In a circular issued by the Hong Kong Monetary Authority (HKMA) on 15 September 2015 entitled “Cyber Security Risk Management” (Circular), the regulator has made clear its expectation that the board and senior management of Authorized Institutions (AIs) strengthen their oversight of AIs’ cyber security controls. HKMA expects the remaining meetings of the boards of AIs this year and next year to evidence “concrete progress” on this front. HKMA will require AIs to submit specific deliverables so that it can assess the output or progress of the work done in this regard.

The board and senior management of AIs have responsibility for protecting sensitive information of customers and are expected to play a proactive role in ensuring effective cyber security risk management that covers at least the four main areas set out in the Circular. HKMA does not prescribe a specific international standard or sound practice document as a benchmark for evaluating AIs’ cyber security controls, but lists six international benchmarks in the annex to the Circular that AIs may consider adopting. A copy of the Circular can be accessed here.


HKMA believes AIs should already have in place controls and processes to manage technology risks in general, but cyber security risk management still warrants AIs’ special attention. Cyber security refers to the ability to protect or defend against cyber attacks. Cyber attacks are attacks that target an institution’s IT systems and networks with the aim of disrupting, disabling, destroying or maliciously controlling an IT system or network, destroying the integrity of the institution’s data, or stealing information from it.

HKMA is of the view that conventional risk management philosophies and controls currently practiced by AIs might need to be adjusted or enhanced to address these risks. As a result, the Circular sets out four main areas that the board and senior management of AIs are expected to ensure are effectively managed.

(i) Risk ownership and management accountability

HKMA noted that users are usually the weakest link in cyber security controls and the initial targets of cyber attacks. Therefore, effective cyber security risk management should entail cooperation and strong security awareness and culture across a full spectrum of relevant users. This is particularly so when certain cyber security controls could result in inconvenience to the management or users.

(ii) Periodic evaluations and monitoring of cyber security controls

Boards of AIs should request that senior management periodically evaluate the adequacy of the AI’s cyber security controls, having regard to (a) emerging cyber threats, and (b) a credible benchmark of cyber security controls endorsed by the board. The Circular sets out in an annex a few benchmarks that AIs may consider adopting, which are:

  • Control Objectives for Information and Related Technology (COBIT)
  • SANS Top 20 Critical Security Controls (CSC)
  • Information Security Forum – Standard of Good Practice for Information Security
  • ISO/IEC 27001, Information technology – Security techniques – Information security management systems – Requirements
  • ISO/IEC 27002, Information technology – Security techniques – Code of practice for information security controls
  • ISO/IEC 27035, Information technology – Security techniques – Information security incident management

(iii) Industry collaboration and contingency planning

AIs are expected to explore opportunities to collaborate with other institutions and/or the Police in both sharing and gathering cyber threat intelligence in a timely manner. Senior management is expected to designate relevant function(s) of the AI to undertake this task. To this end, the Police established the Cyber Security and Technology Crime Bureau on 1 January 2015 to look after cyber security in Hong Kong, and a Cyber Security Centre was set up to enhance protection of critical infrastructures and strengthen resilience against cyber attacks.

(iv) Regular independent assessment and tests

HKMA considers that it is important that there are sufficient cyber security expertise and resources within the responsible function(s) of the AI (which could be the IT function, technology risk management function, internal audit function or other similar function(s)) to exercise effective and ongoing checks and balances against the evaluation and monitoring of cyber security controls carried out by the senior management, as well as the contingency planning efforts related to cyber attacks. Such checks and balances should include, amongst other things, regular independent assessment and possibly penetration tests.


HKMA expects the board and senior management of AIs to strengthen their oversight in the above four areas. Concrete progress should start to be evidenced in the remaining meeting(s) of the board in 2015 or otherwise in early 2016. In particular, the AIs’ cyber security controls should be evaluated against the credible benchmarks endorsed by the board as mentioned in (ii) above. HKMA will request that specific deliverables be submitted so that it can assess the output or progress of work.


In our bulletin of 2 December 2014 (which can be accessed here), we pointed out that regulators will closely scrutinize the way that senior management are approaching the issue of cyber security. By issuing the Circular, HKMA has stated in unequivocal terms specific steps that the board and senior management should take and specific areas that they should focus their resources on.

It is expected that HKMA will soon start making enquiries to verify that AIs have taken or are taking all the necessary or expected actions with regard to cyber security risk management. It is therefore important that the board and senior management are able to appropriately evidence actions that the AIs have taken in this respect.