14 June, 2019
On 24 May 2019, the Hong Kong Monetary Authority (HKMA) issued an alert regarding eight cyber security incidents involving a total sum of HK$70,000 (Alert). Based on our previous experience in advising clients on similar cyber security incidents, one usual practice of cyber criminals is to launch trial attacks, or diversionary attacks, before they embark on the more significant one. The Alert is a timely reminder to banks and the public to stay vigilant, and to not assume that lightning cannot strike twice. This bulletin will discuss our observations on these incidents.
Introduction
From the Alert, three banks reported eight cases of unauthorised payment transactions of a total of HK$70,000 over a period of three weeks. It is suspected that the cyber criminals have stolen the customers’ internet banking login passwords to perform the transactions. Upon the initiation of the payment transactions by the criminals, the relevant banks sent notifications to customers as required by the HKMA’s regulations. After receiving the notifications, the customers contacted their bank to report suspected unauthorized access. The affected banks and customers have reported the cases to the Police. Some of the customers have already been compensated by the relevant banks while others’ cases were still being processed.
We will discuss below three observations:
- banks’ reporting obligations;
- two factor authentication (2FA – for details see here); and
- customer compensation.
Banks’ Reporting Obligations
It appears from the Alert that the HKMA was made aware of the incidents as a result of reports filed by the relevant banks. In this respect, banks are reminded of their obligations to report all significant operational incidents to the HKMA in a timely manner using the HKMA’s prescribed form. It is important to note that the HKMA expects a “same-day report” to be filed, and therefore a reportable cyber incident should be reported within the same day on which the bank discovers the incident.
In the present case, the relevant banks were under an obligation to file reports to the HKMA on the day they received the notification from the customer about the suspected unauthorized payment transactions.
The Alert did not mention whether the relevant banks had reported the incidents to any other authorities. However, banks should always consider making a report to the Privacy Commissioner for Personal Data (PCPD) in similar situations. While it is not a statutory requirement for banks (as data users) to inform the PCPD about a data breach incident[1] concerning personal data held by them, banks are nevertheless advised by the authorities to do so as a recommended practice for the proper handling of such incidents. For more details, please see the Guidance Note issued by the PCPD.
Two Factor Authentication
The Alert does not provide details of the security technology used by the relevant banks, but it is telling that the cyber criminals were able to circumvent the security systems of three different banks and successfully complete the relevant transactions. However, the HKMA announced on 14 June 2018 that the maximum transaction limit for small-value payments conducted via internet banking without 2FA would be raised to HK$10,000 per day per account. As a result, 2FA may not have been utilized in the circumstances of these transactions, although some banks may still have applied alternative security controls to such transactions.
It is important for banks to keep up to date with the latest cyber threats and adjust their security posture accordingly. Technology which was once considered to be the industry standard and secure may now become outdated and vulnerable.
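The small-value exemption described above is a step-up authentication policy: transfers under a daily per-account cap may proceed on password alone, and anything beyond it requires a second factor. The following Python sketch is an added illustration written for this bulletin, not the control of any bank named in the Alert; it assumes the HK$10,000 per day per account figure quoted above, a constructed `Account` record, and a hypothetical `authorise_transfer` decision function. The point it makes is that the cap must be applied to the cumulative daily total for the account, not to each transaction in isolation, and that a customer notification accompanies every approved transaction, as the Alert says the banks’ notifications did.

```python
from dataclasses import dataclass, field
from decimal import Decimal

# Policy value taken from the bulletin: small-value internet banking payments
# without 2FA are capped at HK$10,000 per day per account. The rest of this
# file is a constructed illustration, not any bank's actual control logic.
DAILY_NO_2FA_LIMIT = Decimal("10000")


@dataclass
class Account:
    """Constructed account record: tracks the amount already sent today
    without a second factor, keyed by ISO date string."""
    account_id: str
    sent_without_2fa: dict = field(default_factory=dict)


@dataclass
class Decision:
    allowed: bool          # may the transfer proceed?
    requires_2fa: bool     # did the policy demand a second factor?
    notify_customer: bool  # a notification is sent for every approved payment
    reason: str


def authorise_transfer(account: Account, amount, on_date: str,
                       second_factor_verified: bool) -> Decision:
    """Hypothetical step-up decision applying the cumulative daily cap.

    The cap is evaluated against what the account has already sent today
    without 2FA plus the new amount, so several small transfers cannot
    together exceed the limit while each stays below it.
    """
    if amount <= 0:
        return Decision(False, False, False, "amount must be positive")

    used_today = account.sent_without_2fa.get(on_date, Decimal("0"))

    if used_today + amount > DAILY_NO_2FA_LIMIT:
        if not second_factor_verified:
            # Reject and tell the caller to step up; nothing is recorded.
            return Decision(False, True, False,
                            "daily small-value limit exceeded; 2FA required")
        # Approved with a second factor; it does not consume the no-2FA allowance.
        return Decision(True, True, True, "approved with 2FA")

    # Within the small-value allowance: record it so later transfers count it.
    account.sent_without_2fa[on_date] = used_today + amount
    return Decision(True, False, True, "approved within small-value limit")


if __name__ == "__main__":
    acct = Account("DEMO-001")  # constructed sample account
    for amt, date, otp in [(6000, "2019-05-01", False),
                           (5000, "2019-05-01", False),
                           (5000, "2019-05-01", True),
                           (9000, "2019-05-02", False)]:
        print(amt, date, authorise_transfer(acct, amt, date, otp))
```

Running the script shows the second HK$5,000 transfer refused on password alone, because the account has already sent HK$6,000 that day, and then approved once a second factor is presented; the allowance resets on the next day. A per-transaction check would have let both HK$5,000 transfers through without 2FA.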
Customer Compensation
The Alert mentioned that some of the customers have already been compensated by the relevant banks. By compensation, we believe it means that the relevant banks have made a refund to the relevant customers by restoring their accounts to the position before the unauthorised payment transactions.
Such refunds were made in accordance with the Code of Banking Practice (CBP) jointly issued by the Hong Kong Association of Banks and the DTC Association. The CBP provides that a customer should not be held responsible for any direct loss suffered by him or her as a result of unauthorised e-banking transactions unless he or she acts fraudulently or with gross negligence.
As mentioned above, the cyber criminals were suspected to have stolen the customers’ internet banking login password and as a result successfully gained access to the customers’ bank accounts and carried out the unauthorised transfers. It is unclear from the Alert how the banks could satisfy themselves within such a short period of time that the customers did not act fraudulently or with gross negligence. In particular, the CBP expressly provides that the following conduct may amount to gross negligence on the part of the customers:
- failure to take reasonable steps to keep any device or secret code used for accessing e-banking services secure and secret (paragraphs 46.1 and 48.2, CBP)
- failure to safeguard properly his device(s) or secret code(s) for accessing the e-banking service (paragraph 48.1, CBP)
Having said the above, it is appreciated that banks may make a commercial decision to refund the affected customers, particularly when the amount involved is relatively small. However, it is important to also appreciate that such decisions may become precedents that return to prejudice the bank’s position in the future.
Conclusions
In a speech given on 24 January 2019, Mr Arthur Yuen, Deputy Chief Executive of the HKMA, mentioned that there was a growing level of cyber risk and that one of the key work priorities of the HKMA for 2019 is cyber resilience and recovery.
Apart from the issues outlined above, the incidents referred to in the Alert serve as a good reminder for banks to review their existing cyber resilience and recovery plans. It would be unwise for senior management of banks to regard this as an IT issue only and simply pass the Alert to the banks’ IT Department to handle.
To properly address all issues arising from a cyber security incident, banks should engage external legal counsel who have experience in assisting banks to handle actual cyber attacks, especially those counsel with jurisdictional presences that match the banks’. Cyber attacks experienced in one location are likely to be felt in others, and each regulator requires a slightly different approach.
Overall, apart from staying vigilant, it is very important that banks be diligent and systematic in approaching and handling a cyber security incident.
John Siu, Partner, Eversheds Sutherland
johnsiu@eversheds-sutherland.com
[1] A data breach is defined as a suspected breach of data security of personal data held by a data user, by exposing the data to the risk of unauthorized or accidental access, processing, erasure, loss or use.