Data Protection Report - Norton Rose Fulbright

The Hong Kong Monetary Authority (HKMA) is taking action to tackle cyber security in the banking sector in Hong Kong through the Cybersecurity Fortification Initiative (CFI) – a new comprehensive initiative announced on May 18, 2016, which aims to raise the level of cybersecurity of the banks in Hong Kong. This follows the Hong Kong Securities and Futures Commission’s (SFC) similar initiative of issuing the Circular to All Licensed Corporations on Cybersecurity (see our previous post).

The Cybersecurity Fortification Initiative

The aim of the CFI is to raise awareness of cybersecurity within Hong Kong financial institutions through a three-pronged approach:

  1. Cyber Resilience Assessment Framework: a cyber risk assessment tool for banks to assess their own risk profiles and determine their cyber security requirements;
  2. Professional Development Programme: a training and certification programme to increase the number of trained cyber security professionals in Hong Kong; and
  3. Cyber Intelligence Sharing Platform: a tool that allows banks to share cyber threat intelligence and collaborate on it across the industry.

To ensure swift implementation of the CFI, the HKMA will:

  1. issue a formal circular next week to all banks setting out that it is a supervisory requirement for them to implement the CFI; and
  2. cooperate with several organisations (including the Hong Kong Institute of Bankers, the Hong Kong Applied Science and Technology Research Institute and the Hong Kong Association of Banks) to roll out the initiatives over the next few months.

Our Take

The HKMA’s launch of the CFI, coupled with the SFC’s issuance of the cybersecurity circular, illustrates Hong Kong regulators’ continued and increasing focus on cybersecurity. Given the SFC’s and HKMA’s focus on cybersecurity, an organisation’s failure to take adequate protective measures could lead to disciplinary actions.

Once the formal circular is issued next week, we will prepare a more detailed analysis of the new cybersecurity requirements.
