cover local technical standards beyond ISO 27001, provincial CAC dynamics, operational risks such as license exposure, and the unique AI environment in China where toolsets, policy aims, and threat models differ from the West. A clear, practical primer for CISOs, legal, and operations leaders who need to plan before the crisis.
Disclaimer: This episode provides general information. It is not intended to be, and should not be used as, a substitute for taking legal advice in any specific situation. Organisations should consult counsel for guidance.
Production Credits:
Presented by: Paul Jackson
Studio Engineer & Editor: Roy D'Monte
Executive Producers: Paul Jackson and Ian Carless
Co-produced by: THEOS Cyber and W4 Podcast Studio
This week on the THEOS CyberNova podcast.
Speaker 2:With China, their regulatory framework changes almost weekly at times, and it all basically sums up in: you need to know your data. The two themes are two C's: consent and cross-border data transfers. There isn't an automatic right, in the lack of consent, to be able to go and get that data and remote access it from outside of China. What may become a small investigation into a relatively containable incident suddenly escalates into an investigation into your entire governance programme in China. The laws in Asia, they're not to stop the use of data, they're to stop the abuse of data. The THEOS CyberNova podcast, hosted by Paul Jackson.
Speaker 1:Welcome to season two of THEOS CyberNova with me, Paul Jackson. Today I have a very special guest. We're coming live from the CIO Summit, the Chief Information Officer Summit, in the heart of Mong Kok in sunny Hong Kong. It's a beautiful day here as we look out of the window and we're gearing up for what is going to be a pretty amazing conference run by our friends at the Market Intelligence Group. Paul Sito, Jocelyn Chung and the team do a great job of running these events and we're pleased to be here today. So the topic I have today for you is a fascinating one. I'm here today with Carolyn Bigg, and Carolyn is a Global Co-Chair of the Data Privacy and Cyber Security Practice at DLA Piper law firm. Now, it's a real pleasure to have you here with me today, Carolyn, and an honour. Thank you so much for joining me today.
Speaker 2:Thanks, Paul, it's great to be here.
Speaker 1:So, carolyn, I saw you present at a similar conference organised by MIG a couple of months ago and you presented on the data transfer issues between China and well anywhere the legal issues, complexities of managing data in China, which is a, you know, a big elephant in the room for many of us working here in Asia, and I have never seen a bunch of CISOs in the audience scribble so many notes as they did during your amazing presentation. It was full of such valuable insights and you know I think I speak for everybody that the session today is going to be extremely enlightening.
Speaker 2:Thanks, paul. That's very kind. And what's interesting is we did that session a few months ago and we were talking about navigating China's data regulations in 2025. And a few months later, we have even more to talk about, because that's the way with China their regulatory framework changes almost weekly at times.
Speaker 1:I agree, and you know what triggered this conversation today was that I picked up on a recent, well, just the other day you posted on LinkedIn about, you know, updates again, because it's constantly changing, isn't it? And you know, it was a fascinating update that you gave on LinkedIn and certainly very pertinent to my role.
Speaker 2:Thank you. So 1st of November is going to be a key date for everyone who has data in or from China. There are three big updates coming on the 1st of November. One to do with, actually helpfully, classification of sensitive personal data, which is a topic all to itself in China, completely different to the rest of the world. What is sensitive?
Speaker 2:We have another update coming about classification of important data, which is a non-personal data category, and we're seeing around the world, in the EU, but China's probably leading the way, regulating other types of data, not just personal data, PII. And then the third update coming, which is one I think we're going to talk about more, is notifying breaches in China. There's been some really interesting developments. We have some new measures coming into play, which gives some clarification, but we've also had some recent cases that show it's not just a case of saying we need to notify, let's notify. It's a question of looking at your overall governance program and, potentially, notifying immediately might open more of a can of worms for you than not. So it's an interesting conundrum and lots to talk about.
Speaker 1:It's fascinating, and I'm going to kick off with a very personal question because, as you know, THEOS Cyber, we're involved in incident response, we're involved in testing cybersecurity, the ethical hackers, and we often get asked, can you work in China? And we do from time to time, but to me it's a little bit of a grey area, right, what we can and cannot do, because a lot of the work we do in incident response is remote. You know, we use cloud-based tools, but essentially we're going into China and we are potentially looking at, well, information, data, right.
Speaker 1:So let's start with the incident response side of things, and what kind of advice would you give to companies like ours? You know when we're planning ahead for you know, maybe responding to an incident in China and we're outside China.
Speaker 2:So planning ahead is, you've hit the nail on the head, absolutely critical. There are two really key themes that you need to keep in mind when it comes to China data, and it all basically sums up in: you need to know your data. You need to have mapped your data out, classified it against the different types of data that you have in China, and if you know that, that will get you a long way in understanding what you can and can't do. The two themes are two C's: consent and cross-border data transfers. Consent is critical.
Speaker 2:So if you talk about data in China, personal data, if you're coming to this from an Asia or China perspective, data is defined and thought of very differently to other parts of the world. So in Europe, data privacy or data is a fundamental right to privacy, to a private life. That's not the case in America. A lot of the American data laws are coming at it from a fear of social media platforms, hence their focus on ad tech. It's not that privacy right, it's a different way of thinking about data. And in China and in Asia, it's different again. It's an asset, data is an asset, and the reason for focusing on that is because people will more readily share their data in Asia in return for something, whether it's convenience or hyper-personalisation or, candidly, even for something to be cheaper.
Speaker 2:But because of that way of thinking about data, consent is critical. It really comes down to a choice, a black and white: have you consented to your data being used? And that is particularly critical when it comes to data crossing the border. And remote access is data transfer from a Chinese perspective. So it's not a case of physically moving data from one server to another across geographical lines. Remote access is a transfer of personal data, and in China you need separate consent for that from the individual, if we're talking about personal data. So you have a general consent to processing personal data and you need a separate tick box or click: I'm consenting to my data effectively leaving mainland China, and other tick boxes as well. So that's the first thing. I would make sure that your privacy notice covers adequately that data may leave, that you may be processing data outside of China with service providers for investigation purposes, for incident response purposes, and get that consent. That gets you a long way.
Speaker 1:Unfortunately, a lot of the companies we deal with don't have that foresight.
Speaker 2:No.
Speaker 1:And now, of course, we'd urge them to contact you and DLA. Fiber to get that foresight, to get that foresight, but the odds are that we get suddenly an emergency from a client who has operations in China and maybe an incident has occurred on their systems in China and they don't have this pre-preparedness. So what are our options as a company to actually, you know, immediately because it's got to be fast immediately leap, and you know it's in the best interest of the company and in cybersecurity as a whole.
Speaker 2:Right, it's difficult In China.
Speaker 2:We don't have some of these exemptions you might see in other countries and other jurisdictions, so there isn't an automatic right, in the lack of consent, to be able to go and get that data and remote access it from outside of China.
Speaker 2:So it may be you have to get on a plane, which is fine, but, as you say, it takes time and costs money and in an incident mode, when you're all hands on deck as quickly as possible, it slows things down. So that's why I think everyone listening please plan ahead, know what data you've got and get those consents. For personal data, there are other categories of data there in China, as I mentioned earlier, that are regulated. So we have categories like important data and state secrets and some data regulated by industry regulators, and for many of those and for certain types of personal data, you have to have taken some additional steps for the data to leave China. In some cases you have to go and get regulator approval, usually from the CAC, but sometimes from your industry regulator, and for a small subset of data, a small subset of data, that data can't leave China at all.
Speaker 1:Right.
Speaker 2:So that comes back to my original point of you have to know your data.
Speaker 1:And I think you know, obviously we get involved in a lot of crisis preparedness planning and very few companies are actually thinking of these kind of things when they have operations in China, obviously. But you know it's such an important element because there's so much to consider and you don't want to be doing that during a crisis.
Speaker 2:You really don't, and if you've got an incident involving personal data, coming on to my second C of cross-border data transfers, you have to have done this assessment upfront as to the volume of data that you've got leaving China in a year. If it hits certain volume thresholds, you may need to be signing some standard contractual clauses and filing them with the regulator, or you may need to go and get approval because you've got a large volume of data each year leaving mainland China or being remote accessed from outside of China. There are some really helpful exemptions that came into force, and they have put some exemptions around certain categories of data needing to go through either this filing or approval. So certain lower volumes of data. Helpfully, HR data is largely out of scope. Data that's crossing to fulfil cross-border contracts is out of scope.
Speaker 2:So we could talk for hours about the intricacies of it, but really the point is, don't assume that in an incident, because it's an emergency, the Chinese law allows that data to leave. That doesn't necessarily mean you don't take a risk-based decision: actually, we have to, temporarily, while we fly people in. But what it does lead on to is then, if you do have to notify or you do face an investigation, you're not just going to be tackled about how you managed that incident. You're going to be questioned about why have you not got the right consents in place, done your assessments about cross-border transfers, made a filing, got the approval and now, for those processing large volumes of personal data, registered your DPO. And so what may become a small investigation into a relatively containable incident suddenly escalates into an investigation into your entire governance program in China, and actually there's been a couple of cases recently with multinationals facing exactly that and facing fines.
Speaker 1:Can you talk a little bit about that?
Speaker 2:Not really, but it's been really interesting to see. We've been saying this for a long time, and what's been really interesting is seeing the regulators support what we've been saying: that actually that preparation part is key, and it goes on to then that decision about whether to notify and when as well.
Speaker 1:Yeah, it's the old cliché, an ounce of prevention, right.
Speaker 2:Absolutely.
Speaker 1:Yeah. So on a similar sort of note, though, we also do a lot of penetration testing, red team, ethical hacking type work, and we often get asked to test systems in China. Now, this is obviously not such a crisis-driven thing, so we can prepare and plan. But again, is it just similar guidance? Because when you're testing, you're really, well, you shouldn't really be taking any data out. You know, it's more, you know, testing the applications, the systems that are in existence in China. Is there any issues with that, do you see?
Speaker 2:The same issues about where you are accessing the data from, whether you're allowed to, whether it's an ethical preparedness hacking or it's a real-life threat actor.
Speaker 2:The situation's the same. Yeah, I think it's incredibly sensible to be doing all of what you're saying in preparation. What I would just add also, in China, just to complicate things even more, is that there are literally hundreds of technical standards around cybersecurity. It's a very heavily regulated area, and I'm a humble lawyer, so I'm not technical, so I'm not on top of hundreds and hundreds of technical standards from TC260. But there are lots, and just saying you have compliance with NIST 2, ISO 27001, will only get you so far when it comes to China. So, yes, I think the other thing to bear in mind in China when it comes to that preparation is making sure you're testing against the local standards and not just international standards as well.
Speaker 1:Right. Now, one thing I'm curious about, because quite obviously you're very British, just like myself, and the Chinese laws are obviously published first and foremost in Chinese, although of course they do publish them in English as well. Now, how do you navigate this? Because I'm sure there are nuances between the Chinese language versions and the published English versions, because law is a complicated beast. I mean, I know from being a former police officer how complicated and how nuanced and how grey sometimes law can be. So how do you navigate that side? Because I'm sure there must be slight differences or nuances between the Chinese versions of the laws and the English.
Speaker 2:There are, and really, with hindsight, my French and German A-levels have ended up completely useless living in Hong Kong for nearly 17 years, and I have siu siu Gwongdungwa (a little Cantonese), but no Mandarin.
Speaker 1:Oh, that was very good.
Speaker 2:I have an amazing team, my team across Greater China, who are actually looking at that nuance, and I think that's really important.
Speaker 2:An English translation of Chinese characters is not going to get you there, particularly if you're looking at that law with a common law or a Western civil code mindset. You start trying to read things into it that just aren't there.
Speaker 2:The other complication is that Chinese laws, the actual laws themselves, are very high level, very, very high level, so the detail of what you need to do to comply, how to comply, may not come for weeks, months or even years afterwards, and it comes quite piecemeal. So you were mentioning earlier there's an update in the last few days about breach notification. These laws are not changing the law, they're adding to it. And so I'd really encourage those who think an English translation of a law, even if it may have been published officially by the CAC or the Chinese government, is what the national-level, central CAC are thinking, but the provincial-level CAC in wherever you're based, whether Shanghai, Pudong or Beijing or Guangzhou, can have different views about some of these things as well, and you also have to look at it as a matter of policy. We all know that data and cyber law is fundamentally driven by policy and trade and geopolitics, and so much of navigating China's data and cyber regulations, you have to keep that front of mind as well.
Speaker 1:Got it, yeah, and I'm not sure we should touch on geopolitics too much.
Speaker 2:It will change by tomorrow.
Speaker 1:You know, that's very true. But yeah, I mean, look, whenever I try to read the Chinese cybersecurity laws etc., my eyes just start to cross, and it's extremely wordy and complicated.
Speaker 2:And the framework's complicated. We've got the cybersecurity law, the data security law, the personal information protection law, but then, underneath that, we have so many guidelines and measures and standards, and we can't forget about things like archiving laws and e-commerce laws and consumer protection laws and criminal laws, and I could go on and on and on. There are so many different laws we have to think about and I would always say don't ask what the law is, ask what the compliance obligations are.
Speaker 1:Right, right. So before we go on to talk a little bit about what you're going to be presenting today, spoiler for anybody who's attending today, but also it's great for those who are unable to attend today and hear you in person. But you describe yourself as a humble lawyer. I would describe you as a rock star in this world.
Speaker 2:Oh, thank you.
Speaker 1:But how did you get into this? Because you're not technical by background, are you? And I mean, tell us a little bit about what made you come to Hong Kong in the first place, and you know how did you get into the cyber side of things?
Speaker 2:Well, I qualified as a lawyer, gosh, a very long time ago now, but I started my training contract as a lawyer in London on 9/11, which means that every year it comes around and I reflect on many things, it being 9/11. But I do reflect on that being the day I signed my training contract and started becoming a lawyer. And I trained at a firm in London, and one of the lawyers at the firm was the guru on data protection law at the time, the old data protection expert.
Speaker 2:Peter Carey, who I'm still in touch with, and he was the rock star in UK data protection at the time and, as a result, the firm I was working for at the time and training with were doing some of the first big data protection cases in the UK. And I joke and look back now and think I was lucky at that time, as I was, you know, after a few years, asked to speak about data protection. I was lucky to get five minutes at the end of a three-hour client training session. No one really cared, but I cared and I was interested, and I worked with some of the partners there to set up microsites and, yeah, one of the cases that the firm was doing was, if you're of a certain age and British, the infamous case involving Catherine Zeta-Jones and Michael Douglas's wedding photos.
Speaker 1:Oh yes.
Speaker 2:And certain popular magazines who should or should not have published the photos, and there was a very small data protection element of that case, and that's really how I got there.
Speaker 2:It was the dot-com bust, having had the dot-com boom, and so from a very early age as a lawyer, I was looking at e-commerce online, what was happening online and attitudes to data changing, and so I moved to Hong Kong in early 2009. We moved over here then to join a different firm, and I have been so fortunate to be in this part of the world where, as one of my colleagues says, all the cool stuff happens. And data protection law, even in 2009 in Asia, was small. Maybe a handful of countries had data protection laws, but for various reasons, pretty much every jurisdiction in Asia now has protection laws, and China's been a continued focus because it's China. It's such a large economy, such an important market for many multinationals, now with its biggest companies going global. So that's how I'm here, and I'm just so grateful. Who would have thought 22 years ago that I could have a practice focused entirely on data and cyber?
Speaker 2:So I'm incredibly fortunate, and to be a global co-chair. But I do think, I did a history degree and was always very focused on international relations, and I do think that policy and trade aspect of driving data law is what keeps me really interested.
Speaker 1:That's fascinating. I just want to touch quickly on the data privacy laws, because we are here in Hong Kong and it's always a pet topic of mine. Because, you know, when I was a cop back in the day, around 1995, at that time I was in charge of a unit that had to deal with the new mobile phone operators that were all given licenses in around 1995. And the data privacy law had just come in, so we had to negotiate with the companies how to get information from them related to intelligence, police work.
Speaker 2:Yes.
Speaker 1:And the law hasn't really changed since then, has it? You know, there's been a few amendments, but we now have probably one of the longest-standing data privacy laws but one of the weakest in terms of, you know.
Speaker 2:It's definitely the oldest and, at least, the one that hasn't evolved and developed as much as other laws have.
Speaker 2:So I describe it as a very straightforward data protection law. It really does follow the old EU directive, the old UK Act, which, as we know, has evolved into GDPR, and even countries like Malaysia and Taiwan and Japan that had old, quite straightforward data protection laws, there's been a greater evolution of their laws than Hong Kong. But Hong Kong is a business-friendly jurisdiction, and what I would say is that data protection laws in Asia, some of the newer laws, may look like GDPR, but the reality is how they're enforced, how they're interpreted, how they're applied, is not. It is not GDPR. They are much more straightforward and streamlined, and it goes back to the points I was making earlier that data is an asset and the laws in Asia, including in Hong Kong, are to stop the worst abuse of data. They're not to stop the use of data, they're to stop the abuse of data, and that reflects the very commercial, business-focused mindset of Asia. So I wouldn't say they are not, ex-cop.
Speaker 1:I'd love to see these enforced more because, honestly, there's not much impetus for companies here to, you know, invest heavily in cybersecurity, because the penalties just aren't happening. You know, the stick isn't there.
Speaker 2:That's true. That's true, but actually the consequences are different. The consequences are, yeah, perhaps not the big fines, the mega fines that hit the news when you hear about them from the UK or Europe, and they're not the class actions that we're hearing about coming from the US and now Australia. The risks are different. The risks are operational, contractual and actually economic and strategic. I would always say that data and cyber is primarily an operational resiliency issue. It's not a compliance issue.
Speaker 2:The fact that businesses nowadays are so fundamentally reliant on data and IT systems, a cyber incident is an existential threat to some businesses, and we have many examples of that. So in Asia, the risk is also that, if you don't get data and cyber right, you can't use that data, that incredibly valuable asset that you have, in the way that you could to strategically or even commercially, bottom line, grow your business. It all comes with planning. If you set up your data governance framework correctly, making sure you're within the confines of the legal frameworks you're operating in, what you can do within those legal frameworks in Asia is more than you could in, say, Europe. So not having a proper data governance program, not having the correct cybersecurity, may stop you from using data for AI or machine, sorry, data analytics, or not being able to properly and quickly respond to a cyber incident, or not being able to sell your business because the value is decreased, because you haven't got the rights to use the data you thought you had or you've suffered cyber attacks. Right.
Speaker 2:So I would say there's that. There's also the risk of losing operating licenses in Asia, which is not a risk we see elsewhere in the world, whereas in Asia it does happen. A cyber or a data incident is a very good backdoor for regulators in Asia to look broader across your company, and the threat of withdrawing your right to do business in a country is real, and that has knock-on consequences legally from a contract point of view. You're providing goods and services and you lose your operating license, or you can't operate because you can't access your data or your cyber. That can be a huge contractual risk as well. So, while we may think it's not so much of a concern in Asia, I think the risks are really different and it's really worth paying attention to those and not just thinking, oh well, I won't get a big fine.
Speaker 1:Right, right. Well, let's turn to your presentations, the one that you did at the recent conference and the one today, because I'm obviously not going to ask you to do the whole presentation for our audience here. They should have turned up to this conference if they wanted to. But you know, I know you're very approachable and you're happy for people to reach out to you and talk to you about these issues, because they are complex and we're certainly not going to cover all the points that you're going to be covering. But what are the highlights, would you say, for this kind of audience? I know, in our pre-conversation, of course, close to my heart is the update on breach notification that you alluded to earlier.
Speaker 1:So maybe you can run us through some of the highlights rather than the entire presentation.
Speaker 2:Of course. So I think, from a navigating China data perspective, we've already touched on all the key points. To bring it right up to date, yes, there are new breach notification rules and, as I said, this is not replacing what's in China. This is clarifying. It applies to those operating networks in China, and it's really broad. It can be as simple as a website or providing services via networks in China. So anyone that's got any sort of infrastructure, website, WeChat mini program in China needs to pay attention, and what it's now done, helpfully, is classify incidents into four categories.
Speaker 2:They're called, I'm sure they have much catchier names in Chinese, but in English translation: particularly significant incidents, significant incidents, major incidents and general incidents. And there's a whole heap of guidance that's been published as to what falls in those four categories, and it's the usual volume, impact, length, nature of the data, nature of the system, all of those sorts of things. What's now changed is for those first three categories, so not general incidents, but the ones above it, you have to report those within four hours.
Speaker 1:Within four hours.
Speaker 2:Within four hours, and it's even quicker if you're a critical infrastructure operator in China and you're already subject to strict cyber notification rules. It can be as quick as one hour in certain circumstances.
Speaker 1:So I guess we're going to have to sort of wait and see as to how they define when you recognise it, because I think the key here, and we've seen this in a lot of jurisdictions, is, well, yeah, OK, you've got four hours to report, but what about, you know, the time needed to actually clarify whether it meets that threshold or not?
Speaker 2:There is that, and I'd say across Asia generally, and we can't talk specifically about this.
Speaker 2:We're going to have to wait and see how they interpret it, but in Asia there tends to be much more of an acceptance that you do need to assess whether an incident falls within a definition of a reportable incident. Now you've got to classify it, and you're going to have to, I think in advance, build all of this into your incident response plans to help with that process. You've also got to report to the police in certain circumstances, which everyone always knew you really had to do in China most of the time. How do you do that? It varies from almost local province to almost police station, and you get a very different reaction in different parts of China.
Speaker 1:Well, I know what it's like in Hong Kong.
Speaker 2:Yeah, and there are clearly designated channels now for the local CAC branches for reporting to them, including WeChat and all the usual communications channels in China, which is super helpful. The four hours is going to be a challenge. It really, really is. The likelihood is most multinational vendors will not be rushing to update their contracts to commit to telling you within under four hours of an incident. And these general incidents, while it's not got this particular threshold for reporting under these new measures, there are already lots of existing measures in China under this really complex framework we talked about where you may still have to report them. And bear in mind, in China we're talking about, it's all to do with network security and cybersecurity. It's not necessarily specific to personal data, so you have to think of it a bit more broadly, whereas I think a lot of people coming from Europe will still be thinking of this more from a data point of view rather than a cyber perspective.
Speaker 2:There is mandatory remediation within 30 days, in that you don't necessarily have to have been able to remediate it within 30 days, but you have to have thoroughly assessed it, done a root cause analysis, identified the remediation steps you're taking, lessons learned, all of these sorts of things, and you have to put that in a report. Again, that has to be filed with the regulator. So it's a much greater degree of transparency and onus on the company to let the Chinese authorities know, and we've seen that a lot in China. You come and tell us about your cross-border data transfers. You come and tell us about who your data protection officer is. So it's a lot more work for companies. But I go back to my earlier point. This may be the requirement, but it really is a conversation, a decision that needs to be taken at the time, taking into account the whole state of your data and cyber governance program in China.
Speaker 1:It's all resilience, it's all preparation. And I know we keep hammering that. But you know, obviously that's a key message that we always give as well. You know you've got to be ready for a crisis, ready for an incident, and that doesn't just involve the technology, it involves understanding your responsibilities under the various laws and regulations in the jurisdictions they operate in. And then just to touch on today.
Speaker 2:Later today I'm going to be speaking about managing cyber and data risk in the context of AI, correct, because the theme of this conference, naturally, in the current landscape, is of course focused on AI.
Speaker 1:So I'm curious. Yeah, again, yeah, it's.
Speaker 2:It's a really interesting one when it comes to Greater China because, again, the regulations and the policy and reasoning have on multinational businesses, even though it's not in Europe but in China.
Speaker 2:AI regulation has been very focused on generative AI, and generative AI, if it's publicly facing, is incredibly heavily regulated. So, again, people are now turning their minds to how do we address cybersecurity when it comes to AI, and we're going to be talking about that a bit more later on in the conference, but from a China perspective, and actually an Asia perspective, it's again understanding what the actual risks are from a China regulatory perspective, which are different to risks under Western AI, and that's not just from the regulations. The focus, the intent is different. It's actually because the platforms are different as well. So a lot of the Western AI platforms and tools are either blocked in China, or they may be accessible, perhaps via VPN, perhaps not, perhaps more generally accessible, but they haven't got these licenses you need to operate Gen AI platforms, and so you're operating completely different infrastructure. So, as you know, Paul, the cybersecurity doubles, quadruples, because you're operating such different platforms with such different risks. Of course, you know, local-language, Chinese-language tools.
Speaker 2:We know some of them are familiar to the Western world, some of them aren't, and with your local teams you may be using AI tools that are local in China rather than the Western ones. So that to me seems like a really difficult challenge for those involved with cybersecurity preparation and monitoring to get their head around.
Speaker 1:A hundred percent, and you know I talk to many of my connections, obviously, in the cybersecurity world here in Hong Kong, and one of the biggest challenges I think of AI usage is understanding how to prevent employees from either deliberately or accidentally uploading sensitive data to these AI platforms. And you're absolutely right when you're talking about using different platforms that you must use in China. Then that complexity, the whole landscape, broadens considerably, and you know, in the role of a CISO, trying to understand how to control data whilst allowing use of these technologies, it's a massive headache. It really is.
Speaker 2:So you're already thinking about, contractually, what data can we use commercially, from a commercial sensitivity perspective. What data can we use, personal data, all these things. But then you've got to factor in, as we were talking about earlier, the different types of regulated data in China and the platforms you're using. Are you allowed to use them in China? And also, what are the threats? What are the cyber threats in China, which could, as we see in this part of the world, the threats and the trends can be quite different, as you know, to what you see in other parts of the world. So it's going to be a really challenging one. And I think it's going to be particularly challenging again when it comes to third parties, who will be used to cyber risks with the very familiar Western AI platforms, but not so much with the Chinese ones.
Speaker 1:Right. Well, I think you know our listeners have a lot of food for thought with this and, to be honest, you know we've just scraped the surface of what you're going to be talking about today. A few spoilers in there, perhaps, but you know, I really urge those listening who have operations or interest in this part of the world to reach out to Carolyn, because she has a wealth of knowledge and information, as you can already tell, on this subject, and I, for one, am looking forward to your presentation in a couple of hours here at the MIG conference. But I always close our podcast by asking our guests, because I'm a music lover, right, and I'm just fascinated by what my guests in the various industries and demographics are actually listening to, what's on your turntable. So, Carolyn, what are you currently listening to, music-wise?
Speaker 2:Well, don't hate me, but I tend to listen to comedy and cricket, so TMS is often on my turntable. Cricket fan, so often TMS, often comedy podcasts and comedy programs like Radio 4 and, of course, the THEOS CyberNova podcast, absolutely. But if you, I do love music as well. I was a real sort of indie kid in the 90s with all the Cool Britannia type things, but I really love funk and acid jazz and disco. So I was listening to the Brand New Heavies on the way here this morning.
Speaker 1:Excellent choice. All right, good to know. All right, look, Carolyn, thank you so much for spending a bit of your valuable time with me this morning. I think you've given the listeners a heck of a lot to think about, and perhaps you've scared them a bit. But no, thank you so much for joining us today and, as I say, I look forward to hearing more from you in the conference. Thank you, Carolyn. Thanks, Paul. THEOS CyberNova was presented by myself, Paul Jackson, the studio engineer and editor was Roy D'Monte, the executive producers were myself and Ian Carless, and this podcast is a co-production between THEOS Cyber and W4 Podcast Studio in Dubai.
Speaker 2:The THEOS CyberNova Podcast.