The letter comes just weeks after a 24 August letter by the Monetary Authority of Singapore (the “MAS”) warning Singaporean-regulated financial institutions of the importance of improving on their intrusion detection measures as part of cyber security defence planning.
The regulatory focus on cyber security issues in two of Asia’s leading financial services hubs highlights that even though financial institutions in Hong Kong and Singapore are already subject to fairly detailed and comprehensive technology and risk management regulation, cyber risk raises unprecedented challenges and justifies going above and beyond specific regulatory requirements.
The HKMA’s letter notes that the “frequency, stealth, sophistication and potential impact” of cyber security attacks are on the rise. Coupling this with the increasingly varied motivations and affiliations of hackers, the regulator is concerned that conventional risk management controls and philosophies practised by financial institutions need to be adjusted in order to meet the emerging challenges.
Risk ownership and management accountability: Authorized institutions are expected to ensure that cyber risk management is applied not just to technology functions, but to business operations more generally. The letter also notes that human factors are often the weakest link in cyber counter-measures, and that management accountability and a culture of security awareness across the organization are key to driving behaviours that support a secure environment.
Periodic evaluations and monitoring of cyber security controls: The letter urges management to regularly evaluate cyber security plans having regard to emerging threats and apply adequate financial resources to ensure effective implementation of necessary improvements to processes and systems.
Industry collaboration and contingency planning: Authorized institutions are encouraged to collaborate with other institutions and the police in gathering and sharing cyber threat intelligence in order to help others prepare for and defend against attacks. Business continuity plans are to be enhanced and regularly tested to address cyber security threats and risks.
Regular independent assessments and tests: Authorized institutions are expected to have sufficient cyber security expertise and resources in relevant functions to evaluate and monitor controls. Independent assessments are expected to be part of the precautionary measures.
The HKMA expects the boards of authorized institutions to evaluate the current state of their institutions on these points and take steps to ensure concrete progress this year or by early 2016. The letter explains that the HKMA will, if there is a need, request authorized institutions to submit specific deliverables that will allow the regulator to assess progress.
An annex to the letter provides authorized institutions with some suggested standards for the purpose of benchmarking their cyber security controls. The annex cites the HKMA’s Supervisory Policy Modules relating to technology and data management, but at the same time suggests that authorized institutions need to look beyond to industry association guidance and international standards, noting that the relevance of existing or new standards may change as technology and cyber threats change. The annex includes reference to a number of independent standards, such as the ISO/IEC 27000 family of information technology security standards.
The letter is a clear indication that the HKMA believes further planning and investment is needed in order to ensure that authorized institutions are up to the challenge of the escalating cyber threat. At the same time, the letter implies that the HKMA’s existing technology risk management regulations do not fully address what is expected of authorized institutions and that further collaboration and expertise is needed in order to define and achieve adequate standards.
The assessment of the nature and scale of cyber threats and the making of decisions as to appropriate technical and operational measures to address these risks are not legal or regulatory points in their own right, but these recent letters from the Hong Kong and Singapore regulators point the way to some important issues for in-house lawyers, including:
Managing Human Factors – the Weakest Link: It is clear that many cyber attacks are initiated or contributed to by human elements, such as spear phishing attacks and weak password protection. The accelerating growth of mobile banking and payments, cloud computing and innovations such as “bring your own device” (“BYOD”) exacerbate the risk profile for financial institutions. Monitoring of employee usage of business systems is essential to counter-act these vulnerabilities, but strategies on this front raise data privacy and employment law issues. Now that comprehensive “European-style” data privacy regulation applies across much of the Asia-Pacific region, monitoring must be proportionate to the risks and be adequately notified to impacted employees, unless grounds for covert monitoring are made out. Similarly, the use of advanced technologies such as biometric security measures will no doubt improve security, but at the same time will involve handling increasing volumes of highly sensitive personal data. Appropriate privacy impact assessments will be required.
Third Party Risks: The HKMA is clear that effective cyber security planning necessitates a holistic approach, and this must include interactions with third party vendors and, even more fundamentally, with outsourced service providers. Both the HKMA and the MAS have detailed material outsourcing guidelines that must be adhered to and it will be important to ensure that contractual arrangements with vendors adequately support the institution’s cyber security policies and procedures.
Cyber Attacks – the Response: Cyber readiness planning is a multi-disciplinary exercise that involves many stakeholders across the organization, from IT and operations through to human resources and public relations. Legal and compliance clearly have important roles to play, from helping to quantify exposures through to strategies to deal with regulatory compliance, potential third party liabilities and potential intellectual property, employment and criminal law aspects. Data breach notification requirements have not historically been a feature of the Asia data privacy landscape, but there are now mandatory breach notification requirements in force in over a half dozen jurisdictions in Asia. Good cyber planning means being ready to react in good time from a legal and compliance point of view.
We expect that regulators across the region will be applying increasing focus to cyber security threats in the coming months. We are still a long way from the establishment of international standards that comprehensively address cyber readiness planning. Closer co-operation amongst regulators will hopefully become part of the solution on this front. In the meantime, financial institutions are well-advised to closely monitor compliance against existing regulations and guidelines, and – bearing in mind the HKMA’s suggestion that these are not a complete answer to the problem – consider whether accountability to stakeholders requires more.