China State Hacking Risks & Measures

UPDATED 24-03-28: To reflect a) the impending date of the policy change next week, and b) reported UK/US sanctions. Originally published 24-01-25.

In response to increased alleged hacking attempts by alleged state actors based allegedly in and around the PRC, we have taken the steps below to counteract what the UK and US governments regard as a serious and pervasive cyber threat.

Whilst the threat at this stage is officially reported as directed at democratic institutions, we can confirm that we have a reasonable level of confidence that these attacks extend to UK businesses.

So, from April 1st 2024 “Enhanced Measures” will apply as follows:

1. All email data will be encrypted with private keys communicated via a separate known tokenised method. Open email has never been our preferred method of sensitive communication, but its use will cease.

2. No confidential or user data will be sent in plain email wrappers. There will be no exceptions to this.

3. All email to and from a source traced to China will be stripped of content and blocked.

4. TikTok is prohibited on company devices, or devices that access company or client data. TikTok is a Chinese company that currently is mandated to cooperate with Chinese intelligence services.

5. As Article 7 obligates Chinese individuals, organisations, and institutions to support national intelligence work and Article 14 gives the Chinese intelligence agencies the authority to enforce such cooperation, we will not engage in commercial activity with any person or organisation operating in or under the auspices of the PRC.

6. We will not act as a data processor nor agent of a data processor for any organisation based in or operating out of the PRC or its jurisdiction.

7. Furthermore, to preempt what are, in our opinion, likely changes to UK legislation regarding how UK businesses and persons deal with any funds or economic resources owned, held or controlled by persons or companies linked with the PRC, we will not transact any business with those entities.

This is an extension of our 2022 corporate policy first applied to the sovereign state of Russia and companies operating under the influence of that state.

For the avoidance of doubt, where there is a suspicion of involvement by a hostile state, we will not engage in commercial activity of any kind.