Regulatory Update Cyber Security

Transcription

1 Regulatory Update Cyber Security Mr Brian Lee Division Head Hong Kong Monetary Authority 25 September 2015

2 Disclaimer This presentation is provided for training purposes and does not form part of the formal legal and regulatory requirements of the HKMA. The HKMA is the owner of the copyright and any other rights in the PowerPoint materials of this presentation. Such materials may not be reproduced for or distributed to third parties, or used for commercial purposes, without the HKMA s prior written consent.

3 Topics Landscape of cyber threats Supervisory guidance related to cyber security Onsite and offsite supervisory activities Industry initiatives

4 Topics Landscape of cyber threats Supervisory guidance related to cyber security Onsite and offsite supervisory activities Industry initiatives

5 Cyber Threats Landscape (1) How would your bank and you handle the following scenarios? What would be the impact? Massive data leakage of your bank s customers due to a hacking incident Prolonged disruptions to your bank s core banking system and online services caused by cyber attacks but recovery from the backup system has failed Locking of critical data of your bank by a ransomware of a hacker group, which holds your bank hostage

6 Cyber Threats Landscape (2) Cyber attacks are growing globally Cyber threat actors pose different risks Cyber criminals Hactivists Cyber terrorists State-sponsored hackers DDoS attacks of banks in Hong Kong are rising

7 Topics Landscape of cyber threats Supervisory guidance related to cyber security Onsite and offsite supervisory activities Industry initiatives

8 Supervisory Guidance (1) Information security has already been covered in the following guidelines SPM module TM-G-1 on technology risk management SPM module SA-2 on outsourcing Circular on Customer Data Protection Recent guidelines covering cyber security Revised SPM module TM-E-1 on e-banking Circular on cyber security risk management

9 Supervisory Guidance (2) TM-E-1 on e-banking Guidance covers various aspects such as customer security, system and network security for Internet banking and other controls Senior management should ensure that regular penetration tests are performed A penetration test should assess, at a minimum, the bank s Internet banking and any financial services delivered over the Internet or via a wireless network annually

10 Circular on Cyber Security (1) Board and senior management are expected to play a proactive role in ensuring effective cyber security risk management, covering at least Risk ownership and management accountability Periodic evaluations and monitoring of cyber security controls Industry collaboration and contingency planning Regular independent assessment and tests

11 Circular on Cyber Security (2) Risk ownership and management accountability Clear ownership and management accountability of cyber risks and measures, covering not only IT function Cooperation and strong security awareness and culture across a full spectrum of relevant users To include management, staff/contractors of banks or their banking group and relevant service providers Users at all levels should be alerted of their roles and responsibilities. They should be empowered and expected to escalate to the management their concerns

12 Circular on Cyber Security (3) Periodic evaluations and monitoring Senior management s periodic evaluations of cyber security controls, having regard to emerging threats and a credible benchmark endorsed by Board For any gaps identified out of periodic evaluations: Senior management s proper justifications and documentation of any risk acceptance Concrete implementation plan, supported by adequate staffing and financial resources, to uplift the cyber security controls

13 Circular on Cyber Security (4) Periodic evaluations and monitoring (cont d) The bank should determine benchmark that is endorsed by Board for periodic evaluations Benchmarks for more important banks should cover: Preventive and detective controls, such as registration, configuration and access controls of devices, software and networks; privileged user accounts; malware; application security; customer data; mobile devices; detection of unusual activities; service providers; user education Controls for dealing with contingency scenarios, such as incident management, system resilience and data recovery

14 Circular on Cyber Security (5) Periodic evaluations and monitoring (cont d) Board should demand periodic reports from senior management Overall situation and any significant risks identified out of periodic evaluations of banks cyber security controls Status of adherence to banks security policies by IT and other relevant functions on an ongoing basis

15 Circular on Cyber Security (6) Industry collaboration and contingency planning Senior management should designate relevant function(s) to explore appropriate opportunity of both sharing and gathering cyber threat intelligence in a timely manner Broader intelligence sharing among banks will enhance the industry s readiness Incident response mechanism and BCP that are properly enhanced and regularly tested, to deal with cyber attacks and even the more catastrophic ones

16 Circular on Cyber Security (7) Regular independent assessment and tests Sufficient cyber security expertise and resources for exercising effective and ongoing checks and balances Periodic evaluations and monitoring performed by senior management Contingency planning efforts Regular independent assessment Periodic penetration tests for more important banks

17 Circular on Cyber Security (8) Board and senior management should strengthen their oversight in those areas Some concrete progress (including periodic evaluations of cyber security controls) should start to be evidenced in Board meetings this year or early 2016 The HKMA will request banks to submit specific deliverables for assessing output or progress, if needed

18 Topics Landscape of cyber threats Supervisory guidance related to cyber security Onsite and offsite supervisory activities Industry initiatives

19 Onsite and Offsite Supervisory Activities (1) To reinforce the duties of Board and senior management and three lines of defense To seek documentary evidence and conduct sample checks to verify the representations made by Board, senior management and three lines of defense To look into oversight exercised by Board and senior management and why material deficiencies had remained undetected internally

20 Onsite and Offsite Supervisory Activities (2) To take supervisory actions if needed Prompt enhancement of Board and senior management oversight and the three lines of defense Review of accountability of the persons involved and appropriateness of disciplinary actions against the persons Slowdown or suspension of banks new IT-related initiatives External auditors validation of key rectification actions Other actions (e.g. review of CAMEL rating) as appropriate Supervisory consequences could be more costly than implementing the controls in the first place

21 Topics Landscape of cyber threats Supervisory guidance related to cyber security Onsite and offsite supervisory activities Industry initiatives

22 Industry Initiatives (1) Prevention, detection and responses to cyber attacks require collaboration within industry An industry-driven drill on general crisis management A table-top exercise to be held on 9 Oct 2015 Organized by Hong Kong Financial Services Business Continuity Management (HKFSBCM) Forum Not a regulatory exercise, and drill scenarios will not be disclosed before the exercise

23 Industry Initiatives (2) Further guidance may be needed for industry practitioners who conduct penetration tests Cooperation between the HKMA and Hong Kong Association of Banks: An industry minimum standard on Bring-Your-Own- Device (BYOD) issued in Oct 2014 to address the related information security risk Monitoring and addressing emerging cyber threats at the industry level, particularly in sharing threat intelligence

24 Q&A For further enquiries: Brian Lee and George Chou and Tsz-Wai Chiu and