Major Hong Kong Banks to Complete Cyber Defence Evaluation by Mid-2017

Around 30 banks in Hong Kong have been told by the Hong Kong Monetary Authority ("HKMA") to complete a cyber resilience assessment before the end of September next year. The HKMA said it had told all major retail banks, some selected global banks and a few smaller local banks that they would be the first to complete the C-RAF assessment, which assesses a bank's inherent risk and cyber "maturity".

The banks will take part in "phase one" of the HKMA's Cybersecurity Fortification Initiative, with the rest of local banks to follow suit at the end of 2018. The regulator said the reason for the phased approach was a concern raised by the industry during consultation that there might be a shortage of qualified assessors. 

Under the inherent risk assessment, banks would assess their cyber risk exposure based on a number of factors, such as the technologies they use to provide services, their usual service delivery channels, products and services offered, their organisational characteristics and their track record on defending against cyber attacks, the HKMA said. The result would then be mapped to the respective "required maturity level" of cyber resilience.

Under the maturity assessment banks will be required to assess and determine their "actual maturity level", which will be compared with the "required maturity level" of cyber resilience, the regulator said. Any gaps between the two will then be identified for improvement. 

The HKMA also said banks would have to complete the "iCAST" test by the end of June 2018. This test covers a bank's cyber resilience by simulating real-life cyber attacks, making use of relevant cyber intelligence. The HKMA said only banks with an inherent risk level of "medium" or "high"" are expected to conduct the test. 

The Cybersecurity Fortification Initiative was announced by the HKMA in May 2016 and consists of three pillars: the Cyber Resilience Assessment Framework ("C-RAF"), the Professional Development Programme ("PDP"), and the Cyber Intelligence Sharing Platform ("CISP").

The HKMA said the CISP was now ready for access by banks. The platform is one out of three parts of the HKMA's Cyber Fortification Initiative ("CFI"), which was announced by HKMA chief executive Norman Chan in May. 


North Asia editor for Thomson Reuters Regulatory Intelligence. He is based in Hong Kong.