Following the Securities and Futures Commission circular on Internet Trading – Information Security Management and System Adequacy on 26 November 2014, the Hong Kong Monetary Authority (HKMA) issued a circular to authorised institutions (AI) on 15 September 2015 (Circular) to highlight the management of cyber security risk. The HKMA notes that a one-size-fits-all approach to risk management may not be sufficient to deal with all types of cyber risks, and that certain conventional risk management philosophies and controls practised by AI may need to be adjusted or enhanced to address these risks.

Cyber security risk has been in the spotlight for a number of financial services regulators across the globe as an area of heightened risk, given the number of high profile attacks in the region and across the globe on financial institutions.

In particular, the board and senior management are expected to play a proactive role in ensuring effective cyber security risk management by covering at least the following areas:

Risk ownership and management accountability

AI should establish clear ownership and management accountability of risks (and related risk management measures) associated with cyber security breaches. There should be in place effective risk management entailing cooperation and strong security awareness and culture amongst all users.

Periodic evaluations and monitoring of cyber security controls

The board should request senior management to evaluate periodically the adequacy of the AI’s cybersecurity controls against emerging cyber threats and a credible benchmark endorsed by the board. If any material gaps are identified, the board should ensure that senior management properly justifies and documents any acceptance of risks arising from the gaps. Senior management should establish an implementation plan to enhance the AI’s cyber security controls if any risks are not accepted by the board or senior management. Senior management should also provide periodic reports to the board so as to allow the board to monitor the overall situation and identify any significant risks.

Industry collaboration and contingency planning

Senior management should explore appropriate opportunities to collaborate with other financial institutions and/or the police by sharing and gathering cyber threat intelligence. The AI’s incident response mechanism and business continuity plan should also be enhanced and regularly tested so that the senior management is capable of dealing with cyber security breaches and appropriately communicating with customers and relevant stakeholders.

Regular independent assessment and tests

AI should have sufficient cyber security expertise and resources within the relevant responsible functions in the AI to exercise effective checks and balances against evaluations and monitoring of cyber security controls carried out by the senior management and contingency planning efforts. Such checks and balances should entail regular independent assessment and penetration tests.

The board and senior management are expected to strengthen their oversight in the areas where there are weaknesses to demonstrate progress, including evaluating the AI’s cyber security controls against a benchmark, so that progress is documented in remaining board meetings this year or early next year. The HKMA may require an AI to produce specific deliverables to show progress. The HKMA has provided guidelines in the annex to the Circular on what AI should consider when determining the benchmark. AI should consider guidelines or guidance issued by HKMA or the banking industry associations, international standards or sound practices, relevant policies adopted by the banking group as a whole, and specific cyber-related risks relevant to the business and operations of the AI. The annex also includes a recommended list of international standards and examples that AI may wish to refer to for their own needs. The controls should include those that are preventive or detective in nature, as well as those that deal with contingency scenarios. Some examples of such controls are included in the Circular.

On 2 September 2015, the HKMA issued a revised module to its Supervisory Policy Manual - TM-E-1 “Risk Management of E-banking” (TM-E-1) - which in particular refers to the need for formal incident response and timely reporting, as well as adequate controls to promptly detect and respond to threats from cyber-attacks that might disrupt e-banking.

This latest Circular and the tenor of the revised TM-E-1 demonstrate the importance the HKMA is placing on the effective and proactive management of cyber security risk. Co-operation with other financial institutions in this space is not a new concept, and given the speed at which hackers operate, the sophistication of the technology, and the fact that a cyber security incident may not be detected for some time, these guidelines provide a clear indication from the HKMA of how important it is that this risk is treated appropriately.