Geopolitical risk management: operating effectively in China - Part 2

By Paul Caulfield, Chief Legal Officer, Third Bridge

The expanded anti-espionage law

The key takeaway from the People’s Republic of China’s amended Anti-Espionage Law is that the scope of “espionage” activity significantly expanded from spying on state secrets to a more amorphous, and thereby problematic, collection of “any document, data, materials or items related to national security or national interest.” In risk management, the adage is that one cannot manage what is not measured. One also cannot measure that which is not defined. 

As mentioned in part one of this blog series, practitioners, including Third Bridge, have been working on guidance to define what “sensitive” Chinese data entails. Two themes have emerged. First, is the data within certain industries or sectors, or does it contain particular hallmarks of accuracy or scale? Second, if leaked, tampered with or destroyed, might the information directly challenge the PRC’s narrative around its national security, economic operations, social stability or public health and safety? Where “yes”, companies should proceed with caution if not employ a hands-off approach entirely. 

This is different, not new

Sensitive data, even before the Espionage Act’s amendment, had been heavily regulated to limit loose dissemination. Transfer of important data from a “data controller” to a recipient has been subject to strict controls such as signing data transfer agreements, completing IT security audits over the recipient’s environment and masking data/data tagging procedures. Many of the requirements also follow the same path as the European Union’s General Data Protection Regulation that came into force in 2018.  

A major difference is that the transfer of sensitive data out of China requires government approval, currently. There are recent indications this may change. Until then, companies must not only have commensurate controls in place; they must also abide by a pre-certification process as to their data governance and cybersecurity controls. Operating in contravention of these requirements may be seen as a data breach or even rise to the level of “espionage” depending on the nature of the recipient and sensitivity of the data. As noted in the Financial Times, Gallup faced criticism earlier this year following one of its surveys that showed Americans’ favorable view of China had declined to a record low 15%¹https://www.ft.com/content/dff10673-f3e3-4117-8a71-cb57a9cc4ccb. In the expert network space, Capvision was accused of facilitating consultations with government officials for overseas clients. 

Our industry has been intently working to navigate these new risks, and we offer the following Third Bridge perspective to assist our clients and peers:

Defining the new guardrails

Third Bridge has always maintained certain operational and regulatory prohibitions. With regard to the current geopolitical climate, we have made it clear that we will not engage China specialists on projects involving the PRC’s: 

• Military or defense 
• Aerospace or satellites
• Security and surveillance, including geographical mapping, or
• Diplomatic strategies and political policies, including those involving Xinjiang, Taiwanese relations, Tibet or Uyghurs.

Our clients have largely agreed with these carve-outs, which came after a number of discussions with in-house and external China counsel and regulatory experts. Nevertheless, as we work through the near term we are ensuring that each client that requests has their own controls added into our processes.

Next, while not prohibited, Third Bridge has developed a number of enhanced controls around engaging with China specialists on the following China-related projects: 

• Oil and gas 
• Nuclear power and technology 
• Semiconductors and their components 
• Rapidly advancing high tech such as 5G and AI
• Manufacturing
• Electric vehicles, including research and manufacturing 
• Agriculture technology and storage
• Cybersecurity
• Transportation infrastructure
• Telecommunication networks and telecommunication security, and
• Dual-use technology involving, for example, drones

The controls: an overview

The key to managing projects within these sectors begins with increased transparency as clients, specialists and Third Bridge must collaborate to manage the collective risk. Any client consultation, for example, must disclose in advance and adhere to a detailed set of questions or topics that will be asked of a specialist. This must be included within the project description, which will also serve to underscore that no party has any intention or business reason to collect potentially sensitive data (or state secrets).

Third Bridge is also applying the following controls to its own proprietary content such as Maps, Discovery and Forum:

1) Know your end-user 

In banking, understanding the “ultimate beneficial owner” is a primary component of managing risks tied to financial transactions. Third Bridge deploys a similar strategy in understanding the ultimate end-user and the intended purpose of its investment-related research. This translates to our understanding and documenting the ultimate beneficiary and purpose of any consultation. While there may be instances where a client cannot disclose its end-client specifically, Third Bridge then will endeavor to obtain, at a minimum, a description of the end-client’s line of business, geographical presence and purpose. If these prove contentious or contrary to our outlined prohibitions, Third Bridge would decline the engagement. 

For example, Third Bridge will not work on any China-related projects where the end-client is another country’s government agency, an institution with influence over or responsibility for policy making, a political or quasi-political think-tank or private-sector, corporate intelligence or investigations firm. 

Moreover, consistent with Third Bridge’s pre-existing prohibitions, Third Bridge will also not facilitate any consultations where an end-client is or could be considered a direct competitor of the specialist’s employer. 

2) Enhanced specialist due diligence

Third Bridge maintains a bright line rule against engaging or facilitating consultations with Chinese government employees including throughout their first 12 months following their last government role. Working with recently employed government personnel should be considered as prohibited. 

Harder to define is how Third Bridge works with China employees affiliated with a state-owned-entity (SOE) or public institution. In these instances, Third Bridge screens the SOE or institution as well as the employee’s decision-making power and access to non-public information. Third Bridge then assesses these results against the potential risk of access to national secrets or sensitive data. This includes heightened sensitivities around China’s economy, social development and government-led science and technological advancements. In some instances, case-by-case guidance is expected, and that is where the importance of onsite counsel is paramount. 

Prior to any engagements, approved specialists are also then trained and acknowledge that they may not discuss or disclose any confidential or sensitive information.  

3) Lines of defense

Like our regulated clientele, Third Bridge maintains three lines of defense. This includes China-based staff who ensure our local, Mandarin policies fulfill both local requirements and global standards. As they may pertain to China, Third Bridge managers are required to review and approve the details and topics and questions when related to the higher-risk industries noted above.

Where a Third Bridge employee receives potentially problematic information, for example, they are equipped with language and tools to guide the specialist away from discussing such content further. Most importantly, they must also flag the concerning information, which Compliance as well as Third Bridge Operations and Editorial are able to redact prior to further dissemination. 

4) Notice provisions

Third Bridge makes a point to educate and remind its employees, specialists and clients of the new China-related guardrails through a variety of channels and throughout the lifecycle of a project. This includes acknowledgements that outline the prohibition against disclosing or discussing information relating to China’s national security and interests, non-public statistical data related to the Chinese economy or market, or any other sensitive data related to the Chinese economy or market. 

5) Audit trails

In May 2022, the US Securities and Exchange Commission emphasised a set of priorities that it expected supervised firms to adhere to, and documentation (audit trails) are critical to demonstrating compliance. Third Bridge, like its clients, adheres to these requirements. Unsurprisingly, such behaviors will also serve companies well within their operations and risk management of information related to China.  

For Third Bridge, documentation includes project pages, transcripts and other work product.  Employees have been trained to spot potentially prohibited information and “say something” if they “see something”. Managers and the Compliance team have, in turn, been provided with proper escalation methods in the event they receive such data. 

In our final installment of this three-part series, we offer examples of information that companies should largely treat as prohibited, and we conclude with compliance being at the heart of everything Third Bridge does.