The (HKMA) has issued a circular to provide general guidance on proper cyber security risk management for authorised institutions in Hong Kong.

The circular says that the Board and senior management of an authorised institution are expected to play a proactive role in ensuring effective cyber security risk management in their institution, including the following areas:

Risk ownership and management accountability

• Ownership and management accountability of the risks connected to cyber attacks and the related risk management measures should be clearly established.
• Users at all levels should be alerted of their roles and responsibilities in defending against cyber attacks.

Periodic evaluations and monitoring of cyber security controls

• The Board should request that senior management periodically evaluates the adequacy of their institution’s cyber security controls against their institution’s own benchmark. If there are any material gaps, the senior management must either justify acceptance of the risks arising from the gaps or address those risks by establishing a concrete plan to improve their institution’s cyber security controls. The HKMA does not currently prescribe a benchmark that should be adopted. However, it expects authorised institutions providing services that are important to the public or to the functioning of Hong Kong’s financial systems to adopt a more stringent benchmark covering the areas of security controls contained in the list found in the annex to the circular entitled “A credible benchmark of cyber security controls”.
• The Board should also request periodic reports from the senior management to monitor the overall situation and any significant risks.

Industry collaboration and contingency planning

• Authorised institutions should explore opportunities to collaborate with other institutions and/or the Hong Kong police force in the timely gathering and sharing of cyber threat intelligence.
• Authorised institutions should improve and regularly test their incident response mechanism and business continuity plan to ensure that senior management is capable of dealing with cyber attacks, including the more catastrophic attacks.

Regular independent assessment and tests

• The responsible functions of an authorised institution (e.g. IT, technology risk management, etc.) should have sufficient cyber security expertise and resources to be able to conduct regular independent assessments and possibly penetration tests.

A copy of the HKMA’s circular is available. http://bit.ly/1OwdFZF