Banks and financial institutions are among the most coveted prey of cybercriminals, who use methods of both alarming simplicity and increasing sophistication to access highly sensitive data.
Worldwide, online fraud is believed to cost as much as US$400 billion each year and the banking sector faces up to 300 per cent more attacks than other industries.
Recent events emphasise this challenging new reality. In the last two years, notable banks and financial services firms have suffered cyberattacks, ranging from distributed denial of service (DDoS) attacks to millions of customer records being compromised by hackers and theft via the SWIFT global payments network – the international system through which banks transfer billions of dollars every day. As a result, SWIFT is on the front foot, urging its user base of 11,000 financial institutions to upgrade their systems.
Hong Kong is not immune to high-profile cyberattacks. Attacks in Hong Kong rose significantly in 2015, when reports of hacking reached almost 5,000 incidents – up 43 per cent year-on-year – according to the Hong Kong Computer Emergency Response Team Coordination Centre. Last year, the Hong Kong Monetary Authority (HKMA) was alerted to 20 cases related to DDoS attempts on banks in the city. There were only three such attacks in 2014.
Amid these ever-developing threats, Hong Kong’s financial sector has unveiled a new initiative intended to respond to the dangers of cybercrime. The Cybersecurity Fortification Initiative (CFI) was formally announced on May 18 last year at the Cyber Security Summit 2016. The CFI is a partnership that combines the resources of a number of organisations, including The Hong Kong Institute of Bankers (HKIB), the Hong Kong Applied Science and Technology Research Institute (ASTRI), the Hong Kong Police Force, and the Hong Kong Monetary Authority (HKMA).
Norman Chan, chief executive of the HKMA, addressed the summit and noted how connectivity was vital to the banking sector. “It would be hard to contemplate how a retail bank [could] survive a single day if the internet or digital banking services [were] down for whatever reasons,” he said.
Warning that there was no room for complacency, Chan outlined the three pillars of the CFI. The first is a Cyber Resilience Assessment Framework, which assesses the risk profile of individual banks and ensures appropriate resilience measures are implemented to protect the bank’s assets and data, and those of its customers.
The second is a Professional Development Programme, which develops training and certification in Hong Kong to increase the supply of qualified cybersecurity professionals. HKIB and ASTRI are working in partnership to run a content-based training course – CREST Registered Tester and CREST Certified Tester Infrastructure – designed to enable participants to understand the techniques used in both basic and advanced ethical-hacking activities. The course will also provide the opportunity to gain hands-on experience with a variety of tools applicable to all phases of an ethical-hacking engagement (see below for details).
The final pillar is the Cyber Intelligence Sharing Platform, which is accessible to 200 authorised institutions in Hong Kong. This will allow banks to collaborate by proactively sharing information and intelligence about cyberattacks or imminent threats of such attacks. Chan said that receiving timely alerts or warnings from a commonly shared intelligence platform would be of immense help to banks in preparing for cyberattacks even before they are launched.
Banks in Hong Kong are not alone in the rapid drive to improve risk-management frameworks and to counter potential cyberattacks. Recent research by professional services firm Accenture details the full extent of the global concern by banks and the justification for beefing up cybersecurity frameworks. According to Accenture’s “Cyber Security: Confronting the Threat” report, 67 per cent of executives in the banking sector believe the likelihood of an attack is “very” or “extremely” high.
In line with this, spending on cybersecurity platforms by banks has spiked globally. ICT research company Gartner stated in 2016 that global spending on cybersecurity could hit US$77 billion that year, up 8 per cent from 2015. This number will only increase; Gartner estimates that the amount that banks and other firms are poised to pay by 2018 could surpass US$100 billion for the first time.
The establishment of the CFI follows a circular issued last year by the Securities and Futures Commission (SFC) to all its licensed corporations, which identified key areas of concern and suggested cybersecurity controls. While other bodies such as the HKMA have been active regulators on the topic, the circular was the most comprehensive statement on cybersecurity by a local regulator to date.
Specifically, the circular identified the following key areas of concern: inadequate coverage of cybersecurity risk assessment exercises; inadequate cybersecurity risk assessment of service providers; insufficient cyber-awareness training; inadequate cybersecurity incident management arrangements; and inadequate data protection programmes. Examining similar circulars issued by global regulators, it is clear that Hong Kong shares many vulnerabilities with other mature banking sectors. However, the reaction of regulators and banks to a major cyberattack is yet to be seen.
Fostering the dialogue on cybersecurity is a step in the right direction, but is only part of the solution. Action by all members of the financial services community will play a more combative role in thwarting a major attack on Hong Kong’s banks.
CREST Registered Tester and CREST Certified Tester Infrastructure
Date: February 13-17, 2017 (5 days)
Time: 9.30am-5.30pm
Venue: Hong Kong Science Park
Language: English
Enquiries:
Tel: 2153 7877 / 2153 7865
Email: programme@hkib.org