Hong Kong Updates Cybersecurity Fortification Initiative
Updated Version of Cybersecurity Framework Will Roll Out in January
The Hong Kong Monetary Authority’s Cybersecurity Fortification Initiative 2.0, an updated version of the framework designed to strengthen cyber resilience in the banking and financial sector, will officially roll out in January and be implemented over the following two years, officials say.
While the updated version of the cybersecurity framework will become official in January, banks and financial institutions in Hong Kong will have until December 2023 to complete most of the tasks required, including risk and maturity assessments as well as other auditing, officials say.
The Hong Kong Monetary Authority is Hong Kong's central banking institution responsible for ensuring the stability and integrity of the territory’s financial system. The agency launched its first Cybersecurity Fortification Initiative framework in 2016, as a response to an increasing number of cyber threats that struck financial institutions throughout the Asia-Pacific region during that time (see: Hong Kong Monetary Authority: A 3-Pronged Strategy for Secure Banking).
Arthur Yuen, the deputy chief executive of the Hong Kong Monetary Authority, noted that the updated version of the Cybersecurity Fortification Initiative reflects trends in both banking and cybersecurity that have happened over the past four years.
"We have therefore enhanced the Cybersecurity Fortification Initiative to reflect the latest trends in technology and incorporate recent developments in global cyber practices," Yuen says. "Enhancements have also been made to facilitate the development of the local talent pool for better management of cybersecurity risk. We believe Cybersecurity Fortification Initiative 2.0 will raise the cyber resilience of the banking sector to an even higher level."
Within the new framework, the three pillars of the original Cybersecurity Fortification Initiative will remain. These include: the Cyber Resilience Assessment Framework (C-RAF), the Professional Development Programme (PDP), and the Cyber Intelligence Sharing Platform (CISP).
All three pillars have various requirements for banks and financial institutions:
- The Cyber Resilience Assessment Framework seeks to establish a common risk-based framework for banks to assess their risk profiles and determine the level of defense and resilience required;
- The Professional Development Program offers training and certification programs in Hong Kong to increase the supply of qualified professionals in cybersecurity;
- The Cyber Intelligence Sharing Platform allows for the sharing of threat intelligence among banks as well as additional collaboration.
At the same time, the Hong Kong Monetary Authority has made additional changes to the three pillars. For example, the Cyber Resilience Assessment Framework has been updated to address newer approaches to incident response and recovery when dealing with cyberthreats. The Professional Development Programme, meanwhile, now has an expanded certification list that includes equivalent qualifications from major overseas jurisdictions, according to officials.
In this way, the updated version of the Cybersecurity Fortification Initiative makes it easier for banks and financial institutions to share data, information and threat intelligence with one another, says Jake Moore, a cybersecurity specialist at security firm ESET.
"Sharing best practice and development programs are essential to continually protect the banking industry," Moore says. "Sharing platforms is a perfect way of learning and understanding current threats and how to mitigate future attacks. But ever-evolving attacks need to be constantly monitored, which could be supported by filling the cybersecurity skills gap."
Banks and other financial institutions will have nearly two years to implement all the new aspects of the Cybersecurity Fortification Initiative.
Organizations will be broken down into three separate groups. The first group will represent Hong Kong's major retail banks as well as select foreign bank branches and new authorized institutions that have not previously been subject to the Cyber Resilience Assessment Framework requirement, according to officials.
The rest of Hong Kong's banks and financial organizations will be divided between Group 2 and Group 3 depending on their scale of operation and cyber risk profile, according to the announcement.