The Hong Kong Monetary Authority (HKMA) issued a press release on 18 May 2016 on the launch of a "Cybersecurity Fortification Initiative" (CFI), which is aimed at raising the level of cyber security of banks in Hong Kong. The HKMA also released a formal circular on 24 May 2016 setting out that it is a supervisory requirement for banks to implement the CFI.
Following the announcement of this initiative, the HKMA further issued a circular on 26 May 2016 reiterating the requirement for Authorised Institutions providing Internet banking services to further strengthen their security controls, in light of recent incidents involving unauthorised share trading transactions.
This initiative follows a previous circular issued by the HKMA on 15 September 2015 where it had made clear its expectations on the board and senior management of Authorised Institutions to strengthen their oversight of cyber security controls, as summarised in our earlier bulletin dated 5 November 2015. These recent developments emphasise the need for banks to enhance their internal cyber security controls to protect against cyber-attacks and adhere to these increased regulatory obligations and expectations.
Cyber Security Fortification Initiative
The CFI is a new, comprehensive initiative which aims to raise the level of cyber security of the banks in Hong Kong through a three-pronged approach:
- Cyber Resilience Assessment Framework (CRAF) – A new risk-based framework will be imposed for banks to assess their own risk profiles and determine the level of defence and resilience required;
- Professional Development Programme – A training and certification programme will be introduced to increase the supply of qualified professionals in cyber security, which is targeted to be rolled out by the end of this year; and
- Cyber Intelligence Sharing Platform – All banks are expected to join this new platform which will allow for the sharing of cyber threat intelligence among banks in order to enhance collaboration and uplift cyber resilience. According to the HKMA, the platform will also enable banks to share intelligence without compromising proprietary information.
The Chief Executive of the HKMA, Mr Norman Chan, also announced the CFI in his keynote address on 18 May 2016 at the Cyber Security Summit 2016.
Risk assessment under CRAF
The HKMA has recognised that the risk profiles of different banks may vary and it would be difficult to apply the same framework across different business models. Depending on the technology platforms of different banks, as well as the volume and value of banking transactions conducted on their banking systems, their systems would be subject to varied risks.
Hence, the HKMA has stated that the objective of CRAF is for banks to create a common risk-based framework to assess their own risk profiles, which they can then use to determine the level of defence and resilience that would be required to ensure that there is adequate protection against cyber-attacks. In the process, they would be able to draw upon other threat intelligence, relevant international experience and good practices as well.
CRAF consists of three steps:
- Inherent risk assessment
Under this first step, banks will have to determine their risk levels, taking into account various factors including current technology systems, delivery channels, products and technology services, organisational characteristics, and past track record. Any of three types of risk ratings (High, Medium or Low) will be assigned based on the assessment.
- Maturity assessment
Based on the risk rating, the sophistication of the bank's security system will be expected to match the associated risk levels (Advanced, Intermediate, and Baseline). The maturity assessment will cover seven domains:
- Situational awareness;
- Third party risk management;
- Response and recovery;
- Detection; and
- Roadmap for improvement
Any gaps between the assigned risk level and maturity assessment would then have to be rectified, with a roadmap for improvement designed to improve the bank's cyber security system. Banks who are assigned with "medium" or "high" risk ratings will also have to perform Intelligence-led Cyber Attack Simulation Testing, a simulation testing which will feature different types of test scenarios to test people, processes and technology.
The HKMA has stated that it will require the bank, under the guidance of the senior management, and, where appropriate, the board of directors, to put into place proper governance arrangements and processes to achieve the level of resilience in its cyber security system, commensurate with its risk profile. Boards should also request that senior management periodically evaluate the adequacy of the bank's cyber security controls, having regard to emerging cyber threats, and a credible benchmark of cyber security controls endorsed by the Board.
Hence, it is important that senior management and the board take the initiative to review their existing cyber security framework and controls and ensure that any suggested improvements and framework are implemented. With regard to this, banks should note the requirements/expectations of senior management in this area set out by the Hong Kong regulators as summarised in our previous bulletins of 2 December 2014, 5 November 2015 and 5 April 2016.
It should be noted that the onus is likely to be on the bank to take appropriate measures (including seeking advice from external contracted vendors if they do not possess such expertise and/or resources in-house) to critically review and assess the effectiveness of their cyber security controls. The HKMA has stated that they would consider IT professionals certified under the Professional Development Programme to satisfy the qualified professionals requirement to conduct the risk assessment.
The HKMA stated in its press release that it will be conducting a three-month consultation with the banking industry on CRAF, and will work with other institutes and associations to roll out the Professional Development Programme and the Cyber Intelligence Sharing Platform by the end of 2016.
Internet banking services
In the 26 May 2016 circular, the HKMA stated that they had received reports from banks in April 2016 on compromised security for several customers' Internet banking accounts, where unauthorised share trading transactions were conducted over these accounts. However, there were no fund transfers to unregistered third parties. The HKMA stated that they had held a series of discussions with banks to further strengthen their security controls, particularly with regard to share trading transactions.
The HKMA stressed that it expects banks to enhance their fraud monitoring mechanisms to keep up with new and emerging threats and fraudulent schemes. The HKMA stated that banks should step up in their efforts in raising customers' awareness of the security precautions that customers should take to mitigate risks, and conduct a review of their security controls to ensure that they remain robust and adequate.
The HKMA also stated that it will consider the following measures to be useful in preventing and detecting fraud:
- 2-factor authentication to be introduced for Internet share trading transactions;
- Offering to customers a daily share limit option;
- Enforcing difficult to guess passwords;
- Requiring customers to change their banking passwords on a daily basis;
- Stepping up monitoring of unusual Internet banking access attempts and transactions; and
- Implementing a challenge-response test to counter brute-force attacks.
In making it a supervisory requirement for banks to implement the CFI, the HKMA has made clear that cyber security risk management should be an important priority of senior management, and that banks should make efforts to ensure that they review and improve their cyber security systems, including their Internet banking and virtual share trading platforms, to ensure their resilience to cyber security attacks.
Banks with subsidiaries and branches in other countries should also consider how to coordinate such efforts across different jurisdictions, so as to ensure that vulnerabilities in processes and systems are addressed in their roadmaps for improvement and meet the regulatory requirements in different countries. In Singapore for instance, although the Technology Risk Management Guidelines issued by the Monetary Authority of Singapore (MAS) are not legally binding, the MAS has indicated that the degree of observance with such guidelines will affect the risk assessment, and accordingly the supervisory strategy for financial institutions.
Similarly, the HKMA will likely expect Authorised Institutions to produce evidence on concrete progress in strengthening their cyber security controls starting from this year, and may request for specific deliverables from time to time to assess their progress in implementing CRAF.