Firms Should Always Assume They Have Been Hacked, HK Police Says

Firms should always assume that they have been the victims of cyber crime and that their systems have been hacked, a Hong Kong police official said. Dicky Wong, a Royal Hong Kong Police Force official, said cloud-based solutions were susceptible to cyber attacks and posed additional security concerns for businesses.

Speaking as a panelist at the Thomson Reuters Pan Asian Regulatory Summit on Wednesday, 9 November, Wong said that if companies did not know where their cloud was, they could not secure the data they were placing on it. 

"I am not a big fan of the cloud," he said. "The cloud is user-friendly, but where is it?"

Wong acknowledged that budgets were tight and that resources needed to be deployed sensibly and strategically for cyber security.

His co-panelist, Jeremy Pizzala, an EY financial services cyber security partner in Hong Kong, said firms should focus on protecting their most important assets. 

"Do not try and control, manage and protect everything," he said. "Take a crown jeweled view of what your key assets are. Is it your inter-bank settlement processes, or your SWIFT network or your customer data? Focus from that 'crown jewel', key assets point of view as a starting point."

Pizzala said that recent moves by insurance companies into digital business and their greater adoption of technological solutions had exposed some laxity, with some firms disregarding cyber security issues. 

"We strongly encourage all organisations … to be very concerned with cyber security issues and bake them into the plans early and upfront," he said. "Once you set up digital channels, it is tougher to go back and set up the controls you need to manage and protect data, and access it."

The ethereal nature of the cloud and the risk it poses for cyber crime is made worse by the multiple entities that businesses have to deal with and share their data with in Asia, the panelists said.

"Asia is highly disintermediated. The insurance market is a great example," said Leesa Soulodre, chief reputation risk officer at the RL Expert Group. "You have your own directly owned entities, your joint ventures ("JV"), your agents, brokers and licensees. How do you control the data that is stored across that network and protect your organisation?" 

Soulodre said that, ultimately, people and not technology were the financial sector's weakest link.

"From a compliance perspective, corporates are mandating [cyber security] compliance because they do not want to open themselves up to risk. Big corporations are exposed to more risks and regulations. Yet, those down the food chain must also comply," she said.

She said institutions should consider a number of issues before devising and implementing cybersecurity strategies and policies, including: "Is what we are about to do legal, ethical and acceptable? Is it defendable and is it sensible? And after I take that decision, does it change who I am and does that change who this organisation is?"


Ajay Shamdasani is a senior staff writer with Thomson Reuters Regulatory Intelligence in Hong Kong. He covers regulatory developments in Hong Kong, India and South Korea. He also writes about money laundering, fraud, corruption, data privacy and cybercrime.