Cybersecurity In Hong Kong - SFC’s Concerns And Recommended Controls And HKMA’S Cyber Security Programme.

6 April, 2016

The Securities and Futures Commission (SFC) issued a circular on 23 March 2016 (Circular) to all licensed corporations (LCs) following its recent review of cybersecurity within selected larger LCs. The Circular sets out the SFC’s key areas of concern and recommended cybersecurity controls which the LCs are expected to follow. Separately the Chief Executive of the Hong Kong Monetary Authority (HKMA) also recently announced the establishment of the Cyber Security Programme for the banking industry following the establishment of its Fintech Facilitation Office. These recent developments highlight the Hong Kong regulators’ collective focus on cybersecurity.

SFC’s key areas of concerns

Whilst the SFC found that most of the LCs under review have prioritised resources for maintaining cybersecurity controls, it identified the following key areas of concern:

Inadequate coverage of cybersecurity risk assessment exercises (eg, cybersecurity risk assessments do not cover the latest cybersecurity threat landscape);

Inadequate cybersecurity risk assessment of service providers (eg, lack of formal procedures or guidelines detailing requirements of conducting cybersecurity risk assessment or on-site audits on service providers);

Insufficient cybersecurity awareness training (eg, the content of the training is not updated with the latest cybersecurity related issues);

Inadequate cybersecurity incident management arrangements (eg, performing drills or simulation exercises on a global level without involving the local LCs in Hong Kong); and

Inadequate data protection programs (eg, failing to address the latest cybersecurity threat landscape).

Further details on the above areas of concern are set out in the Appendix to the Circular. LCs should take heed of these areas when reviewing their cybersecurity risks and implementing enhanced controls that are designed to counter such risks.

SFC’s suggested cybersecurity controls

Based on the key areas of concern identified and with reference to the sound and effective cybersecurity controls adopted by some larger sized LCs, the SFC sets out a detailed list of “suggested cybersecurity controls” which LCs should carefully consider. We have summarised below the most important “suggested cybersecurity controls” grouped under the following eight categories. For further details, please refer to the Appendix to the Circular.

Category		Key suggested cybersecurity controls
1.	Establish a strong governance framework to supervise cybersecurity management	Cybersecurity topics should be included as a regular agenda item in senior management level meetings to set the direction and cybersecurity strategy. Cybersecurity awareness training should be regularly provided to all staff and service providers (if applicable) followed by assessments.
2.	Implement a formalised cybersecurity management process for service providers	Cybersecurity risk management for service providers should be formalised and integrated into the LCs’ cybersecurity control frameworks. Incorporate cybersecurity requirements in agreements with service providers and perform on-going cybersecurity risk assessments / on-site audits when necessary.
3.	Enhance security architecture to guard against advanced cyber-attacks	Cybersecurity should be considered in the software development life cycle to allow early identification and remediation of security vulnerabilities prior to the launch of software (eg, involve security specialists at the beginning of the planning stage). Multi-tier network defences and multi-layered security should be implemented to enforce on-going monitoring and timely detection of abnormal system/network activities and user behaviour. Consider implementing additional safeguards (eg, application whitelisting) to prevent unauthorised applications being executed on users’ computers.
4.	Formulate information protection programs to ensure sensitive information flow is protected	Data protection programs should be established to ensure data flow of sensitive information has been defined, identified, documented and protected. Tailor solutions and underlying parameters to detect malicious activities by behavioural monitoring and by considering different types of cyber-attacks and applicable regulatory requirements.
5.	Strengthen threat, intelligence and vulnerability management to pro-actively identify and remediate cybersecurity vulnerabilities	Management should (i) supervise implementation of improvement initiatives when deficiencies are identified during cybersecurity risk assessment and (ii) make enquiries where there is any delayed implementation of improvement initiatives or prolonged period of implementation timelines. Simulate real-life cyber-attack scenarios and carry out the latest trends of cyber-attacks to validate effectiveness of cyber-attacks defence mechanisms.
6.	Enhance incident and crisis management procedures with more details of latest cyber-attack scenarios	Incident response plan and crisis management procedures should include cyber-attack scenarios which might seriously affect the business operations of LCs (eg, data loss) and be tested by regular drills.
7.	Establish adequate backup arrangements and a written contingency plan with the incorporation of the latest cybersecurity landscape	Establish and regularly review and update a written contingency plan to ensure latest cyber-attack scenarios are incorporated. Contingency plan with emergencies and disruptions related to cyber-attacks should be periodically tested with local stakeholders’ involvement. All backup tapes should be encrypted and protected physically.
8.	Reinforce user access controls to ensure access to information is only granted to users on a need-to-know basis	User access controls should be enforced to ensure user access rights are granted on a need-to-know basis with segregation of incompatible duties in place.

The SFC expects LCs to take appropriate measures (including seeking advice from external contracted vendors if they do not possess such expertise and/or resources in-house) to critically review and assess the effectiveness of their cybersecurity controls.

HKMA’s Cyber Security Programme

The Chief Executive of the HKMA announced in a public speech (in Chinese only) the establishment of its new Fintech Facilitation Office (FFO) on 21 March 2016. An English article by the HKMA based on the speech is available here. Given that one of the functions of the FFO is to promote research in Fintech solutions (with cybersecurity being of one of their two key topics for research), the HKMA is developing a Cyber Security Programme for the banking industry which shall include:

developing an assessment framework and model in respect of banks’ ability to address cybersecurity risks;
developing a training and certification programme for professional recognition of cybersecurity practitioners;
co-operating with the banking industry to establish a new platform for sharing of cybersecurity intelligence.
Details about the work progress of the FFO (which is expected to include the Cyber Security Programme) will be provided at the Cyber Security Framework Symposium in Hong Kong in mid-May.

Conclusions

Cybersecurity has been increasingly viewed by Hong Kong regulators as a matter of priority, in light of the ongoing occurrence of cybersecurity incidents across the financial services industry. Given the SFC’s specific focus on LCs’ “cybersecurity preparedness”, it is important for LCs to properly review their existing cybersecurity framework and controls to ensure that they have adopted the cybersecurity controls or practices recommended/required by the regulators.

In managing cybersecurity risks, senior management are reminded to take the specific steps outlined above (eg, cybersecurity topics should be regularly deliberated or reviewed at senior management meetings) and make sure that their actions are properly documented.

For further information, please contact:

Will Hallatt, Partner, Herbert Smith Freehills

will.hallatt@hsf.com

Cybersecurity In Hong Kong – SFC’s Concerns And Recommended Controls And HKMA’S Cyber Security Programme.

Malaysia – General Average And Salvage.

- Philip Teoh - Azmi & Associates, Azmi & Associates

Role Of Technology In Legal Service Delivery.

Process Optimisation In Legal Teams: Improving Workflow Efficiency.

Mastering Legal Contracts: Key Contract Law Terms And Agreements Explained.

UK – ONS Publishes Annual Gender Pay Gap Data For 2024.

Chambers Insolvency Guide 2024 On Macau SAR.

- Pedro Cortés - Lektou,

Quick Guide: IP Protection For Personalised Medicine.

Significant GDPR Enforcement In Ireland.

US – Six Years In The Making, DoD Releases Proposed Rule Requiring Disclosure Of Foreign Review Of Code For It, Cybersecurity, Critical Infrastructure, And Weapons System Products And Services.

US – SEC ESG Enforcement Is Still Alive.

CONVENTUS LAW

OTHERS

Cybersecurity In Hong Kong – SFC’s Concerns And Recommended Controls And HKMA’S Cyber Security Programme.

Register for your monthly Asia legal updates from Conventus Law

- Manisha Singh - Lex Orbis,

Footer

CONVENTUS LAW

OTHERS