Hong Kong Monetary Authority: A 3-Pronged Strategy for Secure Banking
Security Leaders Respond to HKMA's New Cybersecurity Policy
Responding to the series of cyberattacks on the financial sector across the Asia Pacific region, the Hong Kong Monetary Authority plans to raise the cybersecurity of its banking system through a three-pronged approach that emulates the model implemented by the U.K. and other nations.
HKMA's CFI will develop a risk-based framework to help banks put effective cyber defences in place and tap the right cybersecurity professionals. A further key aspect is to establish an information-sharing platform. The regulator has taken its cue from the U.K.'s CREST framework in urging banks to protect against increasingly sophisticated cyberattacks on their core systems.
"If we wish to raise the cybersecurity of our banking system to a level commensurate with Hong Kong's position as the leading international financial centre in Asia, we cannot afford to go slow or lose time," says Norman T.L. Chan, Chief Executive of the HKMA. "In a spirit of cooperation to achieve this common goal, the HKMA, the banking industry and our partners will work closely together to implement the ambitious but necessary CFI."
Security critics argue that the security guidelines must be more stringent and clear so banks can operate in a cybersecure environment.
Clayton Jones, managing director-Asia Pacific at (ISC)², says the framework should be multi-partite because it has a long-term impact on the whole ecosystem.
"It's critical to know what the key banking issues the new framework's addressing are and how it's benchmarked against frameworks from other countries with a longer history and track record in stringent security guidelines," Jones says.
HKMA's Chan says the sophistication and impact of cyberattacks are increasing, and the board and senior management must play a proactive role in ensuring effective cybersecurity risk management in their institutions.
Further, the HKMA has been working closely with the banking sector to develop the CFI, which is underpinned by three pillars:
- A Cyber Resilience Assessment Framework, which seeks to establish a common risk-based framework for banks to assess their own risk profiles and determine the level of defence and resilience required;
- A new Professional Development Programme - a training and certification programme in Hong Kong - to increase the supply of qualified cybersecurity professionals; and
- A Cyber Intelligence Sharing Platform, to be developed for sharing cyber threat intelligence among banks and enhancing collaboration.
According to Chan, HKMA is working with the Hong Kong Applied Science and Technology Research Institute and the Hong Kong Institute of Bankers on the design of the Professional Development Programme, with the aim of rolling it out by the end of this year.
Carrie Leung, CEO at HKIB, says, "Cyber threats are a growing risk to the banking and financial services sector. It is time for us to take collective action to formulate strategies for tackling current and future threats. A key aspect is to build a strong talent pool and enhance the sector's cybersecurity system continuously."
Security practitioners welcome the move, but say the proposed framework may not suffice to address future threats. Hong Kong-based Vivian Poon, a security practitioner from an investment bank, says this is not a new topic for top-tier banks - which already have cyber resilience assessment programs - but it would help second-tier banks in Hong Kong raise their cyber resilience standards.
"An ideal framework should include reviews of management of various areas like assets, controls, change, configuration, vulnerability, incident and business continuity," Poon says.
Shortcomings of the Draft
Security critics see shortcomings in the framework, saying cyber resilience is not a new concept; it's about the survivability of an organization's operations against threats.
S.C. Leung, practitioner and Asia-Pacific Advisory Council Member at (ISC)², maintains, "HKMA should make its framework industry-relevant and adaptable to the fast-changing security landscape. It should encompass people, technology, process and communication aspects of cyber governance."
Jones argues the framework is based on CREST, a U.K. government initiative that makes no mention of application security or of guidance on cloud services and their associated vulnerabilities - a top-rated concern for banking practitioners.
"Since it's a work in progress, I assume the regulator will clearly mention the use of two-factor authentication mechanism and set daily limits on the volume of internet trading transactions for security," Poon says.
Practitioners argue that the framework fails to articulate the kinds of issues they want addressed, such as whether it is open and internationally recognized. They also say there is no clarity on building skilled resources or on developing cyber intelligence and visibility.
"We endeavour to make banking professionals better equipped to face cybersecurity challenges," Carrie Leung says. "In the long run, we hope banks will develop their own career frameworks aligning with this initiative and illustrate how it can support an individual's career development and progression."
What's Critical for Cybersecure Banking?
Chuan-Wei Hoo, Technical Advisor, Asia-Pacific at (ISC)², suggests banks must consider cyber visibility and intelligence, education of the next generation, governance, and a thrust on public/private partnership.
"A simple way is to start a program with executive support, headed by a seasoned certified practitioner, supported by a team of professionals/practitioners. Certification will be key to consistency," Hoo says.
Leung of (ISC)² says cybersecurity must be reviewed in a holistic fashion. "The review can involve banks, the information security community and users, and generate easier outputs for adoption by banks, professionals and users."
Hoo recommends that HKMA develop "a pragmatic, adaptable and versatile program."
"Any cybersecurity policy, distinct from an IS policy, must have the buy-in of the senior management, supported by a team of professionals and practitioners," Hoo adds.
Poon reiterates that in a world of interconnecting networks, devices, people and organizations, traditional threats and attacks do not stop at firewalls or routers. "A cybersecure ecosystem requires strong awareness by all staff, top down, cyber strategies on prevention, detection and responses," she says. "And recruiting good security specialists is as important as recruiting c-level executives."