Guideline on Cybersecurity for Hong Kong authorised insurers will come into effect on 1 January 2020

Last Friday, the Hong Kong Insurance Authority published its Guideline on Cybersecurity (GL 20) for authorised insurers. GL 20 will take effect on 1 January 2020.

Cybersecurity is a global regulatory focus and a top priority area for the Insurance Authority, given the growing exposure to cyber risk as a result of increased digital connectivity.


Cryptoassets – what should the second line of defence be focussing on?

First published on Thomson Reuters Regulatory Intelligence on 12 June 2019 (this version includes updates as at 28 June 2019).

In our first article on cryptoassets we discussed considerations for boards and senior management. This second article considers regulatory risks specific to cryptoassets which the second line of defence (i.e. compliance and risk functions) within the three lines of defence (TLOD) model of compliance should consider.


Crypto asset compliance in an uncertain regulatory environment

First published on Thomson Reuters Regulatory Intelligence on 10 May 2019.

Authors: Clive Cunningham and Wendy Saunders

This is the first in a series of articles looking at crypto-assets (encompassing exchange tokens, security tokens, and utility tokens) through the lens of prevailing regulatory expectations of governance and risk management in the UK. In the absence of a specific regime for crypto assets, the legal and regulatory environment remains uncertain. Some crypto assets fall within the current regulatory regime; others do not. UK policymakers are in the process of clarifying the current perimeter and may expand it in the future.


EU adopts new sanctions framework targeting external cyber-attacks

Authors: Susannah Cogman, Daniel Hudson and Hannah Lau

On 17 May, the EU adopted legislation which will enable it to impose sanctions against persons and entities who engage in cyber-attacks against the EU and its member states. The sanctions will be designed “to deter and respond to cyber-attacks with a significant effect which constitute an external threat to the EU and its Member States”. The new regime underlines a clear commitment by the EU to continue to strengthen its capability to address its “[concern] at the rise of malicious behaviour in cyberspace”.

BACKGROUND

In recent years, the EU has taken a series of actions to tackle cyber threats. On 19 June 2017, the EU developed a framework for a joint response to malicious cyber threats (known as the “Cyber Diplomacy Toolbox”), and subsequent implementing guidelines envisaged sanctions as one of the tools available. The timing of the announcement of the new regime is also notable given its proximity to the EU Parliament elections which started on 23 May.

Reported concerns amongst officials from the EU and certain member states in the past have related to hacking incidents or threats linked to China, Russia and North Korea. However, the legislation explicitly states that the imposition of sanctions against a person or entity does not amount to attribution of responsibility to a third state, which is a political decision.

SCOPE OF THE SANCTIONS REGIME

The sanctions will target persons involved in cyber-attacks with a significant effect which constitute an external threat to the EU and/or its member states. It also covers attempted attacks with a potentially significant effect.

“External”

Cyber-attacks constituting an external threat include those which:

  1. originate, or are carried out, from outside the EU;
  2. use infrastructure outside the EU;
  3. are carried out by any person or entity established or operating outside the EU; or
  4. are carried out with the support, at the direction of or under the control of any person or entity operating outside the EU.

“Threat to member states or the EU”

Attacks which are a threat to member states are envisaged to be cyber-attacks targeting: (a) critical infrastructure; (b) social and economic services (such as in the energy, health and financial markets sector); (c) critical state functions (such as areas of defence and public elections); and (d) classified information.

Threats to the EU include cyber-attacks carried out against its various institutions and its common security and defence policy (“CFSP”). The legislation also reserves the right to apply sanctions in relation to cyber-attacks against third States and international organisations where deemed necessary to achieve CFSP objectives, giving it a potentially broad scope.

“Significant effect”

Whether an attack has a “significant effect” will depend on a range of factors including the scale of disruption, the number of persons or entities concerned, the loss caused, and the nature of the data stolen.

Who can be penalised

There is a broad scope for those who could be listed. The sanctions could target individuals or entities who:

  1. carry out (attempted) cyber-attacks;
  2. provide financial, technical or material support for such attacks including facilitating such attacks by action or omission; or
  3. are associated with those in 1 or 2 above.

The type of sanctions imposed

The sanctions available will include a ban on any listed persons from travelling to the EU and asset freezes. EU persons and entities will also be forbidden from making funds or economic resources available directly or indirectly to those listed.

PRACTICAL CONSIDERATIONS

The new regime emphasises the continuing willingness of the EU to use sanctions to address concerns, noting the similarity of these sanctions to recent EU sanctions aimed at targeting the use of chemical weapons. While no one has yet been listed under this framework, there is a continuing need for companies to ensure that they have thorough, up-to-date and ongoing screening to identify any listed persons they might directly or indirectly deal with.

It is noted that the UK government has said that in the event of a “no deal” Brexit, it will look to carry over all EU sanctions through regulations made under the Sanctions and Anti-Money Laundering Act 2018, in order to ensure a smooth transition. These UK regulations will come into force on 11 June 2019.

Susannah Cogman
Partner, London
+44 20 7466 2580
Daniel Hudson
Partner, London
+44 20 7466 2470
Hannah Lau
Associate, London
+44 20 7466 2314

Andrew Moir
Partner, London
+44 20 7466 2773
Elena Hogg
Associate, London
+44 20 7466 2590

Hong Kong SFC publishes consultation conclusions and guidelines for reducing and mitigating hacking risks related to internet trading

On 27 October 2017, the Securities and Futures Commission (SFC) in Hong Kong issued a circular and Guidelines for Reducing and Mitigating Hacking Risks Associated with Internet Trading (Guidelines), which require all licensed or registered persons engaged in internet trading to implement 20 baseline requirements to enhance their cybersecurity resilience and reduce and mitigate hacking risks. The Guidelines were issued following the SFC’s publication of their conclusions on the related consultation on the same day.

Hong Kong SFC closes consultation on proposed guidelines to reduce and mitigate hacking risks related to internet trading

On 7 July 2017, the consultation by the Securities and Futures Commission (SFC) on proposals to reduce and mitigate hacking risks associated with internet trading closed. The consultation follows on from the SFC’s thematic review of the resilience to hacking risks of brokers engaged in internet trading (internet brokers) in late 2016. The SFC aims to publish its consultation conclusions by September or October 2017. Internet brokers will then be allowed 6 months to implement the new requirements.


China Cyber Security Law: Latest Developments

China's Cyber Security Law (CSL) came into force on 1 June 2017. Our teams in China and Sydney have prepared a summary of the key systems required to be implemented and their current status. The bulletin also includes information about draft Measures for the Security Assessment of Export of Personal Information and Important Data, and draft Guidelines for data export security assessment.

Managing risk: a disputes perspective (2017)

Herbert Smith Freehills recently held its annual disputes client conference exploring some key legal and compliance risks facing major corporates. Following opening remarks by Mark Shillito, head of dispute resolution for the UK and US, there were presentations on cyber security, Brexit, insurance, class actions, decision analysis, privilege and internal investigations.

A summary of the conference from our Litigation team is below.


China’s Draft Data Localisation Measures: what you should watch out for

The Cyberspace Administration of China (CAC) has published its Measures for the Security Assessment for Personal Information and Important Data Exported Abroad (Draft for Comments) (Draft Measures) on 11 April 2017. The Draft Measures, if enacted, will become the first regulation to impose general data localisation obligations in China.


New US Cyber Security sanctions targeting Russia

On 29 December 2016, President Obama signed an Executive Order entitled "Taking Additional Steps To Address The National Emergency With Respect To Significant Malicious Cyber-Enabled Activities". In an official statement, President Obama said that the Executive Order was issued "in response to the Russian government's aggressive harassment of U.S. officials and cyber operations aimed at the U.S. Election".
