The Securities and Futures Commission (“SFC”), Hong Kong’s securities regulator, recently released comprehensive guidance on suggested cybersecurity controls within Licensed Corporations (“LCs”). Although it only applies to LCs regulated by the SFC, it represents the most comprehensive guidance issued by a Hong Kong authority on cybersecurity, and provides useful insight on how organisations can effectively guard against cybersecurity threats.
The Circular to all Licensed Corporations on Cybersecurity (“Circular”) issued on 23 March 2016, followed a review by the SFC of the effectiveness of cybersecurity controls within certain larger sized LCs in Hong Kong.
While the SFC’s review revealed most LCs had proactive cybersecurity control frameworks in place, deficiencies in five key areas were identified.
Five Key Areas of Concern
- Inadequate coverage of cybersecurity risk assessment exercises: The review found that standard cybersecurity risk assessments (such as control gap analysis and benchmarking) were often conducted on Internet-facing systems and infrastructure, rather than systems and networks residing in internal environments or other non-Internet facing systems, which could still be enticing targets for cyberattacks. Further, tests were only conducted against basic types of cyberattacks, and were not frequently updated to cover the latest threats.
Inadequate cybersecurity risk assessment of service providers: LCs were found to heavily rely on the attestations of service providers, rather than scrutinizing the scope, approach or results of their risk assessments. They did not take a proactive approach to integrate the systems and control environments supported by service providers into the LCs cybersecurity risk management frameworks. Formal procedures/guidelines detailing the requirements of conducting risk assessments or on-site audits were missing.
Insufficient cybersecurity awareness training: The cybersecurity awareness training provided to employees was not updated in accordance with the latest cybersecurity related issues.
Inadequate cybersecurity incident management arrangements: Cybersecurity incident response plans and drills were inadequate to address the latest cybersecurity threats. Some serious yet common cyber-attack scenarios were not covered in cybersecurity incident response plans, and Hong Kong was often not included in global drills/ simulation exercises.
Inadequate data protection programs: Data protection programs were inadequate to address the latest cybersecurity threats. For example, some LCs did not identify data flows, tailor processes and technologies to avoid data leakage or implement appropriate responses based on the sensitivity of data.
Eight Suggested Cybersecurity Controls
Following the review, the SFC identified eight areas where LCs could improve and update their cybersecurity controls.
- Establish a strong governance framework to supervise cybersecurity management, including by ensuring cybersecurity is regularly covered in senior management meetings and all staff are regularly trained in the latest threats.
Implement a formalized cybersecurity management process for service providers, with cybersecurity requirements incorporated into agreements and require regular cybersecurity risk assessments.
Enhance security architecture to guard against advanced cyber-attacks, with respect to processes, networks and operating systems. Cybersecurity should be considered early in the software development cycle. Multi-tiered network defences and multi-layered security should be implemented, with security zones considered within networks. Privileged user access and additional safeguards to prevent execution of unauthorized applications should also be considered.
Formulate information protection programs to ensure sensitive information flow is protected, including (a) recertification to be performed periodically on removable media access (b) implementing mobile secure containers in staff mobile devices; and (c) enforcing data wipe functions to remove firm applications and information where loss of a mobile device is reported.
Strengthen threat, intelligence and vulnerability management to pro-actively identify and remediate cybersecurity vulnerabilities, including both for internet facing and internal systems.
Enhance incident and crisis management procedures with more details of latest cyber-attack scenarios.
Establish adequate backup arrangements and a written contingency plan with the incorporation of the latest cybersecurity landscape, and such plans should be periodically tested. All backup tapes to be encrypted and physically protected.
Reinforce user access controls to ensure access to information is only granted to users on a need-to-know basis. Ensure secure remote access from external networks.
The SFC urged LCs to recognize the importance of cybersecurity within their organisations. In view of their findings and suggestions, they recommended LCs ensure that:
- Cybersecurity risks are comprehensively and effectively reviewed and assessed.
- Any weaknesses identified are rectified.
- The enhancement of cybersecurity controls are treated as a matter of priority within the organization.
The Circular only applies to LCs and does not apply to other organizations. Nevertheless, if your company holds sensitive data or is in an industry vulnerable to cyberattacks, the Circular is a useful guide representing the best standard with respect to protecting data from cybersecurity incidents in Hong Kong.