Hong Kong Monetary Authority looks to improve banks' cyber security


The banking regulator began a three-month consultation into the initiative on Tuesday, designed to ensure banks are ready to face online threats

The banking regulator is considering plans to require banks in the city to assess their resilience to cyber attacks and ways to train more qualified cybersecurity experts.

From Tuesday, the Hong Kong Monetary Authority began a three-month consultation into the initiative.

The latest policy drive, which was named the “Cybersecurity Fortification Initiative”, was announced after the authority’s chief executive Norman Chan Tak-lam said at the Cyber Security Summit last week that the city’s financial sector could not be complacent, even though there were very few cases of serious cyberattacks reported in the past in Hong Kong.

Giving more details about the initiative on Tuesday, Arthur Yuen, deputy chief executive of the Hong Kong Monetary Authority, said one aspect of the policy was to require banks to arrange for certified professionals to assess their cyber resilience levels to see how prepared they are to face cyber threats.

The assessment would aim to cover 25 components, from staffing, training and data security to incident management and threat intelligence.

After the assessment, if gaps are found, banks will have to make plans for improvements.

When asked if the results of the assessments would be made public so people could know how secure their service providers are, Yuen replied that the authority did not have such plans at present.

“Information, if oversimplified, might have a negative effect,” Yuen said. “We don’t want the confidence in the city’s financial system to be shaken.”

Yuen added banks would be asked to take reasonable remedial action if necessary.

Separately, in light of a global shortage of cybersecurity experts, the authority said the initiative would also include working with the Hong Kong Applied Science and Technology Research Institute and the Hong Kong Institute of Bankers on designing accredited training programmes.

According to the authority, there were 11 million online banking accounts in the city last year, generating 17 million transactions worth HK$7.3 trillion on average per month.

While the authority said cases of cyberattacks causing actual or substantial disruption of services or losses were rare, it recorded 35 cases of fraudulent banking websites, applications and phishing emails last year.

It also recorded 19 cases of distributed denial-of-service (DDoS) attacks, which were malicious attempts to paralyse computer systems.

Under the current regulatory framework, the authority said banks are required to inform it of any cyberattacks they experience.

The authority aims to elaborate further on the initiative by the end of this year after the consultation is completed.