The Hong Kong Monetary Authority (the HKMA) last month issued a circular on the new supervisory requirement for 'authorised institutions' (ie those banks regulated by the HKMA) to implement the Cybersecurity Fortification Initiative (CFI), an initiative to reduce the risk of cyber security attacks in the banking sector in Hong Kong.

Without a doubt, cybersecurity is an issue of vital importance to all industries, but those in regulated sectors face even greater scrutiny. Across Asia, regulatory bodies are already focusing on increasing and evolving cybersecurity risks and the trends, and are encouraging more robust approaches to cybersecurity amongst organisations. Alongside HKMA’s announcement of the CFI, the Securities and Futures Commission in Hong Kong, the Hong Kong Privacy Commissioner and the Monetary Authority of Singapore have in the last 12 - 24 months all highlighted the importance of an appropriate level of vigilance and cohesive approach to the risks inherent in cyber attacks. In particular, at the SFC Regulatory Forum in February 2016, it was discussed that the SFC will share with the financial services industry on deficiencies and goods practices on managing cybersecurity risks; and the MAS launched the Singapore Cyber Risk Management Project at the Asia Cyber Risk Summit in May.

It is within this context of Asia-wide commitment to confronting the issue of cybersecurity that the HKMA has introduced the CFI. The three-part approach to CFI consists of the following:

  • A Cyber Resilience Assessment Framework will be introduced, being the central element of the CFI, to ensure banks have comprehensive and consistent frameworks in place to combat cybersecurity. The framework will be subject to an initial three-month consultation with the banking industry.
  • A Professional Development Programme will be considered, consisting of a training and certification programme in Hong Kong designed to increase the number of qualified cybersecurity professionals. The HKMA will work with the Hong Kong Applied Science and Technology Research Institute and the Hong Kong Institute of Bankers and the programme is scheduled to launch by the end of 2016.
  • A Cyber Intelligence Sharing Platform, a platform designed to allow the banking sector to share cyber threat intelligence in order to better prepare for cyber attacks, will be developed. The HKMA will work with the Hong Kong Association of Banks and the Hong Kong Applied Science and Technology Research Institute to establish this by the end of 2016.

Authorised institutions are encouraged to pay close attention to the draft Cyber Resilience Assessment Framework and to participate in the consultation process. It is also vital that authorised institutions begin to review their corporate governance and risk response strategies as the CFI is anticipated to launch by the second half of 2017 at the latest.

As the HKMA’s Chief Executive, Norman Chan Tak-lam, commented at the Cyber Security Summit, although the sector has so far had relatively few incidents of serious cyber attacks, it is important to ‘stay ahead of the game’ in fighting cybercrime.

We will continue to monitor developments in this regard and provide our clients with updates. In the meantime, if you would like further information on cybersecurity laws in Asia Pacific or elsewhere, our data privacy and cybersecurity team would be pleased to hear from you.

In a Flash: A lesson in Cybersecurity

DLA Piper has developed a cybersecurity film, In a Flash: A lesson in cybersecurity. The film examines cyber governance, cyber-risk management, incident response, regulatory issues, managing internal investigations and the repercussions of failing to be prepared. This film allows for interactive discussions during various segments of the film with additional remarks from leading DLA Piper lawyers.

View the In a Flash: A lesson in cybersecurity trailer here.