The Board of the International Organization of Securities Commissions (IOSCO) published a report on cybersecurity issues on 6 April 2016.

The report states that cyber risk is not “just another risk,” but rather a unique, highly complex and rapidly evolving phenomenon, and suggests that this topic requires swift and sustained attention by regulators and market participants.

The report, Cyber Security in Securities Markets – An International Perspective, provides a review of the different regulatory approaches related to cybersecurity and the potential tools available to regulators to respond to cyber risk. The report also describes some of the practices adopted by market participants.

On 23 March 2016, the Securities and Futures Commission in Hong Kong (SFC) issued a circular to licensed corporations (LCs) on cybersecurity.

Cybersecurity is increasingly being viewed by the SFC as a matter of priority given the ongoing occurrences of cyber-attacks and cybersecurity incidents being reported across the financial services industry. The frequency and sophistication of cyber-attacks appear to be increasing. The SFC has recently conducted a series of reviews of the cybersecurity within selected larger sized LCs.

While the SFC’s reviews revealed that most of the larger sized LCs have prioritised resources dedicated to strengthening their cybersecurity control frameworks and to anticipating cybersecurity threats in a pro-active manner, there are still deficiencies within LCs in fully recognising that cybersecurity risks constitute genuine and significant threats to their businesses, and in addressing these threats.

LCs should recognise the importance of cybersecurity within their organisations by ensuring that:

  1. the review and assessment of their cybersecurity risks have been, or are in the process of being, comprehensively and effectively undertaken;
  2. any weaknesses identified as a consequence of such review and assessment have been, or are in the process of being, rectified; and
  3. the enhancement of their cybersecurity controls is being treated as a matter of priority.

The circular sets out key areas of concern arising out of the SFC’s reviews. LCs should pay close attention to, and recognise the importance of, these areas of concern when reviewing their cybersecurity risks and when implementing enhanced controls that are designed to counter such risks.

Key areas of concern

  1. Inadequate coverage of cybersecurity risk assessment exercises;
  2. Inadequate cybersecurity risk assessment of service providers;
  3. Insufficient cybersecurity awareness training;
  4. Inadequate cybersecurity incident management arrangements; and
  5. Inadequate data protection programs.

The circular also identifies a number of sound and effective cybersecurity controls and defensive mechanisms that have been adopted by some larger sized LCs.

The SFC intends to focus on LCs’ cybersecurity preparedness given the persistence of threats and the continuing need for LCs to improve their cybersecurity defences.

The circular reminds LCs that they are expected to take appropriate measures (including seeking advice from external contracted vendors if they do not possess such expertise and/or resources in-house) to critically review and assess the effectiveness of the cybersecurity controls they have in place.