China's National Financial Regulatory Administration has released draft measures for public consultation that would set a dedicated cybersecurity management framework for banking institutions, insurance institutions and financial holding companies. The draft is intended to strengthen supervisory oversight of cybersecurity and critical information infrastructure in these sectors and is designed to dovetail with the broader draft financial industry cybersecurity management rules published for consultation on July 3. The draft contains eight chapters and 72 articles covering cybersecurity governance, cybersecurity development and operational management, cybersecurity risk monitoring, incident response and handling, critical information infrastructure management, and supervision. It is framed as an implementation measure for existing higher-level laws and regulations, including the Cybersecurity Law, Data Security Law, Personal Information Protection Law and rules on the protection of critical information infrastructure. It also incorporates supervisory practice from recent years and reflects sector-specific features by emphasizing group-wide unified management, coordination between technology and business functions, and joint governance across the three lines of defense. The framework applies a graded and classified approach, with stricter requirements for critical information infrastructure management. The National Financial Regulatory Administration said it will review feedback, further revise the draft and issue the measures in due course.