Prepare or Beware: Strengthening Cyber Resilience in Hong Kong
What you need to know
- Cyber security is a growing legal and regulatory risk management issue for businesses. Financial institutions across various jurisdictions, including Hong Kong, have been the target of a number of recent cyber attacks.
- Hong Kong regulators are increasingly focused on cyber security, particularly in the banking sector. In May 2016, the Hong Kong Monetary Authority (HKMA) launched a new "Cybersecurity Fortification Initiative", which includes a common framework of cyber security controls across financial institutions. Once finalised, compliance with the framework will be a supervisory requirement for Authorised Institutions.
What you should do
- If they have not done so already, Authorised Institutions should conduct a comprehensive review of their current cyber security controls and maintain an audit trail of any changes made in light of the HKMA's new cyber security initiative.
- Preparation is key. Cyber security impacts on a range of areas within your business, including legal, regulatory, operational and reputational risk. Involve technical and legal expertise in the development and review of your cyber security strategy, including contingency planning, to ensure a comprehensive and co-ordinated approach in the event of a cyber attack taking place.
- Ensure engagement at all levels of your organisation on the implementation and monitoring of your cyber security strategy. This should include both the Board and senior management who, in the eyes of regulators, bear ultimate responsibility for the adequacy of systems and controls.
Increasing importance of strengthening cyber security
Statistics indicate that financial losses from cyber attacks in Hong Kong increased approximately 51 per cent to HK$1.82 billion in 2015, despite the number of computer crime cases increasing by only 1.2 per cent to 6,778 cases.[1] The use of new technology storing sensitive information has made the financial services industry a major target for cyber crime.
In the past 18 months, three significant cyber attacks have highlighted the importance of financial institutions strengthening their cyber security controls. In January 2015, cyber attackers used the inter-bank transfer SWIFT messaging system to effect transfers of US$12 million from Banco del Austro, an Ecuadorian bank, primarily into bank accounts located in Hong Kong. Proceedings instituted in early 2015 in Hong Kong to recover the funds transferred are still ongoing. Banco del Austro filed separate proceedings in the New York Federal Court in May 2016 against another intermediary, alleging a failure to notice red flags associated with the transactions. A second attack purporting to transfer more than €1 million from Tien Phong Commercial Joint Stock Bank, a Vietnamese commercial bank, was attempted and apparently prevented in December 2015.
More recently, in February 2016, the SWIFT credentials of Bangladesh Bank, the central bank of Bangladesh, were used by hackers to send instructions to transfer US$951 million from Bangladesh Bank's account with the Federal Reserve Bank of New York to accounts located in various jurisdictions. Funds totalling US$101 million were ultimately recovered from accounts in the Philippines and Sri Lanka, with remaining transactions amounting to US$850 million blocked by the Federal Reserve Bank of New York.
These attacks demonstrate not only the increasing sophistication of cyber criminals, but also the global nature of cyber security risk. There is little doubt that Hong Kong, as an international financial centre, will continue to be targeted or used as a conduit for transferring the proceeds of cyber crime.
Hong Kong regulatory framework for cyber security in the banking sector
In May 2016, the HKMA announced the development of a new Cybersecurity Fortification Initiative. In its circular, the HKMA stated that compliance with the initiative, once finalised, will become a supervisory requirement for Authorised Institutions. The initiative consists of three pillars:
(a) a Cyber Resilience Assessment Framework (Framework);
(b) a Professional Development Programme, a certification programme to increase the number of cyber security professionals in Hong Kong; and
(c) a Cyber Intelligence Sharing Platform for Authorised Institutions to share information regarding cyber security threats.
The Framework outlines a common risk-based framework for all Authorised Institutions to benchmark the adequacy of their cyber security controls. The Framework establishes an Authorised Institution's inherent risk rating ("low", "medium" or "high") based on factors including the technologies and delivery channels used by the Authorised Institution, the activities, products and services it offers, its organisational characteristics and its track record on cyber threats. Each inherent risk level is then mapped to a requisite maturity level of cyber resilience ("baseline", "intermediate" or "advanced") across seven areas: situational awareness, third party risk management, identification, detection, protection, response and recovery, and governance. To the extent that gaps exist between the inherent risk and requisite maturity levels, Authorised Institutions must produce a roadmap for improvement of their cyber security controls. The Framework was recently released to Authorised Institutions in draft format for a three month consultation. No date for implementation of the final Framework has yet been set. Once finalised, Authorised Institutions will be required to carry out their cyber resilience assessment using the Framework, unless an equally effective framework is available.
The HKMA has stated that cyber resilience assessments should be carried out by professionals certified under the Professional Development Programme or with comparable expertise. The Professional Development Programme and the Cyber Intelligence Sharing Platform are expected to be implemented by the end of 2016.
The approach taken by the HKMA in developing a cyber resilience framework that applies to all of Hong Kong's Authorised Institutions is arguably more advanced in regulating the private sector than some of those being developed elsewhere. For example, the European Network and Information Security Directive recently adopted by the European Union applies across a number of different industry sectors, but its operative requirements will only apply to financial institutions whose services are critical for societal or economic stability (e.g. stock exchanges, central payment clearing systems, etc.). While regulators in the United Kingdom and EU therefore currently have to look to more general data protection and financial services regulations to enforce minimum regulatory standards around cyber security, the HKMA will be able to rely on the initiative and Framework as supervisory obligations of Authorised Institutions in Hong Kong. Other regulators may adopt a similar approach to the HKMA in the near future.
What should financial institutions do?
Financial institutions should familiarise themselves with the draft Framework and review their existing cyber security strategy accordingly. More generally, in view of the evolving nature of cyber attacks, financial institutions should ensure that they monitor new developments and periodically test the effectiveness of their cyber security controls. The HKMA has indicated that it expects the Board to request senior management to evaluate and report on the adequacy of financial controls. Senior management should identify and inform the Board of any material gaps in cyber security and devise a concrete implementation plan, with adequate staffing and resources allocated to address the issue.
Cyber security awareness and prevention should also be a priority across all business lines among staff, contractors, other offices and service providers. Regular communication of new cyber threats and training will assist in ensuring a strong cyber security culture within your organisation.
Contingency planning must take into account the range of possible consequences of a cyber attack for your business. Financial institutions should review the adequacy of their data recovery capabilities to ensure minimal disruption to business operations. By disabling or destroying your IT networks or data, cyber attacks can impact upon your ability to fulfil contractual obligations to customers, counterparties and service providers. An audit of your key existing contractual arrangements (in particular force majeure clauses, business continuity and disaster recovery clauses and notification requirements in the event of a cyber attack) is therefore important in determining how to manage your ongoing business relationships in the event of a cyber attack. Going forward, you may wish to ensure that new contractual documentation is drafted to address cyber security risk, whether explicitly or implicitly.
Once a cyber attack has occurred, financial institutions should report the incident to law enforcement authorities and also consider any regulatory obligations to report the attack, for example, to the HKMA as the primary banking regulator in Hong Kong. Depending on the nature of the attack, be prepared for further regulatory scrutiny of the overall adequacy of your IT systems and cyber resilience. To the extent that the attack has resulted in the loss of personal data, financial institutions should notify those who are affected and consider reporting the matter to the Privacy Commissioner for Personal Data. While not a strict legal requirement, notifying the breach may limit reputational damage in the event that the cyber attack becomes public. If the financial institution is listed on the Hong Kong Stock Exchange, it may have to publicly disclose the cyber attack in an HKEx announcement (for example, as inside information), depending on the severity and consequences of the attack. Similar disclosure requirements may apply to institutions listed on other stock exchanges. You should also determine whether you need to notify other stakeholders, for example customers, service providers and contractual counterparties, and how best to do so.
Conclusion
The increasing number of cyber attacks on the banking industry has highlighted the importance of strengthening cyber security. In light of the HKMA initiative, Authorised Institutions should conduct a comprehensive review of their current cyber security controls and maintain an audit trail of any changes made accordingly. Cyber attacks can have wide-ranging legal and regulatory consequences and may also impact your business reputation and operational continuity. Preparation is therefore key. Ensure that all levels of your organisation, including the Board and senior management, are actively engaged in implementing and continuously monitoring your cyber security strategy. Any gaps in protection should be identified and steps taken to enhance security controls should be documented. Involvement of technical expertise and legal counsel at an early stage will also assist in developing an effective cyber security strategy and ensuring a comprehensive and co-ordinated response to minimise the impact of any cyber attack on your business.
[1] See "Computer Related Crime: Statistics" at http://www.infosec.gov.hk/english/crime/statistics.html (Accessed on 30 May 2016)