Data Protection Report - Norton Rose Fulbright

With its continued focus on cybersecurity, the Hong Kong Securities and Futures Commission (SFC) recently issued a circular to all its licensed corporations (LCs) identifying key areas of concern and suggesting cybersecurity controls.

Hong Kong does not have any overarching cybersecurity legislation, and industry-specific regulatory activity in relation to cybersecurity has been limited to date. The Hong Kong Monetary Authority and the SFC have been the most active regulators on the topic. The SFC’s circular is the most comprehensive statement on cybersecurity by a Hong Kong regulator to date.

Key Areas of Concern

The Circular to All Licensed Corporations on Cybersecurity (“Circular”) was issued by the SFC following its review of a number of large LCs. The Circular identifies the following key areas of concern:

  1. inadequate coverage of cybersecurity risk assessment exercises;
  2. inadequate cybersecurity risk assessment of service providers;
  3. insufficient cyber awareness training;
  4. inadequate cybersecurity incident management arrangements; and
  5. inadequate data protection programs.

Of particular note are the SFC’s findings that LCs are not:

  • properly assessing risks associated with mission critical systems and networks within its internal systems;
  • taking a “pro-active” approach with service providers to include them in risk management frameworks, but instead are relying on contractual assurances;
  • updating staff regarding the latest security threats;
  • addressing new threats through breach response plans or conducting drills to test the plans; and
  • including appropriate controls in data protection programs to monitor and protect data flows and respond to leakages.

Suggested Cybersecurity Controls

The Circular describes eight suggested controls:

  1. Establish a strong governance framework to supervise cybersecurity management;
  2. Implement a formalized cybersecurity management process for service providers;
  3. Enhance security architecture to guard against advanced cyber-attacks;
  4. Formulate information protection programs to ensure sensitive information flow is protected;
  5. Strengthen threat, intelligence and vulnerability management to pro-actively identify and remediate cybersecurity vulnerabilities;
  6. Enhance incident and crisis management procedures with more details of latest cyber-attack scenarios;
  7. Establish adequate backup arrangements and a written contingency plan with the incorporation of the latest cybersecurity landscape; and
  8. Reinforce user access controls to ensure access to information is only granted to users on a need-to-know basis.

Our Take

Although the SFC presents its cybersecurity controls as suggestions, these suggestions are prescriptive in nature and represent the SFC’s expectations for LCs. While the Circular is not a binding legal document, a LC’s failure to follow the suggestions could lead the SFC to investigate, and possibly sanction, the LC. Therefore, LCs may wish to compare the SFC’s suggested controls against their own current practices. The SFC’s emphasis is on LCs formalizing their internal governance on cybersecurity and practices regarding the protection of information, and ensuring that the LC has a framework in place to respond to threats and incidents. Following the SFC’s guidance is imperative for LCs in the current cyber risk environment.