At the end of June 2016, while SWIFT (the worldwide financial messaging system) was disclosing substantial losses due to cyber-attacks, the authorities of Hong Kong were announcing new regulations for the financial institutions.
During the 2016 edition of the Cyber Security Summit – one of the main local cybersecurity events – the Hong Kong Monetary Authority (HKMA) announced the launch of its CyberSecurity Fortification Initiative (CFI), a multi-year approach to strengthen the security of local banks.
Here are the main points to keep in mind about this initiative, which brings in international best practices in cybersecurity, but also an innovative approach to cyber threat intelligence.
A three-fold initiative to improve the level of security
The CFI is an initiative on which the HKMA has been working to strengthen cyber-resilience (i.e. the capacity to resist/survive cyber-attacks). It targets all the Authorized Institutions[1] (AIs), in other words the banks of Hong Kong. It is underpinned by three pillars:
1. Cyber Resilience Assessment Framework
This framework will have to be deployed by each bank, thus allowing the HKMA to “get a holistic view of the preparedness of individual AIs as well as the entire banking sector”. It consists of three steps:
- Inherent risk assessment: an evaluation of an institution’s riskiness. It includes technological and business factors that will require a good understanding of both areas. The risk level will be rated as High, Medium or Low.
- Maturity assessment: an evaluation of the institution’s actual level of maturity in terms of cybersecurity.
- Intelligence-led Cyber Attack Simulation Testing (iCAST), only for banks with High or Medium risk level. The goal is to simulate cyber-attacks not only from a technical perspective, but also taking into account the “people” and “process” elements.
While all the details are not yet public, the first two steps are similar to the United States FFIEC Cybersecurity Assessment Tool, which has been deployed by many major banks since 2015. The inherent risk level then has to be matched against the actual maturity level; where there are gaps, the bank will have to provide a roadmap to close them.
iCAST is more innovative as a regulatory requirement, in that it does not rely only on penetration testing but also replicates real-life attacks based on specific, up-to-date threat intelligence. This type of testing is referred to as “red teaming”. As of today, it is the most realistic way to test the actual security level of an organization.
2. Professional Development Programme
This programme aims at improving the overall skillset of security professionals by implementing a certification scheme and training courses that will offer three levels of competence: “foundation”, “practitioner” and “expert”. The UK-based CREST will be part of this professional development, and suitable arrangements will also be introduced to “ensure that relevant or equivalent experience and expertise in the cybersecurity field will be appropriately recognized”.
3. Cyber Intelligence Sharing Platform
In cyber-warfare, as in conventional warfare, threat intelligence has become key. Each company can develop its own skills and methods, but intelligence only succeeds when the information is shared. Therefore, the HKMA is going to launch a Cyber Intelligence Sharing Platform, with access open to all the licensed banks in Hong Kong. Its goal will be to offer a secure and convenient system for sharing relevant data without compromising proprietary information.
What are the next steps for banks?
For banks in Hong Kong, a few milestones have been defined:
- At the end of May 2016, the HKMA launched a three-month consultation with the banking industry to gather feedback and comments on a draft version of the risk-based Cyber Resilience Assessment Framework.
- It is important to note that the HKMA requires the involvement of the AIs’ Boards or senior management. The assessment will have to be conducted by “qualified professionals who possess the necessary knowledge and expertise”.
- The HKMA has worked with professional and public organizations to roll out the first training courses and set up the Cyber Intelligence Sharing Platform by the end of 2016.
Evolving standards in Hong Kong
This move by the HKMA falls within a rapidly evolving regulatory context in Hong Kong. Several game-changing approaches will indeed shape the future of information security in the coming years. Among them are the recent circular on cybersecurity that targets organizations regulated by the Securities and Futures Commission (SFC), and the upcoming review of the data privacy laws.
With around 200 banks, Hong Kong is clearly taking the full measure of the cybersecurity challenge in order to keep its position as a leading financial hub in Asia.
[1] An Authorized Institution in Hong Kong is an institution authorized under the Banking Ordinance to carry on the business of taking deposits. Hong Kong maintains a three-tier banking system, which comprises banks, restricted licence banks and deposit-taking companies. Authorized Institutions are supervised by the HKMA.