Compliance Alone Won’t Help in Age of Cyber Breaches, Hong Kong FinTech Event Told

Reliance on outdated compliance processes which fail to take into account advances in technology is likely to pose significant problems for firms at a time of frequent cyber attacks, officials said. 

Many of the regulations governing today's financial markets were drafted decades ago and firms now had to cope with rapid technological change to maintain compliance, panellists told the Fintech O-2-O Global Summit held in Hong Kongon 28 September. 

"A lot of these laws and regulations were created 20 years ago in an age of filing cabinets, in the early 1990s, before we had USB sticks and machines taking to each other," said Carolyn Bigg, of counsel to law firm DLA Piper in Hong Kong. "Do not rely on the fact that you have got a bare minimum compliance programme in accordance with laws to stay ahead of [cyber] threats. It just will not be enough."

As the relationship between financial services and technology increases, so does the threat of cyber attacks such as hacking, as seen with the report that hackers had stolen information from around 500 million Yahoo email accounts in 2014.

Even where firms have strong cyber security defences, a common weakness can be the human aspect, panellists said. 

"We rely on others to safeguard us against such [cyber crime] risks, but we cannot, because we are human, so we are not dependable to some extent," said Eric Meyer, chief executive of Apvera, an insider threat intelligence platform business in Singapore

Better training and improving processes were needed but this was far from easy, Meyer said.

Clamping Down too Hard is Counterproductive

Cyber security is a multidisciplinary enterprise at modern banking and financial institutions. It involves staff from legal, compliance, information technology and security departments but requires oversight and support from boards or directors and senior managers.

Bigg said cyber security was a combination of operations, contractual obligations and legal and compliance regulatory mandates, although practical steps could be taken to make the process less complex and cumbersome.

"There is a risk of trying to shut down too much. By being too restrictive, individuals can get so frustrated that they bypass the system completely and start sending sensitive information via their Gmail accounts. That creates bigger risks than just shutting things down, so it is thinking much bigger about compliance risks as to what is more practical," she said.

Under certain circumstances, Bigg said, it was better to encrypt data rather than making computer systems and information transfer mechanisms difficult to use.

Big banks have long had security teams, policies and processes in place but the emergence of fintech has created challenges for smaller firms.

Bigg said the small- and medium-sized enterprises (SMEs) and fintech start-ups often took a different approach to cyber security from the banks which they were either competing with trying to sell to. In those scenarios, the risks centred on the data and interface of the two different-sized firms working together, she said. 

Reporting Breaches

The panellists said it was important to consider the options available after a cyber breach because many jurisdictions require such incidents to be reported soon afterwards. Under new EU data protection regulations which will become effective in 2018, for example, firms will have to report data security incidents within 72 hours.

Bigg said similar laws would emerge in the Asia-Pacific region. "It is not a case of should they report [being hacked] but more a case of when. The law is changing and other countries will soon follow suit," she said.

Andrew Wong of Astri, a Hong Kong-government-funded research and development institute, said under local law, banks had to report any such incidents to the police, but whether they needed to disclose them to the general public was "another matter".

Meyer said such disclosures were necessary and would benefit firms in their preparations to thwart future cyber attacks. "Can we do something with that data? If we can force the industry to provide this information, it will help us address the issue," he said.

Having incident response systems built into compliance programmes and testing them regularly was critical, the panellists said. These needed board and shareholder oversight so they could be escalated and rectified when problems emerged.

"When these things go wrong, it is not just the stock exchanges, but [also] financial regulators and policymakers [who] are saying this is a board-level accountability issue," Bigg said. "Shareholders will also be demanding answers if you do not handle such matters properly."

Jurisdictions: 

Ajay Shamdasani is a senior staff writer with Thomson Reuters Regulatory Intelligence in Hong Kong. He covers regulatory developments in Hong Kong, India and South Korea. He also writes about money laundering, fraud, corruption, data privacy and cybercrime.