Hong Kong Cybersecurity Risk
On 27 November 2014, the Securities and Futures Commission (“SFC”) issued a circular regarding cybersecurity threats facing the financial industry (“Circular”). Intending to alert licensed corporations, the SFC cites a recent occurrence of a massive cyber-attack on a financial institution where hackers stole information on its clients.
The Circular highlights that cybersecurity threats may stem from various business activities such as remote access, email access and internet trading, which may potentially impact licensed corporations irrespective of their size and mode of operation.
Referencing its published Code of Conduct and Internal Control Guidelines, the SFC reiterates that licensed corporations are required to ensure the integrity, security, availability, reliability and thoroughness of all information. In this regard, the SFC expects licensed corporations to conduct self-assessments of risks and controls to prevent any loss of firm or investor information due to cybersecurity threats.
To satisfactorily manage cybersecurity threats, licensed corporations are expected to:
- review their policies and procedures;
- assess their internal systems and identify potential risks;
- assess the need to enhance cybersecurity controls;
- consider the cybersecurity controls of third-party service providers; and
- ensure continuity of critical activities and systems.
The Circular is squarely in line with some overseas regulators who are also turning up the heat on cyber threats. For instance, the Securities and Exchange Commission (“SEC”) included cybersecurity in its examination priorities in January 2014 and issued an alert in April 2014, and the US government tasked the National Institute of Standards and Technology (“NIST”) with the creation of a Cyber Security Framework, which was released in February 2014.