Cyber-related risks and requirements increasingly programmed into the Asian agenda

In addition to the ongoing rumbling risks of business uncertainty in relation to "too-big-to-fail", aggressive enforcement activity (linked with quasi-enforcement supervisory activity) and a range of issues concerning OTC derivatives reform, there is currently increasing interest in Asia in "techie" issues and how they contribute to financial risk.

In Hong Kong for example we have seen enhanced sensitivity in two areas: IT systems and what can be loosely referred to as "cyber-crime" – essentially, the risks created by bad systems and bad players.

On bad systems, there are numerous considerations for financial institutions:

  • Structural: given the incoming resolution and recovery regime, major institutions need to be properly "resolvable", i.e. operating as a coherent business structure capable of being dissected in times of trouble to ensure continuance of critical services and functions. This inevitably means that IT systems must be capable of identification, understanding and management to allow resolution to occur when necessary.

    Large organisations with long histories, where there has been piecemeal development of systems with legacies, bolt-ons and general opacity, risk being required by regulators to undergo structural change if not handled internally. This has become clear from the present, albeit still early, stages of the regime change.

  • Convoluted and anachronistic systems can lead to major glitches in services during normal business, with the potential self-reporting requirements, regulatory investigations and other consequences.
  • This is true not just of the hardware, but also of programming, where for example algorithms and programmed trades can create havoc if mismanaged. Recent Hong Kong electronic trading regulations have sought to ensure in particular the buy-in of senior management and the proper design and monitoring of electronic trading systems.
  • Regulators are increasingly focused on proper data management of information flows from regulated entities to regulators, i.e. the right levels of information from the right entities to the right parts of the regulator's operations. This is considered with a view to enhancing the regulators' ability to supervise institutions, and to manage the risks of there being gaps in coverage which would allow problems to fester within an institution. This is mirrored by an increased focus on senior management having to oversee their business in a more informed and dynamic fashion (and having the accompanying responsibilities to do so). There is no indication yet of any formal mirroring of the FCA senior managers' regime, but there is clear interest in how that performs, and the Securities and Futures Commission's view in Hong Kong is that the regime as currently formulated broadly encompasses those expectations and requirements in any event.

On bad players, there is an increasing sense of alarm in the context of not only one-off "strikes" on systems and their ability to disrupt financial systems and services, but also the potential for "sleeping" attacks, where perpetrators worm their way into a system and lurk there (possibly for months), siphoning off client information and price-sensitive information. Both have a significant place in risk management going forward, and demand increased resources to combat them: business continuity policies and procedures must take these risks into account, and personnel management must ensure that the right people are in place in the organisation to build appropriate defences, monitor them and handle any fall-out from attacks, including dealing with the inevitable reputational consequences of a major incursion.

Inevitably, where there is an attack, detection can result in costly and time-consuming internal and regulatory investigations, and regulatory action in the form of fines, reparation and required system changes (by way of remediation).

Firms must be fully apprised of the regulatory regime in place in the relevant jurisdiction, for example on electronic transactions in Hong Kong, and of how the "non-electronic" regulatory environment impacts on the technological elements, including self-reporting, data privacy and confidentiality, the relationship with market manipulation, as well as potential money laundering issues.

Asian businesses need to ensure they have fully integrated their tech systems, policies and controls into their overall risk management activities with a view to protecting themselves and their clients from attacks (and from the expensive regulatory consequences of attacks). Other disasters in the "real world", such as oil spills, and risk and reputation management in the aftermath of those disasters, should be analysed to consider any lessons that can be learned as regards the risk management of financial institutions.

Legal and Regulatory Risk Note