11 April, 2016
The Securities and Futures Commission ("SFC") in Hong Kong has recently reviewed the cyber security environment of a number of larger licensed corporations ("LCs"). The SFC shared its findings, including its concerns arising from these reviews, in a circular released on 23 March 2016.
The SFC identified the following key areas of concern that have arisen from its reviews:
- inadequate coverage of cyber security risk assessment exercises;
- inadequate cyber security risk assessment of service providers;
- insufficient cyber security awareness training;
- inadequate cyber security incident management arrangements; and
- inadequate data protection programs.
Worth highlighting in this list are the SFC's comments on the inadequacies of cyber security risk assessment of service providers and of data protection programs. LCs did not appear to have adopted a proactive approach to integrating the risks associated with a service provider's systems into their own cyber security risk management frameworks. Rather, LCs appeared to rely on attestations from the service provider and did not conduct regular cyber security audits of it. With regard to data protection, LCs lacked controls and procedures to record and curtail internal and external data flows, and data was not being categorised (and consequently not being protected) according to its particular characteristics (e.g. sensitive information, personal information, etc.). Further details of the areas of concern are set out in an appendix to the circular.
Nevertheless, the SFC noted that some LCs had in place a number of sound and effective cyber security controls and defensive mechanisms. The SFC has recommended that all LCs consider implementing similar controls, and has set out detailed recommendations in an appendix to the circular. We note that although they are described as "suggestions", the measures set out by the SFC are fairly prescriptive in nature.
The SFC has made it clear that cyber security within an LC "is increasingly being viewed … as a matter of priority given the ongoing occurrence of cyber security incidents being reported across the financial services industry". The SFC expects LCs to take appropriate measures to assess the effectiveness of their existing cyber security controls.
To view a copy of the SFC circular, please click here.
To view a copy of the Appendix detailing key areas of concerns and recommended cyber security controls, please click here.
For further information, please contact:
Kyle Wombolt, Partner, Herbert Smith Freehills
kyle.wombolt@hsf.com