High alert: there is a growing awareness of cybercrime in Hong Kong as estimated financial losses by banks soar by 50 per cent in past year
Present platform, whereby banks share knowledge of threats across the region, is likely to be expanded to other financial institutions
Hong Kong is a target for cybercrime – a threat that will grow, say risk advisory experts. Technology crimes caused an estimated financial loss of HK$1.8 billion last year, a 50 per cent increase from 2014.
“Hong Kong was ranked the ninth most targeted economy for cybercriminals in the banking sector for the first quarter of this year,” says Ricky Cheng, director of risk advisory services at BDO.
Hong Kong is targeted by organised cybercriminals, says Eugene Ha, deputy managing partner at Grant Thornton. “Illegal activities always follow the money. Even though the number of cybercrime cases has not drastically increased, financial losses from cybercrime have increased by 50 per cent.”
Control and governance are the key factors in combating cybercrime. In May, the Hong Kong Monetary Authority (HKMA) launched the Cybersecurity Fortification Initiative (CFI), a move welcomed by professionals.
The CFI provides guidelines for banks to follow, according to their size and scope.
“It allows banks to evaluate their existing security status against the framework so as to comply with the HKMA standards. The framework also provides a common language/protocol for all stakeholders to communicate more effectively,” Ha says.
“The HKMA has tested the water in the banking sector,” Cheng adds.
At a corporate level, there is a growing awareness of the threats posed, Ha says. “A few clients have indicated that their IT budget for security and risk management would not decrease and some even said that they would try to allocate more funds from other areas. Most firms have implemented their own security protection – multilayer firewalls, intrusion detection systems, antimalware systems and data loss prevention systems are common among Hong Kong enterprises.”
People and processes are equally important in protection from “backdoor” cyber attacks, Cheng says. “Investing [solely] in threat and detection systems may not fully protect organisations from evolving cyber attacks. Awareness training can be a more effective way to avoid this type of attack.”
This is an area that firms in Hong Kong have traditionally invested too little in, according to Ha.
“We are looking forward to seeing more companies investing in enhancing the technical skills of the IT team, as well as the staff awareness of cyber security and the corporate governance of the management,” he says.
To address this, the CFI has introduced a Professional Development Programme (PDP) and a Cyber Intelligence Sharing Platform (CISP). The PDP offers advanced skills for qualified security professionals, Ha says.
It points to a more sustained and long-term answer to the issue. “With this type of training and certification programme, the supply of qualified professionals in cybersecurity will increase,” he adds.
CISP is a platform for banks to stay informed of what is happening across the region. “Even though it is currently restricted to the users from HKMA, police and the banking sectors, we anticipate it will be extended to other financial institutions,” Cheng says.
Banks should start preparing for the new policies by training staff, Ha adds. “Other enterprises should welcome this CFI, as it lays the foundation of a cybersecurity protection framework for all.”