Hong Kong companies and financial services institutions lag behind the US and Europe in cybersecurity measures as little emphasis is placed on security from a board-level perspective, according to industry experts. “Cybersecurity is not just an information technology problem, it is a CEO-level problem,” said Pierre Noel, chief security officer for Microsoft’s Enterprise Cybersecurity Group in Asia. “When you have a significant cybersecurity incident taking place, not only is IT impacted, operation, reputation and finance are impacted.” A Forrester study commissioned by Microsoft found that a majority of financial services institutions surveyed in Asia-Pacific, including Hong Kong, lacked adequate knowledge of regulatory requirements when it came to using more secure services such as cloud computing. Instead, many continue to rely on traditional methods such as in-house data servers. In particular, banks in Hong Kong tend to be more traditional and complacent when it comes to innovation and digital transformation, according to Forrester’s Research Director Frederic Giron. He said the banking sector in Hong Kong had lagged in their uptake of cloud technology adoption. “Not a lot of banks … are proactive or try to collaborate with regulators to shape cloud strategy,” said Giron. Darren Argyle, chief information security officer of UK-based financial technology firm Markit, believes that Hong Kong banks and companies fall behind the US and Europe in beefing up cybersecurity even as the number of cyberattacks have been on the rise globally. “Many [Hong Kong companies] look to meet the minimum of regulations, rather than taking a risk-based approach to security by understanding who might be the potential attackers and building security from that perspective,” said Argyle. He added that companies often view security as a cost of doing business, as cyber criminals increasingly target corporations in their attacks. One big challenge that Hong Kong faces is a cybersecurity skills gap, in which companies struggle to hire individuals who have enough skills to cover everything a company requires in terms of cybersecurity, according to Argyle. “Cybersecurity is a corporate governance issue, it is as much of a risk as financial, legal, or reputational risks,” said Argyle. “A breach ... could really impact a company’s reputation down the line.” “CEOs of financial companies are now starting to ask what [technology] is in place which assures that they can respond adequately during a breach,” he said. “But often, they only have a junior security person who has only ever lived in a world of technology, and finds it difficult to communicate the real risks in business terms to a board of directors.” The skills gap is more acute in Hong Kong than in other regions, said Argyle. One way to mitigate the skills gap in Hong Kong is for the government to invest heavily in cybersecurity and related security start-ups, thereby encouraging more Hongkongers to pursue a career in security, he said.