Information Technology and Communications Hong Kong Client Alert Comprehensive Guidance on Cybersecurity Controls Issued by SFC The Securities and Futures Commission (“SFC”), Hong Kong’s securities regulator, recently released comprehensive guidance on suggested cybersecurity controls within Licensed Corporations (“LCs”). Although it only applies to LCs regulated by the SFC, it represents the most comprehensive guidance issued by a Hong Kong authority on cybersecurity, and provides useful insight on how organisations can effectively guard against cybersecurity threats. The Circular to all Licensed Corporations on Cybersecurity (“Circular”) issued on 23 March 2016, followed a review by the SFC of the effectiveness of cybersecurity controls within certain larger sized LCs in Hong Kong. While the SFC’s review revealed most LCs had proactive cybersecurity control frameworks in place, deficiencies in five key areas were identified. Five Key Areas of Concern 1. Inadequate coverage of cybersecurity risk assessment exercises: The review found that standard cybersecurity risk assessments (such as control gap analysis and benchmarking) were often conducted on Internet-facing systems and infrastructure, rather than systems and networks residing in internal environments or other non- Internet facing systems, which could still be enticing targets for cyberattacks. Further, tests were only conducted against basic types of cyberattacks, and were not frequently updated to cover the latest threats. 2. Inadequate cybersecurity risk assessment of service providers: LCs were found to heavily rely on the attestations of service providers, rather than scrutinizing the scope, approach or results of their risk assessments. They did not take a proactive approach to integrate the systems and control environments supported by service providers into the LCs cybersecurity risk management frameworks. Formal procedures/guidelines detailing the requirements of conducting risk assessments or on-site audits were missing. 3. Insufficient cybersecurity awareness training: The cybersecurity awareness training provided to employees was not updated in accordance with the latest cybersecurity related issues. April 2016 Beijing Suite 3401, China World Office 2 China World Trade Centre 1 Jianguomenwai Dajie Beijing 100004, PRC Tel: +86 10 6535 3800 Fax: +86 10 6505 2309 Hong Kong 14th Floor, Hutchison House 10 Harcourt Road Central, Hong Kong Tel: +852 2846 1888 Fax: +852 2845 0476 Shanghai Unit 1601, Jin Mao Tower 88 Century Avenue, Pudong Shanghai 200121, PRC Tel: +86 21 6105 8558 Fax: +86 21 5047 0020 2 Baker & McKenzie | April 2016 4. Inadequate cybersecurity incident management arrangements: Cybersecurity incident response plans and drills were inadequate to address the latest cybersecurity threats. Some serious yet common cyber-attack scenarios were not covered in cybersecurity incident response plans, and Hong Kong was often not included in global drills/ simulation exercises. 5. Inadequate data protection programs: Data protection programs were inadequate to address the latest cybersecurity threats. For example, some LCs did not identify data flows, tailor processes and technologies to avoid data leakage or implement appropriate responses based on the sensitivity of data. Eight Suggested Cybersecurity Controls Following the review, the SFC identified eight areas where LCs could improve and update their cybersecurity controls. 1. Establish a strong governance framework to supervise cybersecurity management, including by ensuring cybersecurity is regularly covered in senior management meetings and all staff are regularly trained in the latest threats. 2. Implement a formalized cybersecurity management process for service providers, with cybersecurity requirements incorporated into agreements and require regular cybersecurity risk assessments. 3. Enhance security architecture to guard against advanced cyber-attacks, with respect to processes, networks and operating systems. Cybersecurity should be considered early in the software development cycle. Multi-tiered network defences and multi-layered security should be implemented, with security zones considered within networks. Privileged user access and additional safeguards to prevent execution of unauthorized applications should also be considered. 4. Formulate information protection programs to ensure sensitive information flow is protected, including (a) recertification to be performed periodically on removable media access (b) implementing mobile secure containers in staff mobile devices; and (c) enforcing data wipe functions to remove firm applications and information where loss of a mobile device is reported. 5. Strengthen threat, intelligence and vulnerability management to pro-actively identify and remediate cybersecurity vulnerabilities, including both for internet facing and internal systems. April 2016 | Baker & McKenzie 3 www.bakermckenzie.com Should you wish to obtain further information or want to discuss any issues raised in this alert with us, please contact: Susan Kendall +852 2846 2411 email@example.com Nancy Leigh +852 2846 1787 firstname.lastname@example.org Karen Man +852 2846 1004 email@example.com Paolo Sbuttoni +852 2846 1521 firstname.lastname@example.org 6. Enhance incident and crisis management procedures with more details of latest cyber-attack scenarios. 7. Establish adequate backup arrangements and a written contingency plan with the incorporation of the latest cybersecurity landscape, and such plans should be periodically tested. All backup tapes to be encrypted and physically protected. 8. Reinforce user access controls to ensure access to information is only granted to users on a need-to-know basis. Ensure secure remote access from external networks. Next steps The SFC urged LCs to recognize the importance of cybersecurity within their organisations. In view of their findings and suggestions, they recommended LCs ensure that: • Cybersecurity risks are comprehensively and effectively reviewed and assessed. • Any weaknesses identified are rectified. • The enhancement of cybersecurity controls are treated as a matter of priority within the organization. The Circular only applies to LCs and does not apply to other organizations. Nevertheless, if your company holds sensitive data or is in an industry vulnerable to cyberattacks, the Circular is a useful guide representing the best standard with respect to protecting data from cybersecurity incidents in Hong Kong. This publication has been prepared for clients and professional associates of Baker & McKenzie. Whilst every effort has been made to ensure accuracy, this publication is not an exhaustive analysis of the area of law discussed. Baker & McKenzie cannot accept responsibility for any loss incurred by any person acting or refraining from action as a result of the material in this publication. If you require any advice concerning individual problems or other expert assistance, we recommend that you consult a competent professional adviser. Unsubscribe To unsubscribe from our mailing list or to change your communication preferences, please contact email@example.com. © 2016 Baker & McKenzie. All rights reserved. Baker & McKenzie International is a Swiss Verein with member law firms around the world. In accordance with the common terminology used in professional service organizations, reference to a “partner” means a person who is a partner, or equivalent, in such a law firm. Similarly, reference to an “office” means an office of any such law firm. This may qualify as “Attorney Advertising” requiring notice in some jurisdictions. Prior results do not guarantee a similar outcome.