China's Draft Cybersecurity Rules Pose Risks For Financial Firms

 

China has recently put forward a new cybersecurity proposal for financial firms that, the cyber researchers’ group noted, could create risks to the operations of western organizations by, among other things, making their sensitive and important data vulnerable to hacking.

This latest regulatory proposal comes at a time when a number of western investment banks and asset managers are expanding their business in China, either by setting up wholly-owned firms or by taking a bigger share in existing joint ventures. 

Following the new policy, on April 29, the China Securities Regulatory Commission (CSRC) released the draft Administrative Measures for the Management of Network Security in the Securities and Futures Industry and opened a month-long public consultation on the proposals.

According to the draft rules, it will become mandatory for investment banks, asset managers, and futures companies willing to invest in China to share data with the CSRC, allow regulator-led testing, and help set up a centralized data backup center.

The draft also states that the CSRC could conduct penetration testing (a simulated cyber attack against the operational system) and system scanning on securities, futures, and fund firms.

"The real risks to firms due to the potentially disruptive nature of penetration testing and the sensitivity of testing results. Testing systems and applications without operational context could create significant disruption to firm operations," ASIFMA noted.

The institution has laid out a number of reasons for sharing data with the center, but the cyber researchers’ group is concerned that passing on sensitive data will make companies in the sector more vulnerable to "hackers and other bad actors".

Moreover, a number of international banks and asset managers are not backing the plan or the setting up of a centralized data backup center.

"This not only poses huge risks to all core institutions and operating institutions on an individual basis but also brings significant systemic risks for the sector in China and globally given the inter-connectedness of the global financial sector if the data is compromised or leaked," the ASIFMA letter said. 

However, the government has not yet set any timeline for the final issuance of the rules or for their implementation.