Security is key as hackers strike
The Hong Kong stock exchange's website should be among the most secure in our city, yet it has been assailed by cyber criminals two days in a row. Investors are understandably still bristling about Wednesday's precautionary suspension of trading in seven companies, three of them blue chips, which came as the firms were about to release sensitive information. No leading financial centre can afford to have data breaches, so there has to be a high-profile response. Putting the best possible protection in place is not only a matter of priority, but also of reputation.
Doing so will be challenging, to say the least. HKEx is not the first exchange to be subjected to hacking attacks, nor will it be the last; the London, Nasdaq and Zimbabwe exchanges have already been victims this year. They join a long list of governments, institutions and corporations, from the US Senate to Google, Sony, Lockheed Martin and the International Monetary Fund. The central government revealed this week that the nation suffered 500,000 cyber attacks last year, half from overseas. For each new breach that is plugged, there is always another hacker searching for a new hole. The internet, for all its conveniences, is ever-changing and so is the ingenuity of those trying to carry out criminal acts. HKEx will have to pour substantial financial resources into shoring up its website defences. There may be a need for a rethink; legislators had warned before the launch of the hacked website, HKExnews.hk, that its being the exchange's only platform for the release by companies of price-sensitive information made it vulnerable. As a short-term safeguard, it now intends to use newspaper adverts to tell people which firms will be making announcements.
But that is only the bare minimum for Hong Kong. Authorities have to take the lead, ensuring that the police investigation has every means to try to track down the culprits. HKEx chief executive Charles Li Xiaojia was quick to be transparent about the attacks, but that is a rarity in our city, where it is unusual for companies to admit website security failings, despite this being a common occurrence elsewhere in the business world. But while they need to be as open as possible to customers and clients, they also have to ensure that budgets adequately reflect the web-based threats they face.
More broadly for Hong Kong, there may be a need to centralise internet security operations. The Hong Kong Productivity Council's computer emergency response team monitors threats, and issues warnings, but companies and individuals have to deal with threats themselves. A specialist strike team, closely linked to law enforcement bodies, may be necessary. In light of what our city faces, it is a matter the government should explore. A financial centre of our standing has to have the best possible security in place.