Both the Hong Kong Monetary Authority (MA) and the Securities and Futures Commission (SFC) have expressed concerns about data leakage and cybersecurity risks, and expect the participants they regulate to conduct a critical review of existing customer data controls and, where necessary, implement enhancement programmes. The MA expects all authorised institutions to do so by Q1 2015. In addition to the relevant risk management principles and control measures in the MA’s Supervisory Policy Manual Modules, the MA’s circular dated 14 October 2014 focuses on the following:

  • Data security policies and effective awareness of policy compliance
  • Logical and adequate access controls over customer data
  • Controls over transmission of customer data
  • Controls over storage of customer data
  • Controls over personally-owned computing devices
  • Physical security controls over, and the office environment related to, customer data
  • Controls over service providers involved with storage of and/or access to customer data
  • Effective and adequate periodic audits of customer data protection

The above should be considered when an authorised institution conducts its audit.

The SFC’s focus of attention, as indicated in its 27 November 2014 circular, is on ensuring a review of policies and procedures for managing cybersecurity threats, identifying cybersecurity risks, and critically assessing the potential implications and major areas of vulnerability in the IT systems used in business operations. The aim is for firms to prevent, detect, mitigate and manage the potential loss of the firm’s own and investors’ information or assets due to cybersecurity attacks. Failure to do so opens firms up to criticism from their regulators.

Explicit in the SFC’s circular (and apparent in the materials referred to in the MA’s circular) is the requirement that the firm’s senior management is responsible for the supervision of data management. Therefore, in addition to the other relevant stakeholders within a firm – for example legal, compliance and IT – senior management should be consulted, should approve policy changes and, where necessary, should report to the board.