The Hong Kong Monetary Authority (HKMA) has today issued a circular requiring Hong Kong-regulated institutions to implement the HKMA's "Cybersecurity Fortification Initiative" (the Initiative), which consists of three distinct pillars: (1) risk assessment, (2) training and (3) intelligence sharing.
The Initiative has an obvious, direct impact on institutions that are Hong Kong-regulated, as it is now a supervisory requirement for those banks to implement the Initiative. UK institutions that do not operate in Hong Kong will nevertheless wish to give careful consideration to the Initiative, which provides a valuable insight into the increasingly joined-up approach of financial regulators around the world to the issue of cybersecurity.
1. Risk assessment
The first "pillar" of the Initiative is to establish a Cyber Resilience Assessment Framework (the Assessment Framework). Although still in consultation, HKMA has announced that the Assessment Framework will be a risk-based framework for banks to assess and benchmark their defences to and resilience against cyber-attacks. The Assessment Framework will have three limbs:
"Inherent risk assessment" will be a model of risk assessment looking at the organisational characteristics of different institutions to characterise them as "high", "medium" or "low" risk. These inherent risk ratings will then be used to set a "required maturity level" of cyber resilience against which the institution's actual maturity can be benchmarked.
"Maturity assessment" is a process to assess an institution's "actual maturity level" (which can then be compared to the institution's "required maturity level" to identify areas for improvement).
"Intelligence-led Cyber Attack Simulation Testing" will involve a series of simulation test scenarios being run in addition to traditional penetration testing. These will replicate current real-life cyber-attacks and can be used to identify further vulnerabilities which might need to be addressed to achieve a higher "actual maturity level".
Methodologies such as the Assessment Framework are likely to be of interest to UK banks, which will need to take account of cyber-risk in modelling their capital requirements.
Moreover, UK banks should expect an increased emphasis by UK financial regulators on cyber resilience assessment given the Financial Policy Committee's recommendations in July 2015 that UK financial regulators should:
establish arrangements to make vulnerability testing "one component of regular cyber resilience assessment within the UK financial system"; and
"consider how evolving capabilities in both defensive resilience and recovery would be best established across the financial system…."
2. Training
The second "pillar" of the Initiative is called the "Professional Development Programme", which will be a training and certification programme, developed and delivered in conjunction with the Hong Kong Institute of Bankers and the Hong Kong Applied Science and Technology Research Institute, to increase the supply of qualified cybersecurity professionals in Hong Kong.
HKMA has already announced that it will work closely with CREST, a UK cybersecurity certification body, to benchmark the Professional Development Programme against the latest international standards.
Training cyber-security professionals in the UK was also a key emphasis of the UK Government's "National Cyber Security Plan", unveiled in November 2015, which will involve establishing an "Institute for Coding" and rolling out a new cyber skills programme (including mentoring for young people and new higher and degree level cyber apprenticeships).
3. Intelligence sharing
Finally, the Cyber Intelligence Sharing Platform will provide a platform for the banking sector to share intelligence on cyber-attacks (including detailed cyber-threat analysis reports, advisories and recommendations).
This mirrors the Cyber-security Information Sharing Partnership, which was established as part of CERT-UK as a joint industry-government initiative to share cyber threat and vulnerability information. A Europe-wide "Co-operation Network" will also be a key development when the European Union's Network and Information Security Directive ultimately comes into force.