Hong Kong Regulators Aim to Boost Cybersecurity Defences

Hong Kong's banking regulator has launched a new cybersecurity initiative to improve defences at financial institutions in the territory, and will notify all banks next week that it will be considered a supervisory requirement to implement the initiative. Norman Chan, the chief executive of the Hong Kong Monetary Authority ("HKMA"), said the initiative was crucial to ensure Hong Kong remained a key international financial centre. 

Under the HKMA's Cybersecurity Fortification Initiative ("CFI"), the regulator will set up a Cyber Resilience Assessment Framework, a professional development programme to improve the talent pool, and a Cyber Intelligence Sharing Platform where banks and regulators can share details of cyber security attacks. 

Chan said the HKMA would start by issuing a formal circular next week to notify banks that it is a supervisory requirement to implement the initiative. This will be followed by a three-month consultation with the banking industry on the HKMA's proposals for the Cyber Resilience Assessment Framework. 

"What the Cyber Resilience Assessment Framework seeks to establish is a common risk-based framework for banks to assess their own risk profiles and then use these profiles to determine the level of defence and resilience that would be required to accord appropriate protection against cyber attacks, drawing references to the relevant international experiences and good practices," Chan said at a cyber security summit in Hong Kong this week. 

Once the risk profile of a bank is established, the HKMA will require the bank's senior management to put in place governance arrangements and processes to achieve the required level of cyber resilience, Chan said. 

"Specifically, the HKMA will examine how effectively a bank can detect and protect itself from attacks and, when the bank gets hit, how it will respond and how quickly it can recover," he said. "Clearly if there is a shortfall between what is needed and the actual preparedness, the HKMA will follow up with the bank to bring up the level of resilience as soon as practicable." 

The HKMA would also work with industry associations to develop a training and certification programme to increase the supply of qualified professionals in cybersecurity, he said. 

In collaboration with the Hong Kong Institute of Bankers ("HKIB") and the Hong Kong Applied Science and Technology Research Institute ("ASTRI"), a new training and certification programme in cybersecurity would be launched, he said, adding that the first training courses for cybersecurity practitioners should be ready by the end of the year. 

HKIB and ASTRI will also be involved in setting up the Cyber Intelligence Sharing Platform by the end of the year, Chan said. 

"Arrangements will be put in place to ensure that the platform will gather useful and relevant intelligence, including those communicated in the Chinese language," he said. "The platform would also ensure that users would feel comfortable with providing intelligence on cyber attacks without compromising proprietary information. Needless to say, access to the platform will be through secure channels with robust encryption and on a need-to-know basis."

While banks in Hong Kong have so far seen few serious cyberattacks, it was important to not be complacent given HongKong’s role as a preferred financial hub in Asia, Chan said. 

Earlier this year, the Securities and Futures Commission ("SFC") found a number of deficiencies after reviewing the cybersecurity at financial institutions in the territory, including inadequate cybersecurity risk assessment exercises, risk assessment of service providers, training, incident management arrangements and data protection programmes.

The securities regulator said financial institutions were expected to take appropriate measures to critically review and assess the effectiveness of their cybersecurity controls, and set out a number of suggested controls in a circular to the industry.

Jurisdictions: 

North Asia editor for Thomson Reuters Regulatory Intelligence. He is based in Hong Kong.