Hong Kong banks caught in dilemma on sharing cyber data
The spotless results from a recent sector-wide crisis management test show banks still reluctant to share cyber data
When a bomb rocks a transport hub in Hong Kong, one of the densest clusters of banks and brokers on the globe, it is amazing that the city does not descend into financial chaos.
Odder still is how banking business hardly skips a beat when digital infection vines through the computing systems of the biggest lenders here.
Those were, at the very least, the finding from Hong Kong’s first industry-wide test on how banks hold up and push forward with business during a major crisis. The bombs, the cyber attacks and the so-called “anti-capitalist activitsts” were, of course, simulated during the drill. The near-flawless results, however, may underline a sector-wide and even global weakness in finance instead of banker invincibility.
“It was surprising to see that bombs didn’t affect the banks’ businesses,” said Kelvin Leung, a consultant who helped organise the test in October, and a director at a Big Four financial services firm.
Surprising, he says, because this was the first time the crisis management teams at banks faced these challenges in real time along side their peers. Running into to at least a few hitches would be expected.
What’s not surprising about the drill was that banks across the board opted out of sharing insight into the problems they ran into.
The event, which roped in 625 people from 25 banks, was aimed at bringing industry heads together while giving banks a sense of their own capacity to manage crises. In that sense, participants hailed it as a validation of crisis management skills.
But the findings at individual banks were self reported. The full results of the drill were shared only among the participating banks, not with the press. Even then, the firms did not share the challenges they faced while managing the faux crisis.
“There was very little sharing of what the takeaways were for individual crisis management teams,” said Willem Hoekstra, the chair of the Hong Kong Financial Services Business Continuity Management Forum, which organised the drill. “People don’t what to hang out their dirty laundry.”
When a bank’s unwashed garments include holes in its cyber security regime, there is little incentive and major risks for being the one that airs those out to competitors.
Experts have pointed out that when information on a bank’s cyber impartments leaks to the public, the firm can become targets for malicious hackers hoping to exploit the hole.
Benefits exist too - and may even outweight the risks if everyone shares. The cyber risks faced by one bank are most likely experienced sector wide. Sharing data on hacks could save banks time and money that would otherwise be spent at each bank as it tries to identify and stamp out problems.
Hong Kong’s regulators have recognised the need to get banks talking. In a circular issued in September, the Hong Kong Monetary Authority (HKMA) even called on industry leaders to put their heads together.
“In this connection, we believe that the broader the sharing of such intelligence among [regulated financial institutions], the more the banking industry will be ready to address the relevant risk,”
The problem of sharing is global and different regulators have taken up different means for dealing with it.
HKMA has not said who should take up the mantel. In Britain, the Bank of England has led the testing initiative, called CBEST, and hopes to derive cyber intelligence from the project. The United States is in the process of passing legislation, called the Cyber Information Sharing Act, that would require banks to share data on cyber security issues with the government.
In the next drill in Hong Kong, slated for 2017, a metric for measuring the effectiveness of the bank’s crisis management teams could be introduced, Hoekstra said. That very well could lower the flawlessness of the self-reported results. But it could also generate discussion on the industry-wide problems that no one wants to talk about.
As for who will lead a data-sharing project, Hoekstra said it is too early to tell.
“The ink is still wet on these results,” he said.