Multi-layered cybersecurity regulation
Financial services businesses run a daily risk of non-compliance, fraud, error and regulatory action, coupled with reputational damage, as a result of cybersecurity issues. Regulators continue to grapple with a range of complex legal, regulatory and operational issues to arrive at a harmonised approach to this area.
The Asia Pacific region is a fragmented mix of multiple regulators (Hong Kong) and primary regulators (Singapore) and all points between, attempting to define cyber activity within the confines of their respective jurisdictions and cross border. This lends itself to a kaleidoscope of regulatory initiatives within jurisdictions and across jurisdictions.
Taking Hong Kong as an example – the following regulators have an interest in this area:
Securities and Futures Commission (SFC);
Hong Kong Monetary Authority (HKMA);
Office of the Commissioner of Insurance (to be replaced by the Independent Insurance Authority); and
Data Privacy Commissioner.
Even before the impact of technology and cybersecurity issues is considered, there is already overlap among the regulators, concerning, for example, the handling and movement of data in respect of securities or certain FX products, and banks' management of their securities businesses. Add in the effects of technology-specific regulation and the situation becomes very complex, since technological frameworks, processes and solutions are fundamental to the operation of financial institutions in the markets.
Hong Kong SFC – many different requirements
The SFC has indicated increasing concern about cybersecurity. Licensed persons are expected to:
review and assess cybersecurity risks comprehensively and effectively;
rectify any weaknesses identified; and
treat the enhancement of their cybersecurity controls as a matter of priority.
There have been numerous circulars by the SFC on cyber-related issues[1]. These circulars, which give the market a steer on regulatory policy, supplement various items of "hard" guidance and requirements, such as the Code-based electronic trading and dark pool materials. There are also underlying statutory and regulatory requirements as regards the adequacy of systems and controls and the role of senior management in protecting the licensee.
The SFC has additionally set up the Fintech Contact Point to enhance communication with businesses involved in the development and application of financial technology in Hong Kong. The Fintech Contact Point is operated by the Risk and Strategy Unit of the CEO's Office of the SFC.
All of the SFC materials sit alongside the HKMA's materials for banks and other HKMA-regulated institutions (such as stored value facilities, which operate electronically). The HKMA's "Cybersecurity Fortification Initiative" (CFI) is a recent initiative designed to raise the level of cybersecurity at banks in Hong Kong through:
a common risk-based framework to assess risk profiles and determine the level of defence and resilience required;
a training and certification program for cybersecurity; and
a "Cyber Intelligence Sharing Platform" to allow sharing of cyber threat intelligence among banks to enhance collaboration and improve cyber resilience.
It is now a supervisory requirement for Hong Kong banks to implement the CFI.
The insurance and data privacy regulators are also expected to focus increasingly on this area.
Keeping pace with all the requirements
The wide range of regulatory initiatives in Hong Kong alone that are aimed at cybersecurity issues overlap both vertically (the extent to which statute, regulation, guidance and public pronouncements interconnect seamlessly) and horizontally (across regulators and jurisdictions). Navigating them requires care on the part of complex financial services organisations.
[1] Circular to All Brokers – Tips on Protection of Online Trading Accounts dated 29 January 2016; Circular to All Licensed Corporations on Internet Trading – Internet Trading Self-Assessment Checklist dated 11 June 2015; Circular to Licensed Corporations – Mitigating Cybersecurity Risks dated 27 November 2014; Circular to All Licensed Corporations on Internet Trading – Information Security Management and System Adequacy dated 26 November 2014; and Circular to All Licensed Corporations on Internet Trading – Reducing Internet Hacking Risks dated 27 January 2014.