
FSDC Paper No. 49

Cybersecurity Strategy for Hong Kong’s Financial Services Industry

June 2021
Contents

Executive Summary 1
Cyberspace Safety – a Significant and Growing Issue Globally 2
Is Hong Kong an Obvious Target? 5
  Cyber risk level of, and impact on, Hong Kong 5
  Hong Kong’s cybersecurity preparedness 8
  Hong Kong should maintain a cyber-safe yet business-friendly environment 9
  From precaution to business opportunities for Hong Kong 11
Hong Kong Is Keeping Pace but Not a Leader 13
  Cybersecurity policy & strategy 14
  Legal & regulatory frameworks – financial industry specific 14
  Cybersecurity culture 16
  Cybersecurity education, training & skills 17
Recommendations 20
  Policy level 21
  Legal and regulatory level 22
  Operational level 24
Conclusion 27
Annex – Jurisdictional Survey of Cybersecurity Frameworks 28


Executive Summary

Cybersecurity, or cyberspace safety, is a cross-industry, cross-boundary subject. Among others,
the financial services industry is a key target of cybercriminals, who have caused tremendous
economic, regulatory and reputational harm over the years. As an international financial centre,
Hong Kong draws an increasing number of cybercrimes, and the readiness of financial institutions in
the city to prevent, address and handle cyber risks is generally on an upward trend.

With developments in the post-COVID-19 era – including licensed virtual financial services, increasing
reliance on cloud and online collaboration tools, etc. – the future cyber universe will become more
complex, presenting a more urgent need to combat cyber risks.

Based on a comparison of the cybersecurity framework of Hong Kong against those of other jurisdictions
(including Australia, the European Union (“EU”), Japan, Mainland China, Singapore and the United
States (“US”)), we have summarised how Hong Kong fares internationally on four key dimensions –
(i) cybersecurity policy and strategy; (ii) legal and regulatory frameworks; (iii) cybersecurity culture (and
society); and (iv) cybersecurity education, training and skills.

Hong Kong is keeping up with its peers, but has yet to become a leader in the cyberspace safety field. To
enhance the city’s cyber resilience, we recommend –

On the policy level –

• to develop a dedicated cyberspace safety roadmap with policy priorities for Hong Kong;

On the legal and regulatory level –

• to develop cyberspace protection legislation;

• to harmonise regulations across the financial sector;

On the operational level –

• to enhance talent development; and

• to operationalise preparedness at industry level through industry-wide stress test and data
recovery enhancement.

Going hand in hand with these recommendations, both the public and private sectors are encouraged
to be fully engaged in the process so that Hong Kong can become an even more competitive international
financial centre with adequate cyber resilience and effectiveness.

Cyberspace Safety – a Significant and Growing Issue Globally

Data has become a key asset of the new economy. With its capacity to be sold and exchanged, data
drives tremendous value that different players in the economy are striving to seize – for good and
bad purposes. Organisations of all sizes, geographic locations and industries are seeking to protect
their data “by preventing, detecting and responding to (cyber) attacks.” This is “cybersecurity”,1 the
subset of the data universe into which this paper looks.

Researching cybersecurity is extremely challenging, as cyber risk is inherently difficult to measure
or quantify. The hidden nature of most sources of cyber risk, together with the unwillingness
of countries and organisations to disclose their vulnerability to risks, has hampered the
development of accurate cyber risk analysis.2

Despite the challenge, cybersecurity is increasingly becoming a high-priority agenda item because
of the alarming harm cyber risk brings. Amongst other consequences, the mounting cost of
cyberattacks is pressing the world to pay more attention to this issue. Over the years, the cost of
cyber-attacks has surged – as early as 2015, a British insurance company estimated that cyber-attacks
would cost businesses as much as US$400 billion a year, globally.3 By 2018, the estimated cybercrime
cost had reached US$600 billion, or 0.8% of the global GDP, according to a study by a US
think-tank.4 A more recent update is that global losses from cybercrime as of 2019 exceeded US$1
trillion, a 50%+ leap from the previous year.5 There are multiple reasons for the cost climb, including:
the increased ease of committing cybercrimes, an expansion of cybercrime ‘centres’ across different
regions, as well as the growing sophistication among cybercriminals in monetising stolen data.6

At the enterprise level, the cost of cyberattacks is multifaceted: internal cost activity centres (for
example, in detection, investigation and recovery) versus external consequences and costs (for
instance, business disruption, revenue loss and information theft); and direct financial losses versus
indirect costs (such as legal and regulatory consequences, reputational damage, etc.). Accenture
and Ponemon surveyed over 2,600 senior professionals from some 350 enterprises across various
industries in 2018.7 They found that both the average number of security breaches and the average
cost of cybercrime have increased steadily: a 67% jump (to 145 breaches in 2018) and a 72% leap
(to US$13 million in 2018) in the past five years. In a more recent survey jointly carried out by an
insurer and a law firm in 2021, cyberattacks ranked top among the five risks rated by the surveyed directors
working across Asia-Pacific, Europe, the UK and the US – 56% of the respondents rated such cyber
risk as very significant or extremely significant to their businesses.8

1. National Institute of Standards and Technology, Computer Resources Centre - Glossary: cybersecurity. Definition set out by the National Institute of Standards and Technology, a non-regulatory agency of the United States Department of Commerce.
2. United States Department of Homeland Security, Cyber Risk Economics Capability Gaps Research Strategy, October 2018.
3. Fortune, Lloyd’s CEO: Cyber attacks cost companies $400 billion every year, January 2015.
4. Center for Strategic and International Studies, Economic Impact of Cybercrime: At $600 Billion and Counting - No Slowing Down, February 2018.
5. McAfee, The Hidden Costs of Cybercrime, December 2020.
6. See footnote 4.
7. Accenture and Ponemon Institute, Ninth Annual Cost of Cybercrime Study, March 2019.
8. Global FINEX – Directors and Officers Insurance (D&O) - D&O Liability Survey 2021, Clyde & Co and Willis Towers Watson, April 2021.
The financial services industry is a prime target of cyberattacks, with the banking and insurance
sectors being the hardest hit, recording an average cost of some US$18 million and US$15 million
in 2018, respectively.9 Along similar lines, IBM found that the finance and insurance sector has been
the most-attacked industry for five consecutive years, with 23% of total cyberattacks and incidents
in 2020.10 Given such statistics, cybersecurity has rapidly climbed in importance on many, if not all,
financial institutions’ agendas.

[Figure: Cost of cyber risk on the rise – global cybercrime cost of US$400 bn (2015), US$600 bn (2018, ~0.8% of the global GDP) and US$1 tn (2019). Sources: Fortune, Center for Strategic and International Studies, McAfee.]

[Figure: Financial services industry most attacked globally – 23% of total attacks (2020). Source: IBM.]

Aside from the heightened cost, cyber risk is also threatening because it is by nature a transnational
subject matter. The place from which a cyberattack is launched and the place it targets need not be
the same, and both can shift swiftly. Historically, the North American and European markets
were common targets of cyberattacks, which prompted them to develop their security preparedness
earlier than others. As these markets have become harder to attack, the centre of gravity has
gradually expanded to the Asia-Pacific region. In recent years, threat levels in Asia
have become significantly higher than those in the rest of the world. For example, as pointed out in
the LexisNexis report, the Asia-Pacific region saw a higher overall attack rate (3%) than the global
average of 1.4% in H1 2020.11 Given such high geographical mobility, cybercrimes are difficult to
trace and prosecute.

9. Ibid.
10. IBM, X-Force Threat Intelligence Index 2021, February 2021.
11. LexisNexis Risk Solutions, Cybercrime Report January-June 2020: The Changing Face of Cybercrime, September 2020.
Different countries and regions have started to realise the importance of cybersecurity and have
enhanced their cyber resilience accordingly. As reported in the Global Cybersecurity Index 2018,12
a significant number of Asian countries, on par with their European and American counterparts,
have demonstrated their cybersecurity commitments across five assessed “pillars” (legal measures;
technical measures; organisational measures; capacity building measures; and cooperation measures).
China (covering Hong Kong), Japan and Singapore are three jurisdictions classified as having ‘high’
commitment to the five pillars. Likewise, in another report by a US think-tank,13 Hong Kong and
Singapore are both considered to have relatively mature cyber regimes, in terms of policies, codes
of conduct and standards.

With the onset of the COVID-19 pandemic, the demands on the cybersecurity sector have
become even more urgent. As governments, organisations and individuals have been forced to
embrace new online activities such as remote working and virtual conferences, cybercriminals
around the world have capitalised on this crisis. In April 2020, for example, the World Health Organization
announced that the number of cyberattacks it had encountered had increased fivefold compared
with the same period in the previous year.14 This is echoed by another survey report issued by
a specialist insurer, which found that almost half of the businesses in Europe and North America
were targeted in 2020 by cybercriminals taking advantage of the pandemic.15 Specifically, 43%
of the 6,042 companies surveyed in eight jurisdictions had suffered an online attack in 2020, a 38%
year-on-year increase.16 As for the financial services industry, a number of authorities have called
on financial institutions to enhance their cyber resilience efforts. Amongst others, the Financial
Action Task Force (“FATF”) points out, in its risk and policy response, that there has been a sharp
increase in social engineering attacks, which use links to fraudulent websites or malicious attachments
to acquire clients’ personal payment information.17 Increased remote transactions, limited familiarity with
online platforms, and unregulated financial services, amongst others, could lead to additional
vulnerabilities in the global financial system.18

12. International Telecommunication Union, Global Cybersecurity Index (“GCI”) 2018, April 2019.
13. Centre for Strategic & International Studies, Financial Sector Cybersecurity Requirements in the Asia-Pacific Region, April 2019.
14. World Health Organization, WHO reports fivefold increase in cyber attacks, urges vigilance, April 2020.
15. Hiscox, Hiscox Cyber Readiness Report 2021, April 2021.
16. Ibid.
17. Financial Action Task Force, COVID-19-related Money Laundering and Terrorist Financing: Risks and Policy Responses, May 2020.
18. Ibid.
Is Hong Kong an Obvious Target?

Over the years, there have been various studies on how cyber risks should be assessed. As a result,
a number of assessment standards have evolved. However, some of the most widely-adopted
standards are more suited for communicating the likelihood and severity of a cyberattack, but rarely
for providing the quantum of losses that could occur over a period of time. Likewise, market and
credit risk metrics such as value-at-risk, as some suggest, are not relevant to cybersecurity.19

Despite the absence of a widely-recognised scientific basis for assessing cyber risks, global business
leaders are increasingly focused on cybersecurity issues. According to a report from the World Economic
Forum,20 cyberattack is considered by senior executives to be one of the top 10 risks facing the
world.

While cybersecurity is an area of concern for businesses in a wide range of industry sectors, for the
purposes of this paper, we intend to focus on its impact on the overall economy and the financial
services industry. In this section, we will look into whether Hong Kong, in its capacity as a leading
international financial centre in the region, is an attractive target for cyberattacks, and if so, whether
the city is sufficiently prepared for this scenario.

Cyber risk level of, and impact on, Hong Kong

Hong Kong’s cyber risk level is palpable and increasing. According to the Hong Kong Computer
Emergency Response Team Coordination Centre (“HKCERT”), the number of cybersecurity breaches
continues to be significant. The latest published figures show that Hong Kong, in 2020 alone,
recorded close to 39,000 unique security events, involving malware hosting, phishing and defacement.21
As for technology crimes, the number of cases climbed to 8,322 in 2019, i.e., a 6% year-on-year increase,
according to the Hong Kong Police Force.22

How Hong Kong stands internationally in terms of its cyber risk level attracts diverse views. Figure A
compares the number of technology crime cases per capita in Hong Kong with that of several other
developed economies. Notwithstanding minor differences in the definition of technology/cyber/
computer-related crimes across jurisdictions, the number of cases per capita for Hong Kong
appears broadly in line with that of the other countries in the survey. Meanwhile, looking at digital
attacks, Hong Kong appears to be one of the targets of cross-boundary events (see Figure B, a
screenshot of daily DDoS attacks targeting Hong Kong).

19. Domenic Antonucci, The Cyber Risk Handbook: Creating and Measuring Effective Cybersecurity Capabilities (p.67-70), May 2017.
20. World Economic Forum, The Global Risks Report 2021, January 2021.
21. Hong Kong Computer Emergency Response Team Coordination Centre, Hong Kong Security Watch Report (Q4 2020), February 2021.
22. Hong Kong Police Force, Law and order situation in 2019, March 2020.
[Figure A: Number of cyber / technology crime cases per thousand of people, 2016–2019, for Hong Kong, Singapore, the U.K. and the U.S. (* 2019 data of the U.K. is not available). Sources: HKSAR Police Force; Singapore Cyber Security Agency (CSA); UK Office for National Statistics (ONS); US Federal Bureau of Investigation (FBI) and Internet Crime Complaint Center (IC3).]

[Figure B: Daily DDoS attacks targeting Hong Kong. Source: Digital Attack Map, built through a collaboration between Google Ideas and Arbor Networks (accessed on 14 May 2020).]

Cyber risks faced by financial institutions in Hong Kong also should not be understated. According
to the IMF staff’s findings, while advanced economies (including the US and the UK) account for a
majority of successful attacks on financial institutions, Hong Kong represented 3% - comparable to
counterparts such as Italy and India (see Figure C).23
23. International Monetary Fund, IMF Working Paper – Cyber Risk for the Financial Sector: A Framework for Quantitative Assessment, June 2018.
[Figure C: Cyber-attacks on financial institutions (% of total), by jurisdiction – U.S., Great Britain (United Kingdom), Russia, Hong Kong, India, Netherlands, Germany, Italy, Sweden, South Africa and others. Sources: ORX News, IMF staff calculations.]

The economic losses resulting from cybercrimes also give more insight into the severity of the cyber
risks which Hong Kong is facing. A 2018 Frost & Sullivan study commissioned by Microsoft revealed
that the potential economic loss in Hong Kong due to cybersecurity incidents may hit US$32 billion,
about 10% of Hong Kong’s GDP.24 In particular, a large-sized organisation (i.e., with 500 employees
or more) could potentially incur an economic loss of US$24.9 million, over 650 times the average
estimated economic loss for a mid-sized organisation (i.e., 250 to 499 employees).25

As for actual financial losses, Hong Kong companies and residents lost more than HK$2.9 billion
(US$372.63 million) to cybercriminals in 2019.26,27 In the securities brokerage sector, for example, for
the 18 months ended 31 March 2017, the Securities and Futures Commission (“SFC”) received close
to 30 cybersecurity incidents, most of which involved hackers gaining access to customers’
internet-based trading accounts with securities brokers resulting in unauthorised trades totalling
more than HK$110 million (US$14.2 million).28

Of course, one could argue that the above statistics do not qualify as conclusive evidence to prove
that Hong Kong is exposed to greater cyber risk than other major economies, but the number of
cybercrimes and amount of financial losses should suffice to suggest at the very least that Hong
Kong is a key target for cyberattacks. Echoing the LexisNexis report, Hong Kong has emerged as
a ‘prime target’ for cyberattacks, given that the city is a “significant financial centre and boasts one
of the highest per capita incomes globally. These factors, combined with a more advanced digital
economy, makes Hong Kong one of the main focuses for cybercrime in the APAC region”.29

24. Microsoft, Cybersecurity threats to cost organizations in Hong Kong US$32 billion in economic losses, June 2018.
25. Ibid.
26. InfoSec (under Office of the Government Chief Information Office), Computer Related Crime: Recent Statistics, last updated in March 2021.
27. A deeper dive into the recent figures (from Cyber Security and Technology Crime Bureau, Hong Kong Police) includes: in 2019, internet deception under general technology crime recorded a total of 5,157 cases, accounting for 62% of the overall 8,322 cases of technology crimes; in H1 2020, the number of technology crime cases involving virtual currencies recorded a y-o-y increase of 1,060% (58 cases in H1 2020), incurring a total loss of HK$23 million.
28. Securities and Futures Commission, Consultation Paper on Proposals to Reduce and Mitigate Hacking Risks Associated with Internet Trading, May 2017.
29. See footnote 10.
Hong Kong’s cybersecurity preparedness

While the elevated level of cyber risk facing Hong Kong is alarming, that fact should not be used as
an excuse to scale back on adopting new technologies. Instead, the focus should be on how to strike
a balance between the extent of cybersecurity measures applied and market/business development.

With this, the question to ask is whether Hong Kong is sufficiently prepared to prevent, address
and/or handle the cyber risks it is facing. Research and surveys on the overall cybersecurity preparedness
of Hong Kong, as an economy or jurisdiction compared with others, are limited. Most researchers and
international organisations (such as the International Telecommunication Union (“ITU”) – a specialised
agency of the United Nations) compile their global cybersecurity indices by ‘country’, with the result
that a market like Hong Kong is often not given a dedicated score or ranking. Nonetheless, survey
findings on the level of preparedness within Hong Kong across the business sector serve as
a useful reference.

In short, the level of preparedness within Hong Kong is uneven. The Hong Kong Productivity
Council and HKCERT developed a framework to compile the Hong Kong Enterprise Cyber Security
Readiness Index to keep track of the status of local cybersecurity awareness and readiness in business
sectors. In 2020, the overall cybersecurity readiness of Hong Kong enterprises was 46.9 out of 100,
falling at the lower end of the “Basic” category, a decrease of 2.4 from the previous year.30 Of the six
sectors studied, the financial services sector demonstrated the highest level of readiness, at 62.9, in
the “Managed” category.31 For companies outside the financial sector, the level of readiness was
much lower, with specific weaknesses identified in relation to non-technical solutions (such as training,
awareness building, processes, etc.). This could indirectly threaten financial institutions in Hong Kong,
given that cyber risk is a cross-sectoral issue – for example, private or confidential
information about individuals held by such companies can be used for targeted attacks on their accounts with
financial institutions. Further, across the four assessed areas of the Index, human awareness was the
one in which all industries scored the lowest.

This uneven level of cybersecurity preparedness is keenly felt by cybersecurity experts in
Hong Kong. Between May and June 2020, the FSDC conducted several rounds of discussions with
seasoned cybersecurity practitioners in Hong Kong,32 who unanimously agreed that the financial industry
of Hong Kong is better prepared than other industries. Yet, even across the financial industry, institutions
have varying levels of readiness, with larger institutions being able to afford the increasing resources
required to enhance their cybersecurity infrastructure while smaller ones remain static. Working
under the common misconception that cybersecurity is interchangeable with ‘technology’, some
institutions have sought IT-related certifications without a sensible purpose.

According to the experts interviewed, the generally weak level of individual/personal awareness
of cyber risks is a key challenge for Hong Kong (and indeed other parts of the world). While
institutions tend to place more emphasis on corporate cyber infrastructure, the “human element” is
commonly neglected. Individuals – including each and every user of financial services or practitioner
within the industry – can largely determine the cyber resilience of the financial services industry. This is
demonstrated by the fact that human error has been a primary reason behind many cybersecurity
breaches. These breaches occur due to human errors such as configuration mistakes, or arise from
subcontracting the work to third parties who have insufficient understanding of the server needs.
In particular, when new (virtual) joiners attempt to challenge traditional financial institutions for market
share, some tend to push their systems out at speed, overlooking misconfiguration issues.

30. Hong Kong Computer Emergency Response Team Coordination Centre, SSH Hong Kong Enterprise Cyber Security Readiness Index 2020 Survey, April 2020.
31. Ibid.
32. Practitioners with more than 15 years of experience in cybersecurity-related work at financial institutions, universities and FinTech startups.
Hong Kong should maintain a cyber-safe yet business-friendly environment

As explained above, although Hong Kong is a key target of cyberattacks, the city – especially its
financial services industry – has some degree of preparedness for these attacks. However, this
attack-versus-preparedness battle is constantly evolving, as the future cyber universe will only become more
complex.

As acknowledged by the World Economic Forum staff and others,33 cyberattacks will likely become
more ubiquitous and sophisticated. With the use of artificial intelligence (e.g., Emotet Trojans), cyber
attackers can learn from failed attempts, modify and relaunch even more scalable, customised
attacks from which neither a sector nor a financial centre can be immune. The future of cybersecurity
will likely be driven by a new class of subtle yet sophisticated attackers.

This is especially a challenge for an international financial centre like Hong Kong, given that
the financial services industry is, by its nature, particularly vulnerable to cyber risk and its
rapidly evolving nature. Financial institutions place significant reliance on critical financial market
infrastructures such as payment and settlement systems, trading platforms, central counterparties,
etc. A single point of failure in a piece of critical infrastructure, triggered by a cyber-attack, can have
a ripple effect impacting various other parts of the financial system. For example, both the RTGS and
SWIFT systems, given their importance to cash and securities payments and settlements, are potential
‘single points of failure’.34 A cyberattack on such systems could result in consequences beyond
those systems and their participants to the entire financial markets – e.g., if SWIFT were not able to
submit payment instructions, due to cyberattacks, the consequence could be widespread liquidity
dislocations.35 Markets with relatively short settlement cycles (e.g., markets for uncollateralised overnight
loans and repurchase agreements) would especially be affected.36

While rapid technological development brings more convenience and efficiency to businesses and
individuals, it also leads to increasing complexity of cybersecurity issues for Hong Kong. With developments
such as the introduction of virtual financial services since 2018 (through, for example, virtual banks
and virtual insurers), the use of online/remote virtual services will naturally increase and, thus likely
result in cybersecurity becoming more closely intertwined with and indispensable to the financial
services industry.37 In the post-COVID-19 era, financial institutions are experiencing a transformation
in how they operate – from a physical, office-based mode more to a virtual/remote mode, through
cloud, online collaboration tools, etc. Together with the coming of the fifth generation (5G) network
coverage and other Smart City infrastructures, all these rapid changes will exponentially increase
the opportunities for hackers and cybercriminals to exploit.

33. World Economic Forum, 3 ways AI will change the nature of cyber attacks, June 2019.
34. World Economic Forum, Understanding Systemic Cyber Risk, October 2016.
35. Ibid.
36. Ibid.
37. Other incorporation of technology into financial services, for example in the Know-Your-Client process, is also relevant and is being studied by the FSDC separately.
As referenced in the previous paragraph, financial services institutions in Hong Kong have been
forced to adapt to a more remote and online business model since the onset of the Covid-19 pandemic.
This was an area of concern in the context of investment product sales, which have traditionally
required some level of face-to-face interaction as part of account opening, anti-money laundering
and suitability procedures, as well as consumer protection safeguards. Those face-to-face requirements
also provided some level of protection against cyber risk. Hong Kong financial regulators, including
the SFC, Hong Kong Monetary Authority (“HKMA”) and Insurance Authority (“IA”), recognised the
urgent pressures facing their regulated populations as a result of Covid-19 and responded by permitting
financial institutions more flexibility in using remote/online solutions, building on moves that the regulators
had been making in recent years with the advent of FinTech and online sales platforms.38 Although
these moves assisted financial sector participants in maintaining business levels while employees
were working from home, they also exposed such institutions and their staff to a greater degree of
cyber risk. The SFC expressly recognised this in its 29 April 2020 circular addressing the management
of cybersecurity risks in light of the increased use of remote office arrangements, in which it reminded
licensed corporations to “assess their operational capabilities and implement appropriate measures
to manage the cybersecurity risks associated with these arrangements”.39

The fast-changing landscape is truly challenging for a financial centre. On the one hand, there is the
need for cyber safety; on the other hand, the precautionary (or regulatory) measures cannot go so
far that they hinder the further development of the market. In this uphill battle of maintaining a cyber-safe
yet business-friendly environment, Hong Kong needs a clear, up-to-date cybersecurity policy direction.

38. Insurance Authority, Circulars - Temporary Facilitative Measures to tackle the Outbreak of Covid-19, February & March & June 2020 (allowing non face-to-face distribution methods for certain types of insurance policies); Hong Kong Monetary Authority, Circular - Coronavirus disease (COVID-19) and Anti-Money Laundering and Counter-Financing of Terrorism (AML/CFT) measures, April 2020 (encouraging the fullest use of reliable digital customer on-boarding); and Securities and Futures Commission, Circular - Extended deadlines for implementation of regulatory expectations and reminder of order recording requirements under COVID-19 pandemic, March 2020 (alternative order receiving and recording options).
39. Securities and Futures Commission, Circular - Management of cybersecurity risks associated with remote office arrangements, April 2020.
From precaution to business opportunities for Hong Kong

The value proposition of a robust cybersecurity framework is not limited to the precautionary (or
protective) dimension. It can also serve as a foundation of developing business opportunities for the
financial services industry.

Development of a cyber-insurance market is one such opportunity. The global cyber insurance
market is expanding quickly, with an annual growth rate of approximately 20% - 25%.40 In 2019,
the market for cybersecurity insurance stood at US$7.36 billion; by 2025, it is forecast to reach US$27
billion.41 While conventional cyber insurance products (such as those covering data breach, extortion,
cybercrime and fraud, etc.) mainly focus on protecting digital assets against losses caused by cyber
risks, the future cyber insurance market will likely expand to insure the cyber risks of intangible
assets such as cryptocurrency and other digital assets.42

The global demand for cyber-insurance is growing while take-up remains patchy. For now, the
cyber insurance market is largest in the US, and most firms that offer these policies are
US-based.43 According to a survey report issued by a specialist insurer in April this year, a third of
the surveyed US firms had standalone cyber insurance cover.44 In Europe, activity in this regard
is also increasing – for example, two prominent insurance firms based in Germany announced, in
March 2021, a partnership with a major cloud provider on cyber insurance, combining the provider’s
cloud-specific security expertise with the insurers’ risk transfer expertise. Meanwhile, that demand is present in
Hong Kong as well. In 2018 alone, the city faced over 7,800 cybercrime cases, accounting for more
than HK$2.7 billion of financial losses.45 Another survey conducted by a major insurer indicated that
76% of small- and medium-sized enterprises in Hong Kong experienced a cyber-incident in 2019,
with about a third of those companies taking no further action after the incident. Given the above,
several international insurance companies are developing their businesses to serve this underinsured
population, with the aim of better measuring, mitigating and transferring the increasing cyber-related risks of
their clients.46,47

40 KPMG, Seizing the cyber insurance opportunity, July 2017.
41 Sjouwerman, S. (2020). Cyberheist: The biggest financial threat facing American businesses since the meltdown of 2008. Clearwater, FL: KnowBe4.
42 Lloyd’s, Lloyd’s launches new cryptocurrency wallet insurance solution for Coincover, February 2020.
43 See footnote 40.
44 See footnote 14.
45 See footnote 25.
46 蘋果日報 (Apple Daily), QBE:網絡保險查詢大增 (“QBE: cyber insurance enquiries surge”), June 2019. (in Chinese only)
47 明報 (Ming Pao), 網絡保險興起 AIG:保費年增四成 亞洲網絡攻擊風險高 市場潛力大 (“Cyber insurance on the rise; AIG: premiums up 40% a year, Asia’s cyberattack risk high, large market potential”), December 2018. (in Chinese only)

Venture capital investment in cybersecurity-focused companies is also rising, as are mergers
and acquisitions (M&A) activities. Venture capital investors increasingly recognise the business
potential that cybersecurity products and applications could bring, for example, through using
machine learning to develop security solutions for enhancing client experience. The breadth and
depth of the cybersecurity business is being increasingly explored. In 2018, a total of US$6.4 billion
in venture capital investment went to cybersecurity companies, according to KPMG.48 As of Q3 of
2019, cybersecurity companies constituted US$5.8 billion of venture capital investments through a
total of 388 deals.49 Most deal targets were from Israel and Europe. Further, M&A has become a popular
exit strategy for many cybersecurity startups. For example, in Q3 of 2019 US-based cybersecurity
company Palo Alto Networks acquired container security company Twistlock in an effort to extend its
cloud security reach.50

In order to address both the need for protection against evolving cyber risks and development of
potential business opportunities in the cybersecurity sector, Hong Kong should strive to continually
improve and enhance its cybersecurity framework.

[Infographic] Why is cybersecurity relevant to Hong Kong’s financial services industry?

Now: potential cybersecurity economic loss of US$32 bn; cybersecurity preparedness score of 62.9/100.

Then: AI makes future attacks more scalable and sophisticated; potential business opportunities, e.g. cyber insurance, VC investments, M&A, etc.

Sources: Frost & Sullivan, Microsoft, Hong Kong Productivity Council, HKCERT, World Economic Forum, KPMG

48 KPMG, Venture Pulse Q3 2019, October 2019.
49 Ibid.
50 Ibid.

Hong Kong Is Keeping Pace but Not a Leader
As mentioned above, cybersecurity is a tricky topic – cyber risk is difficult to measure or quantify, as
is the cyber resilience of a particular place. In general, while there is no clear leader in the cybersecurity
space, it is fair to say that some jurisdictions are considered relatively ‘more developed’ than the
others. As indicated in various research studies,51 Australia, the European Union (“EU”), Japan,
Mainland China, the US and Singapore are often named as jurisdictions associated with having an
advanced cybersecurity framework. Given this, we have conducted a jurisdictional survey of Hong
Kong’s cybersecurity framework against each of these five jurisdictions.52

Drawing reference from part of the Cybersecurity Capacity Maturity Model for Nations developed by
the Global Cyber Security Capacity Centre at Oxford University,53 the jurisdictional survey covers the
selected jurisdictions’ approaches across four key dimensions: (i) cybersecurity policy and strategy;
(ii) legal and regulatory frameworks; (iii) cybersecurity culture (and society); and (iv) cybersecurity
education, training and skills. A survey of these approaches is not to suggest one way is better than
the other, but at a minimum it can provide a helpful reference for Hong Kong as it considers its way
forward to fill the gaps in its framework and keep pace with other leading jurisdictions.

[Figure] Jurisdictional survey matrix: the United States, the European Union, Japan, Mainland China, Hong Kong, Singapore and Australia, compared across four dimensions: cybersecurity policy and strategy; legal and regulatory frameworks; cybersecurity culture and society; and cybersecurity education, training and skills.

51 Various research studies, such as “Safe Cities Index 2019” by the Economist in terms of ‘digital security’, have been considered.
52 Key features of the cybersecurity frameworks of the selected jurisdictions and Hong Kong are set out in the Annex.
53 This is a “first of its kind” model to review cybersecurity capacity maturity across the five key dimensions, with the aim of enabling governments to “self-assess, benchmark, better plan investments and national cybersecurity strategies, and set priorities for capacity development”.

Cybersecurity policy & strategy

A common feature of the cybersecurity frameworks of other markets is a centralised strategy or
policy direction dedicated to cybersecurity; in Hong Kong, by contrast, cybersecurity policy
direction is blended into the broader Smart City Blueprint. As part of the Smart City Infrastructure,
the Government has the vision to enhance its cybersecurity capability to “address new security
risks, facilitate collaboration among stakeholders to promote awareness and incident response
capability in the community”. To this end, the Government publishes policies and guidelines on
cybersecurity on a regular basis, grooms and attracts cybersecurity talent, and participates in
global and regional cybersecurity organisations to enhance information exchange. Hong Kong
adopts a multi-stakeholder approach to strengthening its cyber resilience, which means that work
and obligations related to cybersecurity rest with various government bureaus and agencies.

In comparison, some of the jurisdictions reviewed in the survey have chosen to establish a centralised
strategy specifically for cybersecurity related matters. For instance, the EU’s strategy, updated in
December 2020, sets out its approach on priority areas such as increasing the level of cyber resilience
of critical public and private sectors, and enhancing operational capacity to reduce cybercrime
(including the establishment of a new Joint Cyber Unit to strengthen cooperation between the EU
and its member states). Similarly, following a 2018 update to the US national cyber strategy which
itself built upon earlier cybersecurity initiatives by successive administrations, and in the aftermath
of the unprecedented SolarWinds cyberattack, the new US administration has acted quickly to
outline its cyber strategy, noting that it will “make cybersecurity a top priority, strengthening our
capability, readiness, and resilience in cyberspace.”54 Likewise, the Australian government in 2020
launched an updated cybersecurity strategy, replacing the earlier 2016 version. The revised strategy,
which has a stronger focus on deterrence and security than the prior version, is accompanied by an
AUS$1.67 billion investment over 10 years to strengthen cyber resilience and security. Finally,
Singapore also took the opportunity in 2020 to announce a “Safer Cyberspace Masterplan”, building
on its 2016 Cybersecurity strategy and focusing on, amongst other things, securing core digital
infrastructure and safeguarding cyberspace activities for its population.

Legal & regulatory frameworks – financial industry specific

In terms of the overall cybersecurity legislation, Hong Kong does not have a standalone set of
cybersecurity legislation or an independent enforcement agency, as some other leading
jurisdictions do. Nonetheless, there are ordinances which address cyber- or computer- incidents.
Various sectoral regulators, particularly in the financial sector (e.g., HKMA, IA and SFC), have also
introduced cybersecurity regulations and other initiatives for their respective sectors; their
approach is rather light-touch and operates at a micro level. Further, Hong Kong has a personal data privacy
and protection framework in the form of the Personal Data (Privacy) Ordinance (“PDPO”).

The EU, Japan, Mainland China and Singapore have a combination of standalone cybersecurity or
cyberspace protection legislation (as an umbrella under which other regulations or initiatives are
made) and some pieces of financial industry specific regulations/guidance. Apart from a standalone
cybersecurity statute, most of these jurisdictions also have data privacy and protection legislation.
In particular, the European and Singaporean statutory frameworks provide for mandatory breach
notification in cases where there has been a material breach of data privacy/data protection rights
(for example, as a result of a large-scale hacking incident).

54 The White House, Interim National Security Strategic Guidance (March 2021).

In relation to the financial sector, Hong Kong’s financial industry regulations and guidance on
cybersecurity / cyberspace protection are sector-specific. Each regulator tends to have its
own regulations/guidance for financial institutions that are licensed under their respective
purviews. Some of the key regulations/guidance include:

• The SFC’s “Guidelines for Reducing and Mitigating Hacking Risks Associated with Internet
Trading” encourage protection of client internet trading accounts through two-factor authentication
processes, monitoring mechanisms,55 prompt client notification, data encryption and stringent
password policies;56 in relation to COVID-19, the SFC issued a circular in April 2020 reminding
licensed corporations to assess their operational capabilities and implement appropriate measures
to manage cybersecurity risks associated with remote office arrangements;57

• The HKMA has its Cybersecurity Fortification Initiative (“CFI”), comprising: (i) the Cyber Resilience
Assessment Framework (C-RAF) (a two-part self-assessment and intelligence-led Cyber Attack
Simulation Testing (iCAST) to help AIs evaluate their cyber resilience); (ii) the Professional
Development Programme (PDP) (certification scheme and training program for cybersecurity
professionals); and (iii) the Cyber Intelligence Sharing Platform (CISP);58,59 and

• The IA’s “Guidance Note on the Corporate Governance of Authorised Insurers” (section 7.17)
requires an authorised insurer to identify cybersecurity threats arising from network, email and
relevant devices,60 and its “Guideline on Cybersecurity” sets out the minimum standards of
cybersecurity that are expected of an Authorised Insurer.61

Mainland China’s approach is similar to that in Hong Kong. The China Securities Regulatory Commission
and China Banking and Insurance Regulatory Commission, amongst others, have their respective
regulations and guidance in relation to cybersecurity.

By contrast, cybersecurity regulations specific to the financial industry in other jurisdictions tend to
be all-embracing, mainly owing to their super-regulator structure. For example, the primary set of
cybersecurity regulations covering financial institutions in Singapore is the Monetary Authority of
Singapore’s Technology Risk Management Guidelines (updated in January 2021 to reflect the
fast-moving cyber threat landscape) and associated circulars and notices. In Japan, regulations
and guidelines in this regard are mainly prescribed by the Financial Services Agency.

55 Securities and Futures Commission, Guidelines for Reducing and Mitigating Hacking Risks Associated with Internet Trading, October 2017.
56 Securities and Futures Commission, Circular to All Licensed Corporations Alert for Ransomware Threats, May 2017.
Securities and Futures Commission, Circular to Licensed Corporations Engaged in Internet Trading Good Industry Practices for IT Risk Management and Cybersecurity, October 2017.
57 Securities and Futures Commission, Circular to licensed corporations Management of cybersecurity risks associated with remote office arrangements, April 2020.
58 The HKMA launched the Cybersecurity Fortification Initiative (CFI) in 2016, with a view to raising the cyber resilience of Hong Kong's banking system.
59 The HKMA has recently completed a review of the CFI and introduced an enhanced version (CFI 2.0) in November 2020. Major enhancements include incorporating recent international sound practices on cyber incident response and recovery under the Cyber Resilience Assessment Framework (C-RAF) and expanding the certification list under the Professional Development Programme (PDP) to include equivalent qualifications in major overseas jurisdictions.
60 Hong Kong Monetary Authority also launched the “Enhanced Competency Framework on Cybersecurity” in December 2016 (updated in January 2019) in parallel with the CFI, to enable talent development and facilitate the building of professional competencies and capabilities of those working in cybersecurity. In October 2017, the HKMA issued a circular to CEOs of Registered Institutions requiring them to apply the SFC Guidelines for Reducing and Mitigating Hacking Risks Associated with Internet Trading. Further, the HKMA exercises its supervision over authorised institutions’ information systems through regular on-site examinations, off-site reviews and prudential meetings. The HKMA takes a risk-based approach to compliance, requiring different benchmarks and review cycles for institutions with different risk profiles.
61 Insurance Authority, Guidance Note on the Corporate Governance of Authorized Insurers, October 2016.
62 Insurance Authority, Guideline on Cybersecurity, June 2019.
Failure to comply with the Guideline does not by itself render an authorised insurer liable to any judicial or other proceedings, but codes or guidelines are admissible in evidence in any proceedings under the Insurance Ordinance before a court. The IA will also have regard to the codes and guidelines when taking disciplinary actions.

Cybersecurity culture

With human error being one of the main causes of cybersecurity incidents, the cultivation of cyber
resilience awareness amongst individuals and enterprises is an area of increasing focus. As stated
in earlier paragraphs, the level of preparedness in Hong Kong’s business sector for cyber incidents
is improving but remains uneven across different industries. To incentivise organisations to
improve their cyber resilience, the Innovation and Technology Bureau has offered subsidies to
enterprises of all sizes to put in place cybersecurity measures (subject to certain requirements) under the
Technology Voucher Programme since November 2016.62 This programme focuses more on the
technological services and solutions perspective, as opposed to the individual user/practitioner
level. To cultivate awareness of collaboration in cyber security, the Partnership Programme on Sharing
of Cyber Security Information (Cybersec Infohub) enables industries and enterprises to, amongst
others, share information on cybersecurity related matters.63 Turning more broadly to personal data
processing in Hong Kong, there is relatively little engagement of the public as data subjects in
promoting their cybersecurity awareness.

Culture takes time to be cultivated and our European counterparts have been early movers in this
regard, having put in place data protection legislation since 1998. Under the General Data Protection
Regulation (“GDPR”) which came into effect in 2016, data subjects in the EU are given a series of
rights in relation to the processing of their personal data, including a right to access personal data,
right of rectification of personal data, right of erasure of personal data, and a right to object to the
processing of personal data.64 Data subjects in the EU have made use of these data protection
rights provided by the GDPR at a swift pace.65 For instance, an airline was facing a £500 million class
action lawsuit in a UK court for non-material damage caused by a security breach.66 Further, the
UK’s Information Commissioner’s Office announced its intention to fine a hotel group and an airline
for data breaches under GDPR.67,68

The US takes an alternative approach through developing the cyber workforce of the future and
catalysing the next billion-dollar company. For example, New York’s Cyber NYC, a US$100m
public-private investment, was launched in 2017 aiming at turning the city into a capital of cybersecurity.

As for Australia, a 2018 CEO survey noted that 89% of Australian respondents said they were concerned
about cyber threats (up from 80% the previous year); however, only 44% surveyed said they were
investing more heavily in cybersecurity protection in order to build trust with customers.69

62 The Bureau has also worked with the Hong Kong Internet Registration Corporation Limited in providing free website scanning services for SMEs. It has maintained the Cyber Security Information Sharing and Collaborative Platform to allow the sharing of cybersecurity intelligence between organisations. Amongst other incentives, the Hong Kong Computer Emergency Response Team Coordination Centre provides free 24-hour hotline services for organisations to report cybersecurity incidents and to give recommendations on how to respond.
63 Cybersec Infohub is a cross-sectoral, public-private-partnership programme that promotes closer collaboration among local information security stakeholders of different sectors to share cybersecurity information and jointly defend against cyberattacks. More than 360 organisations from a wide spectrum of industries had joined as at January 2021.
64 Also for information, the PDPO of Hong Kong provides for the right to request access to personal data and the right to request correction of personal data.
65 The Law Reviews, The Privacy, Data Protection and Cybersecurity Law Review (Edition 6) - European Union Overview, October 2019.
66 Ibid.
67 Information Commissioner’s Office, Statement: Intention to fine Marriott International, Inc more than £99 million under GDPR for data breach, July 2019.
68 British Broadcasting Company (“BBC”), British Airways faces record £183m fine for data breach, July 2019.
69 PwC, Infographic: How cyber aware is Australian business?, March 2018.

Cybersecurity education, training & skills

The cyber talent pool has long been considered deficient. According to an international information
system security certification consortium called (ISC)², the shortage of cybersecurity professionals
was close to 4.3 million globally and the cybersecurity workforce needs to increase by a staggering
145% to cope with the surge in demand.70 On the organisation level, about 65% of the surveyed
organisations expressed they were experiencing a shortage of cybersecurity staff. On the regional
level, APAC experienced the highest talent shortage, at around 2.6 million (see Figure D). In Hong
Kong, of the 98,780 IT employees in 2018, only 1.2% specialised in IT security.71

Figure D: Cybersecurity workforce gap by region

Region           Workforce gap    Share of global gap
APAC             ~2.6M            64%
Latin America    ~600,000         15%
North America    ~561,000         14%
Europe           ~291,000         7%
Global           ~4.07M           100%

Source: “Cybersecurity Workforce Study 2019”, (ISC)²

The relatively narrower talent gap in Europe can be attributed to a number of reasons. As some
cybersecurity experts pointed out, in various European countries, military defence training has
incorporated a strong emphasis on cybersecurity, which to some extent helps the countries groom
a sustained pool of cybersecurity experts. Further, Europe’s cybersecurity education & training strategy
is generally considered organised and structured, and thus effective. The European Union Agency
for Cybersecurity (“ENISA”), the EU agency overseeing cybersecurity, supports many initiatives for
raising awareness of and providing education on cybersecurity issues. These include (amongst
other things) the development of Cybersecurity Training material and a European Cybersecurity
Skills Framework, and guidance for improving cyber security culture within private sector organisations.
To enhance the competency of practitioners, a number of cybersecurity certification schemes have
evolved, aimed at providing a comprehensive set of rules, technical requirements and standards to
assess the knowledge of scheme participants.

Comparatively, in Asia, capacity-building initiatives related to cybersecurity have a shorter history.

70 (ISC)², Cybersecurity Workforce Study 2019, November 2019. As supplementary information, various markets conducted their research to gauge the talent shortage issue. In the 12 months that ended in August 2018, there were more than 300,000 unfilled cybersecurity jobs in the U.S., according to CyberSeek, a project supported by the US-government-involved National Initiative for Cybersecurity Education. In addition, the UK government published a research report in March 2020, suggesting that close to 400,000 cybersecurity-related job postings were yielded in the UK between September 2016 and August 2019 (a 3-year period).
71 Legislative Council, Building cyber security talent (ISE15/20-21), 22 January 2021.

In Hong Kong, the government-supported Cyber Security Information Portal (“CSIP”) and Cybersechub.hk
are the main tools. The former provides advice and step-by-step guidelines for SMEs and other general
users to conduct health checks on computers, mobile devices and websites, as well as to learn tips
and techniques to guard against cyber-attacks;72 whereas the latter is a platform for industries and
enterprises to exchange cybersecurity information.73 To cultivate the awareness of businesses and
the public on cybersecurity, the Government and the private sector organise regular seminars and
workshops, amongst other initiatives.74

That said, Hong Kong does not have an educational institution dedicated to cybersecurity
training, as some other jurisdictions do. For example, Australia established the Academic Centres
of Cyber Security Excellence (“ACCSE”) in 2016 to address the national shortage of highly-skilled
cyber security professionals by encouraging more students to undertake studies in cyber security
and related courses;75 Mainland China plans to open 4-6 cybersecurity academies by 2027;76 and
Singapore has established the Cyber Security Associates and Technologists (CSAT) Programme to
train and up-skill fresh ICT professionals and mid-career professionals for Cyber Security job roles.77

In relation to industry-specific training, the current offerings in Hong Kong are rather fragmented. On
the positive side, the banking sector has made a good start with an enhanced competency
framework on cybersecurity. The framework, developed by the HKMA and other sector stakeholders,
facilitates the building of professional capabilities of banking staff engaged in cybersecurity duties.
Banks can refer to the HKMA’s guide which contains details of the qualification structure, recognised
certificates and continuing professional development requirements to equip relevant staff with the
appropriate skills, knowledge and behaviours.78 As for the rest of the financial industry (such as the
securities and insurance sectors), institutions can refer to various cybersecurity workshops, for
example those co-hosted by the SFC, the Hong Kong Police Force and the Hong Kong Computer
Emergency Response Team Coordination Centre, that cover key topics (such as cybercrime prevention
tips) on a macro basis. However, in the absence of guidance similar to the HKMA’s, it depends largely
on the financial institutions’ or the staff’s own initiative in taking corresponding training to fulfil the
high-level competency regulatory requirements.

72 Cybersecurity Information Portal, About Us, last updated in September 2020.
73 Cybersec Infohub, About Us, last updated in November 2019.
74 Apart from seminars and workshops to encourage and support the industry in information security training, the Government also works with professional bodies to promote professional accreditation in information security among IT practitioners and encourages tertiary education institutions to provide more information security courses in relevant disciplines.
75 Academic Centres of Cyber Security Excellence (“ACCSE”), Program Guidelines, last updated in May 2017.
The ACCSE program gives recognition to Australian universities that successfully demonstrate high-level cyber security education and training competencies, research capability and strong connections to government and the business sector.
76 Ministry of Education of the People’s Republic of China, 關於印發《一流網絡安全學院建設示範項目管理辦法》的通知 (“Notice on Issuing the Administrative Measures for the Demonstration Project for Building First-Class Cybersecurity Schools”), August 2018. (in Chinese only)
77 Cyber Security Agency of Singapore, Cyber Security Associates and Technologists Programme, last updated in May 2020.
78 Hong Kong Monetary Authority’s Guide to Enhanced Competency Framework on Cybersecurity, last updated in January 2019.

On the tertiary and continuing education level, universities in Hong Kong were some of the first in
Asia to incorporate industry-ready cybersecurity elements into the curriculum (e.g., MSc Cyber
Security) to help develop new talent. However, as understood from the FSDC’s interviews with
seasoned cybersecurity practitioners, those businesses that can afford to hire cybersecurity staff
prefer experienced hires, instead of fresh graduates. Meanwhile, smaller enterprises tend to conflate
Information Technology and Cybersecurity as covering the same subject matter, thus further
depressing the market for cybersecurity specialists.79 In light of the above factors, new cybersecurity
graduates frequently consider switching to another field given the lack of entry-level opportunities in
the cybersecurity field.

On attracting non-local talents, the Government’s Technology Talent Admission Scheme provides a
fast-track arrangement for eligible technology companies and institutes to admit overseas and Mainland
technology talent (including cybersecurity talent) to undertake research and development work.
Also, the Government’s Talent List of Hong Kong covers experienced cybersecurity specialists.
Eligible applicants who meet the requirements of the Talent List may enjoy immigration facilitation
under the Quality Migrant Admission Scheme. Qualifiers under the scheme are not required to have
secured an offer of local employment before their entry to Hong Kong; they may also bring their
dependents to the city for settlement.

79 As understood from seasoned practitioners, the skillsets possessed by information technology professionals and cybersecurity professionals are fairly different – with the former being good at ‘building’ IT infrastructures whereas the latter at dissecting parts to identify errors and potential risks.

Recommendations
Taking into consideration Hong Kong’s cybersecurity exposure and the approaches followed by
other major jurisdictions, we have mapped out a number of recommendations which we believe will
facilitate the enhancement of Hong Kong’s cybersecurity capacity and enable it to positively distinguish
itself from its global counterparts. At the core of this objective is the need for Hong Kong to formulate
a more strategic view on cybersecurity which reflects both the needs of the city as a whole and its
position as a leading international financial centre.

The recommendations relate to three broad “levels”: (i) policy level; (ii) legal and regulatory level;
and (iii) operational level. They are not intended to be implemented sequentially, thus reflecting the
reality that some recommendations may take longer to complete than others.

Recommendations

Policy level:
• Develop cybersecurity roadmap for Hong Kong

Legal and regulatory level:
• Develop cybersecurity legislation
• Harmonise financial regulations

Operational level:
• Enhance talent development
• Operationalise preparedness at industry level
• Stress test data recovery

Policy level

(1) Develop a dedicated cyberspace safety roadmap with policy priorities for Hong Kong

Having the element of cyberspace safety incorporated into the holistic Smart City Blueprint is a good
start for Hong Kong, both in terms of facilitating related policy formulation and enhancing the overall
cybersecurity capabilities. Yet, as cyber threats continue to increase globally at a rapid pace, the
city may require policy considerations with priorities and actionable items in the short, medium and
longer terms, set out more explicitly under a dedicated roadmap, in addition to the existing
approach by way of an annual update of the work plan.

Currently, documents in the public domain indicate what the Government has done but there is not
as much detail on what the Government plans to do in terms of cybersecurity. For example, we are
aware that the Government and its agencies have conducted plenty of seminars and workshops to
enhance capabilities among practitioners and the community, but how Hong Kong plans to extend
its advantage in the cybersecurity ecosystem and to strengthen its standing as a trusted city with
sound cybersecurity infrastructure are perhaps areas that citizens or different industries would be
interested in knowing too. While we appreciate the Government’s various work initiatives in cybersecurity,
it is important to get these initiatives known by the market and by the public so that they can prepare,
act and respond accordingly.

With reference to other jurisdictions, there is usually a structured nation/city-wide strategy on cybersecurity,
spelling out actionable items under a range of areas, for example – strengthening governance of
cyberspace safety by introducing a new act within a certain timeframe, and making Government
systems more secure by committing to allocate a certain percentage of government expenditure to
cybersecurity. This kind of strategy is, to date, not obviously seen in the public domain of Hong Kong
and not well heard of, at least, within the financial services industry. Clearer work plans with policy
priorities over a longer time horizon can help different stakeholders, including businesses in
Hong Kong, to coordinate and make their corresponding contributions.

Apart from policy priorities, clearer delegation at the organisational/departmental level is considered
instrumental. While we understand that cyberspace safety is a cross-sectoral subject matter that can
be relevant to more than one government bureau or agency, lucidly-defined accountabilities placed
under one overarching governance body can serve both efficiency and comprehensiveness. Workable
options for this proposed overarching governance body include: (i) establishing an independent
commission (similar to the Australian Signals Directorate,80 or the Cyber Security Agency of Singapore);81
or (ii) setting up a cross-bureau/agency working group to coordinate both regulatory and enforcement
actions. With such formation, all initiatives related to cybersecurity – from local capacity building
and infrastructure review to international partnership – can be brought under a single agency.

The financial services industry, as one of the major pillars of Hong Kong’s economy, should play a
key role in facilitating the setting of key policy priorities and promoting the ongoing public-private
collaboration.

80 Established as a statutory agency to house the Australian Government’s cybersecurity functions.
81 As part of the Prime Minister’s Office and managed by the Ministry of Communications and Information, the Agency oversees cybersecurity strategy, operation, education and so on for Singapore.

Legal and regulatory level

(2) Develop cyberspace protection legislation

As described in this paper, many of the leading jurisdictions in cybersecurity have an omnibus
cybersecurity / cyberspace protection law as a core element of their cybersecurity framework. In
addition to providing Hong Kong citizens and businesses with a higher degree of legal certainty and
protection, a comprehensive cyberspace protection statute would also provide clarity in respect of
cross-border data processing and transfers.

Hong Kong should consider introducing its own omnibus Cyberspace Protection Ordinance that
covers the following objectives at a minimum:

• identifying and defining ‘critical information infrastructure’;

• establishing a framework for accountability (including the investigation, reporting and enforcement
of cyber incidents, including through civil and/or criminal proceedings);

• defining and mandating the type(s) of cyberspace protection information sharing between
public and private sectors (for example, about the types of incidents/threats they are facing);
and

• establishing a light-touch licensing framework for cybersecurity service providers, where appropriate.

The introduction of such legislation can go hand in hand with the effective operation of the previously
mentioned cyberspace safety roadmap.

In addition to the proposed omnibus cyberspace protection ordinance, other related statutes should
be reviewed on a regular basis to ensure that they remain fit for purpose and aligned with international
standards. These would include ordinances covering cyber-related crimes as well as legislation
in relation to other relevant areas such as personal data protections.

(3) Harmonise financial regulations

Given the interconnectedness across different sectors within the financial system, cyber incidents
faced by one sector can easily have a spill-over effect on other sectors. An effective cybersecurity
framework requires a coordinated approach amongst various financial regulators.

In Hong Kong, financial institutions are generally regulated by the respective financial regulators
which license/authorise them to carry out certain business activities in a particular sector. While this
institutional architecture has the merits of imposing rules and regulations that are tailored to the
needs of and circumstances faced by the particular sector, the potential differences across financial
regulations of different sectors may confuse the market, thus hampering the city’s business-friendliness.

In respect of cybersecurity, Hong Kong has various sets of regulatory guidance in place – as
covered in earlier paragraphs, the HKMA, IA and SFC have their respective guidelines/circulars to
assist their licensed/authorised institutions in handling cybersecurity issues. Some degree of coordination
is seen – for example, the HKMA issued a circular in 2017 to CEOs of Registered Institutions requiring
them to apply the SFC’s Guidelines for Reducing and Mitigating Hacking Risks Associated with
Internet Trading – but broader efforts to coordinate policy responses have not yet been made.

A potential area for coordination/harmonisation relates to the reporting timeframe in cases where a
cyber incident is detected. Currently, the SFC asks its licensed corporations to report to the SFC
“immediately” upon the occurrence of any material cybersecurity incident, including ransomware
attacks;82 whereas the IA asks insurers to report the incident “as soon as practicable, and in any
event no later than 72 hours from detection” of a relevant incident.83 While we appreciate that the
regulatory approaches adopted by the various regulators are tailored to the unique business operations
and nature of each sector within financial services, some market participants – especially those who
work directly on cybersecurity tasks – express the view that a single reporting timeframe would ease
the compliance burden of financial market participants answering to multiple regulators.

A harmonisation exercise across financial sector regulation covering cybersecurity issues would
require the efforts of various regulators. An effective means of achieving such coordination can be
in the form of a cross-agency steering group. A recent example of such a group is the Green and
Sustainable Finance Cross-Agency Steering Group established in May 2020 to,84 amongst other
things, facilitate policy direction and coordination to ensure Hong Kong has a cohesive and comprehensive
green and sustainable finance strategy. If implemented in the cybersecurity realm, we would expect
such a steering group to include, at a minimum, the SFC, the HKMA and the IA.

82 See footnote 54.
83 See footnote 59.
84 This Steering Group was initiated by the HKMA and the SFC; other members are the Environment Bureau, the FSTB, HKEX, the Insurance Authority and the Mandatory Provident Fund Schemes Authority.

Operational level

(4) Enhance talent development

Talent shortage has been identified as a critical issue, particularly in Asia. A quick yet costly fix to the
talent shortage problem is to import talent from other markets, such as Europe. However, as stated
earlier, only the largest financial institutions can afford the high expenses incurred. To a certain
extent, this explains why the banking sector has been able to achieve a higher level of cybersecurity
competency than other sectors.

With the HKMA’s introduction of the enhanced competency framework, the market has generally
observed an improvement in the cyber resilience of the banking sector. However, given the high
level of inter-connectivity among various financial sectors, the banking sector’s progress could be
undermined if the other sectors do not demonstrate a comparable degree of resilience. Given the
above, we recommend that other financial regulators, including the SFC and the IA, consider joining
hands to build on the HKMA’s competency enhancement framework and develop it into an overarching
structure with specialised streams of expertise to meet evolving supervisory requirements in different
sectors (some being bespoke while others sharing common features). For example, a list of recommended/
approved cybersecurity certification schemes for staff working in the various financial sectors would
be a useful starting point.

As cybersecurity is not a direct source of revenue generation, financial institutions (especially corporations
with small business operations) may still be reluctant to deploy significant resources to improve their
cyber resilience. One approach to help overcome this challenge would be for the Hong Kong SAR
Government to provide incentives, such as training subsidies to eligible staff or institutions that enrol in
a cybersecurity certification scheme recognised/approved by the regulators. Specifically, the
Government could implement a subsidy programme similar to what it recently did in relation to
FinTech professionals – in that case, a new HK$120 million wage subsidy plan was launched on 1
July 2020 to encourage companies in the financial sector to hire 1,000 financial technology professionals
over the next 12 months by subsidising the salary of one full-time new hire with HK$10,000 every
month for a year as part of the FinTech Anti-epidemic Scheme for Talent Development (FAST).85

A longer-term alternative would be for Hong Kong to establish a cybersecurity training institute, consistent
with the approach taken by other jurisdictions (namely Australia, Mainland China and Singapore). However,
this option would require a more in-depth feasibility study by the Government.

85 South China Morning Post, Hong Kong launches US$15.5 million subsidy plan to encourage companies to hire 1,000 fintech professionals, July 2020.

(5) Operationalise preparedness at industry level

Stress Test

In order to assess Hong Kong’s capacity to withstand and tolerate cyberattacks, we recommend that
the Government conduct a series of cyber stress tests across the financial services sector.

Work on cyber risk stress testing in Hong Kong has so far been carried out in silos and is largely focused on the
banking sector. The Office of the Government Chief Information Officer (OGCIO), the Cyber Security
and Technology Crime Bureau (CSTCB) under the Hong Kong Police Force, and HKCERT have
worked closely with different stakeholders to conduct cyber incident drills. For instance, CSTCB
offered cyber security drills for virtual banks to raise their preparedness and readiness for cyber
security attacks prior to commencing their operation in November 2019. The HKMA also conducts
the C-RAF (a two-part self-assessment) and intelligence-led Cyber Attack Simulation Testing
(iCAST) to help banking institutions evaluate their cyber resilience. At the industry-led level, there
are annual cyber crisis simulations such as the Whole Industry Simulation Exercise (“WISE”). Conducted
in October 2019, the latest WISE drew participants from banks, securities firms, asset management
firms and clearing houses with operations in Hong Kong. In the four-hour exercise, crisis-management
teams from some 40 financial institutions participated in a simulation in which the fact pattern
changed every five to ten minutes,86 with support from regulators.87 Banks that participated in both iCAST
and WISE reportedly found the two exercises useful in assessing their cyber resilience. They indicated
that there is value in both regulator- and industry-led initiatives, with the former (iCAST) benefitting
from wider industry participation, while the latter (WISE) provided valuable insight through confidential
institution-specific reports which help banks to pro-actively identify potential weak spots in advance
of regulatory audits.

However, stress tests focussing on only a couple of financial sectors are not adequate for a financial
centre of Hong Kong’s prominence. Given the increasing interconnectedness of different sectors
within financial services, as well as the constantly evolving nature of complex cyberattacks, an
industry-wide stress test covering all relevant sectors is highly recommended. Further to this
recommendation, we would expect the HKMA, the SFC and the IA to coordinate, for example
with the FSTB taking the lead, to develop such a stress test as a matter of high priority.

A useful example in this regard is the Hamilton Series in the US. Led by the US Treasury, the Series
involves simulations of different types of cyberattacks against the financial services sector, including
on individual segments of that sector (for example, equities markets, payment systems, and
exchanges). The results of those tests are then used to improve public and private sector policies,
procedures and coordination.

86 Reuters, Hong Kong banks compare pandemic stress test with epidemic reality, February 2020.
87 The HKMA joined by providing comments on the drill scenarios and interacting with a few participating banks throughout the drill exercise, in order to rehearse its communication and collaboration with the banks in handling the scenarios; meanwhile, the SFC representatives participated in the exercise as Regulatory and Industry Support and Observers.

In planning an industry-wide stress test, Hong Kong’s financial sector regulators could either organise
the exercise themselves (which would likely ensure greater participation), or encourage financial
institutions to plan and conduct their own industry-wide exercise (for example, through subsidising
the cost incurred in organising the stress test). While the latter approach has the benefit of allowing
financial institutions to conduct the exercise in an environment without fear of regulatory scrutiny, we
would recommend that this be a regulator-led exercise given the gravity and nature of the cyber risks
facing the industry. To preserve flexibility, a ‘baseline approach’ could be adopted
whereby only mission-critical systems and interconnected areas are covered, allowing room for
each financial regulator to carry out contingency planning according to their respective operational
considerations (as per iCAST and WISE).

Data Recovery

A key question for the Hong Kong financial industry to consider is whether it has in place a suitable
cyber incident response mechanism, including an effective and comprehensive data recovery plan.
Amid the increasing frequency and severity of cyber threats and incidents, financial institutions, as
well as governments and regulators, around the world are exploring ways to best approach data
recovery.

Currently, financial institutions in Hong Kong rely predominantly on their own infrastructures to store
and recover data, with a view to minimising business disruption and data loss in case of a cyber-incident.
Given the nature and volume of data involved, an industry-led initiative is considered to be a more
realistic option, at least in the near term.

One of the examples that Hong Kong financial industry participants should consider is the Sheltered
Harbour initiative in the US. Driven by the financial industry, this initiative allows the recovery of
customer account information in the event of a cyber-incident. Under Sheltered Harbour, participating
institutions can store the data themselves or through third parties. When a cyber-incident occurs, the
previously stored data is validated, formatted, encrypted and transmitted through industry-established,
standardised file formats. The underlying information can be restored and made accessible to the
impacted participating institution within a week. The merit of Sheltered Harbour is that it can provide
an additional layer of protection for financial institutions, which is missing in many markets (including
Hong Kong).88 The initiative is extensively quoted in a recent Bank of England Future of Finance
report, indicating that the UK might be considering a similar approach.

88 Bank of England, The future of finance report, June 2019.

Conclusion
Cyberattacks cause tremendous economic, regulatory and reputational harm to governments and
businesses globally. The financial services industry is a prime target of cybercriminals.

As an international financial centre, Hong Kong attracts an increasing number of cybercrimes. In
response, the level of readiness among financial institutions to prevent, address and handle cyber
risks is considered to have generally increased.

With developments in the post-COVID-19 era – including licensed virtual financial services, increasing
reliance on cloud and online collaboration tools, etc. – the future cyber universe will only become
more complex and the need to combat cyber risks more urgent. Naturally, this attack-versus-preparedness
battle for Hong Kong, and indeed the rest of the world, will be ever growing.

To keep pace with international cybersecurity standards, Hong Kong should consider the cybersecurity
frameworks of those jurisdictions widely considered to be leaders in the field. Building on the various
approaches taken by Australia, the EU, Japan, Mainland China, Singapore and the US, this paper
suggests a number of recommendations that Hong Kong can consider as key steps towards
enhancing its cybersecurity framework –

On the policy level –

• to develop a dedicated cybersecurity roadmap with policy priorities for Hong Kong;

On the legal and regulatory level –

• to develop cyberspace protection legislation;

• to harmonise regulations across the financial sector;

On the operational level –

• to enhance talent development; and

• to operationalise preparedness at industry level through industry-wide stress test and data
recovery enhancement.

The above recommendations could proceed in parallel, given the urgency of preventing, addressing
and handling cyber risk. We believe that these policy recommendations should lead to a more effective
and resilient cybersecurity infrastructure for Hong Kong. However, the ultimate success of the initiative
to improve Hong Kong’s cybersecurity position relies on full engagement and partnership with the
private and public sectors. As such, we very much encourage input from and collaboration with these
parties.

Annex – Jurisdictional Survey of Cybersecurity Frameworks
Dimension 1 – Cybersecurity Policy and Strategy
Hong Kong

Although there is no stand-alone cybersecurity strategy document, cybersecurity policy direction is incorporated into the Smart City Blueprint of Hong Kong. The Government also publishes policies and guidelines on cybersecurity on a regular basis, and participates in global and regional cybersecurity organisations for enhancing information exchange.

OGCIO and other government-supported organizations have been established to defend against and respond to cyber threats and incidents.

The OGCIO has developed and maintained a comprehensive set of information technology security policies, standards, guidelines, procedures and relevant practice guides for use by government departments. These procedures and guidelines were developed with reference to international standards, industry best practices, and professional resources.

Financial regulators have taken the lead in developing cybersecurity initiatives for the financial services industry. See Dimension 2 for more details.

Australia

The Australian Government launched Australia’s Cyber Security Strategy 2020 on 6 August 2020, replacing Australia’s 2016 Cyber Security Strategy. The revised strategy, developed by the Department of Home Affairs, is more robust from an enforcement, security, and deterrence perspective than the 2016 strategy which was developed by the then Prime Minister and more focused on economic opportunities and innovation. Under the new strategy, the government will invest AUD1.67 billion over 10 years to achieve the vision of creating a more secure online world for Australia.

The vision set out in the 2020 strategy will be delivered through: (i) action by governments to strengthen the protection of Australians, businesses and critical infrastructure from the most sophisticated threats; (ii) action by businesses to secure their products and services and protect their customers from known cyber vulnerabilities; and (iii) action by the community to practice secure online behaviours.

The lead agency for cybersecurity is the Australian Cybersecurity Centre (“ACSC”) which was established in 2014. ACSC manages a national framework of Joint Cybersecurity Centres where the agency collaborates with industry, government and academic partners on current cybersecurity issues.

One of the primary financial regulators, the Australian Prudential Regulation Authority (APRA), announced a new Cyber Security Strategy for 2020-2024 designed to complement Australia’s 2020 Cyber Security Strategy. For details, see Dimension 2 under Financial Regulatory.

EU

The EU Cybersecurity Strategy (first announced in 2013) details actions to address challenges under five priority areas: achieving cyber resilience; drastically reducing cybercrime; developing cyber defense policy and capabilities; developing industrial and technological resources; and establishing a coherent cyberspace policy for the EU.

In September 2017, the EU updated its Cybersecurity Strategy to further improve the protection of European critical infrastructure and to boost the EU’s digital self-assertiveness towards other regions of the world.

Most recently, the EU set out its revised Cybersecurity Strategy in December 2020. The strategy, which was accompanied by proposals for a revised Network and Information Security Directive and a proposed directive on the resilience of critical entities, contained concrete proposals for regulatory, investment and policy initiatives in three areas: (i) resilience, technological sovereignty and leadership – actions to increase the level of cyber resilience of critical public and private sectors, and the launch of a network of Security Operations Centres across the EU; (ii) building operational capacity to prevent, deter and respond – establishment of a new Joint Cyber Unit, to strengthen cooperation between EU bodies and Member State authorities; and (iii) advancing a global and open cyberspace through increased cooperation.

The European Union Agency for Network and Information Security (“ENISA”) is the EU’s center of cybersecurity expertise. It supports Member States in responding to large-scale cross-border cyber incidents, as well as supporting the development and implementation of EU cybersecurity law and policy, including European cybersecurity certification schemes.

In July 2020, ENISA announced its new strategy, outlining the Agency’s path towards achieving a high common level of cybersecurity across the EU. The strategy is based on seven strategic objectives that will set the priorities for ENISA, including: (i) empowered and engaged communities across the cybersecurity ecosystem; (ii) cybersecurity as an integral part of EU policies; (iii) effective cooperation amongst operational actors within the Union in case of massive cyber incidents; (iv) cutting-edge competences and capabilities in cybersecurity across the Union; (v) a high level of trust in secure digital solutions; (vi) foresight on emerging and future for Europe.

Japan

The cabinet-led Cybersecurity Strategy Headquarters established in 2015 under the Basic Act on Cybersecurity (2014) is responsible for developing strategies for cracking down on cyber-attacks and mitigating any damage caused.

The National Center of Incident Readiness and Strategy for Cybersecurity (“NISC”) announced its National Strategy for Cybersecurity in July 2018 (covering a three-year period), which identified an increasing need for reinforcing cybersecurity measures across Japan. Among other things, it aimed to improve the cybersecurity of Japanese critical infrastructure and encourage Japanese business to pursue cybersecurity best practices.

Mainland China

China started to form its cybersecurity strategy as early as the end of 2012. On 28 December 2012, the Standing Committee of the National People’s Congress (“SCNPC”) issued a decision to strengthen the protection of information on networks, with a focus on protection of personal information collected, processed and applied by “network service providers” and other entities “during the course of business”.

On 7 November 2016, the SCNPC issued the PRC Cybersecurity Law, which became effective on 1 June 2017. Around the same time as and corresponding to the issuance of the PRC Cybersecurity Law, the CAC (defined below) announced a National Cybersecurity Strategy in December 2016, with the key tasks identified as: defending cyberspace sovereignty; protecting critical information infrastructure (“CII”); and elevating cyberspace defense capabilities.

The Central Leading Group for Cyberspace Affairs was created in 2014 by President Xi. It supports the principle that cybersecurity is integral to national security. In 2018, this group evolved into the Central Cyberspace Affairs Commission (“CCAC”), also known as the Cyberspace Administration of China (“CAC”).

Following the issuance and implementation of the PRC Cybersecurity Law, China has introduced new laws and regulations that set out stricter requirements, including various national standards to regulate companies (including Chinese affiliates of foreign companies) that set up their cloud infrastructure, including servers, virtualized networks, software, and information systems in China.

A draft of the PRC Data Security Law was released for public comments in July 2020. The draft legislation is the first Chinese law aimed at regulating the collection, processing, control and storage of data involving national security, business secrets and personal data.

In October 2020, a draft PRC Personal Information Protection Law (“Draft PIPL”) was published for consultation. If passed, the Draft PIPL would be the first comprehensive national level personal information protection law in the PRC.

Once the draft Data Security Law and the Draft PIPL are formally issued, they will form, along with the PRC Cybersecurity Law, a comprehensive legal framework for cybersecurity and data protection in China.

Singapore

The Cyber Security Agency of Singapore (“CSA”) was established in 2015 to oversee Singapore’s cybersecurity strategy, education and outreach, as well as industry development. The CSA is part of the Prime Minister’s Office and is managed by the Ministry of Communications and Information.

CSA issued Singapore’s Cybersecurity Strategy Report in 2016, which sets out Singapore’s vision, goals and priorities for cybersecurity. Singapore’s cybersecurity strategy aims to create a resilient and trusted cyber environment, and is underpinned by four pillars: (i) strengthening the resilience of Singapore’s critical information infrastructure (“CII”); (ii) mobilizing businesses and the community to create a safer cyberspace by countering cyber threats, combating cybercrime and protecting personal data; (iii) developing a vibrant cybersecurity ecosystem comprising a skilled workforce, technologically-advanced companies and strong research collaborations so as to support Singapore’s cybersecurity needs and be a source of new economic growth; and (iv) stepping up efforts to forge strong international partnerships to address international cybersecurity and cybercrime issues.

In addition, the CSA issues an annual publication which reviews the cyber landscape in Singapore and the initiatives introduced in the year in furtherance of Singapore’s four-pronged cybersecurity strategy. The latest Singapore Cyber Landscape 2019 was issued on 26 June 2020.

In February 2020, the Singapore government announced that it would set aside S$1 billion over the next three years to build up the government's cyber and data security capabilities and to safeguard citizens' data and CII systems.

In October 2020, the Singapore government announced Singapore’s Safer Cyberspace Masterplan 2020, building on the 2016 Cybersecurity Strategy and outlining a blueprint for the creation of a safer and more secure cyberspace in Singapore. It comprises three strategic thrusts: (i) securing core digital infrastructure, (ii) safeguarding cyberspace activities and (iii) empowering its own cyber-savvy population.

US

In 2003, the Department of Homeland Security’s National Strategy to Secure Cyberspace was released by the George W. Bush administration to highlight the role of public-private engagement and provided suggestions to improve collective cybersecurity for businesses, educational institutions and individuals.

In 2008, the Bush administration launched the Comprehensive National Cybersecurity Initiative (“CNCI”). CNCI aimed to strengthen cybersecurity education, bolster the deployment of intrusion detection and prevention systems throughout the federal government, and better coordinate cybersecurity research and development within the United States.

President Obama, recognizing the importance of strengthening cybersecurity policy, evolved and updated the CNCI through the 60-day Cyber Policy Review, in which the National Security Council (“NSC”) and Homeland Security Council reviewed government activities and cybersecurity programs and ultimately produced a report that summarized its findings. As a result, the executive branch was directed to ensure an organized and unified response to future cyber incidents; strengthen public/private partnerships; invest in relevant cutting-edge research and development; and promote cybersecurity awareness and digital literacy. President Obama also established the role of a cybersecurity coordinator who would play a central role in developing cybersecurity policy, report to the National Security Advisor, and have regular access to the President. (The Trump administration removed this position in 2018.)

The Obama administration also released the Cybersecurity Strategy and Implementation Plan (“CSIP”) in 2015 which aimed to strengthen government systems and data by identifying and addressing critical cybersecurity gaps and emerging priorities. CSIP was followed in February 2016 by the Cybersecurity National Action Plan (“CNAP”) which included the following initiatives: a proposed $3.1 billion Information Technology Modernization Fund; establishment of a federal Chief Information Security Officer (CISO); continued identification and review of highest value and most at-risk IT assets; and an increase in government-wide shared services for IT and cybersecurity. President Obama also led efforts related to a variety of other cybersecurity-related policies during his Presidency, such as military cyber operations and international strategy.

In May 2017, the Trump Administration issued the Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure (“Order”). The Order required agency heads to adhere to the National Institute of Standards and Technology (“NIST”) Framework for Improving Critical Infrastructure Cyber Security (“NIST Cybersecurity Framework”) in order to manage each agency’s cybersecurity risk. In September 2018, the White House issued the National Cyber Strategy outlining the government’s plan to protect networks and systems, to nurture a secure and thriving digital economy, and to strengthen US ability to deter and punish malicious use of cyber tools.

In November 2018, President Trump signed into law the Cybersecurity and Infrastructure Security Agency Act of 2018 which created the Cybersecurity and Infrastructure Security Agency (CISA), a new stand-alone federal agency, created to protect the nation's critical infrastructure. That law rebranded the Department of Homeland Security's National Protection and Programs Directorate (NPPD) as CISA and transferred resources and responsibilities of NPPD to the newly created agency. CISA’s mission is to build the national capacity to defend against cyber attacks and work with the federal government to provide cybersecurity tools, incident response services and assessment capabilities to safeguard the ‘.gov’ networks that support the essential operations of partner departments and agencies.

In the spring of 2021, the Biden Administration announced six priorities for the Cybersecurity & Infrastructure Security Agency in 2021, including (1) tackling ransomware, (2) improving cybersecurity training at the Department of Homeland Security, (3) bolstering the resilience of industrial control systems,1 (4) protecting transportation systems, (5) safeguarding election systems, and (6) advancing international capacity-building efforts. The Biden Administration is also reportedly considering an executive order requiring software vendors to notify federal government customers in the event of a cybersecurity breach following revelations of a breach of technology provider SolarWinds that affected several government agencies.

Dimension 2 – Legal & Financial Regulatory Frameworks

Legal

Hong Kong

No “omnibus” cybersecurity ordinance or agency/regulator. Section 161 of the Crimes Ordinance, enacted in 1993, expanded the scope of existing criminal offences under various ordinances to cover computer-related criminal offences.

The Personal Data (Privacy) Ordinance (“PDPO”) sets out the data privacy and protection framework for Hong Kong. There is currently no mandatory requirement to notify the Privacy Commissioner for Personal Data (“PCPD”) or the data subject of a data breach under the PDPO. However, in January 2020, the PCPD indicated that a mandatory breach notification is likely to be included in upcoming amendments to the PDPO. The timing for those amendments has yet to be confirmed.

Australia

No “omnibus” cybersecurity law. The Criminal Code Act 1995, as amended by the Cybercrime Act 2001, is the principal legislation criminalizing cyberattacks in Australia.

The Telecommunications Sector Security Reform (under the Telecommunications and Other Legislation Amendment Act 2017) applies to cyber threats targeted at critical infrastructure and specific sectors.

The Privacy Act 1988 regulates how the private sector and government agencies handle personal information. Entities subject to the Privacy Act 1988 are subject to its mandatory data breach notification regime and must handle and use personal information in compliance with the 13 Australian Privacy Principles contained in schedule 1 of the Privacy Act.

The Security of Critical Infrastructure Act 2018 (“Critical Infrastructure Act”) seeks to manage national security risks (e.g. sabotage, espionage and coercion) posed by foreign entities and was implemented as a response to the increased cyber connectivity in relation to critical infrastructure. In November 2020, major amendments to the Critical Infrastructure Act were proposed by the government, in alignment with the newly revised Cybersecurity Strategy. The proposals would, among other things, (i) introduce new government powers to intervene in response to cyberattacks and obtain information from critical infrastructure entities if it is deemed to be in the national interest, (ii) add a number of additional sectors to the definition of “critical infrastructure,” including financial services, and (iii) impose positive security obligations on owners and operators of critical infrastructure assets.

EU

The Cybersecurity Act entered into force in 2019 to strengthen the mandate of ENISA and establish an EU-wide cybersecurity certification framework.

The Directive on Security of Network and Information Systems (“NIS Directive”) aims at tackling network and information security incidents and risks across the EU. In December 2020, in conjunction with the revised Cybersecurity Strategy, the Commission adopted a proposal for a revised Directive on Security of Network and Information Systems (“NIS2 Directive”). The proposal, which builds on and repeals the current NIS Directive, modernises the existing legal framework. Among other things, it introduces stricter security and notification obligations and harmonises sanctions regimes across the EU by requiring member states to impose administrative fines for breaches.

Also in December 2020, the EU announced a proposed directive on the resilience of critical entities (“CER Directive”). The proposed directive will expand both the scope and depth of existing EU rules on critical infrastructure to cover 10 sectors, including banking and financial market infrastructure. The CER Directive will also introduce an enforcement mechanism designed to ensure that member state authorities have the powers to conduct on-site inspections of critical entities and to impose penalties for non-compliance.

The EU will look to implement the new cybersecurity strategy in the coming months. The NIS2 and CER Directives will require further review and adoption by EU institutions before being sent to the member states for implementation.

The General Data Protection Regulation (“GDPR”) is the consolidated EU law on data protection, setting out a comprehensive network of obligations and rights relating to the processing of personal data. Widely viewed as the gold standard of data protection legislation, the GDPR contains robust data breach notification requirements.

Japan

The Basic Act on Cybersecurity was enacted in 2014 to set out the roles and responsibilities of national and local governments within the overall national cybersecurity policy. It also provides that cyber business and infrastructure-related businesses should take voluntary measures to enhance cybersecurity.

In December 2018, Japan’s Parliament passed a bill to amend the 2014 Basic Act on Cybersecurity to fortify cybersecurity in preparation for Japan hosting the Tokyo Olympics & Paralympics.

Several other laws (e.g., the Penal Code and the Act on the Prohibition of Unauthorized Computer Access) also cover different types of cybercrime and cybersecurity.

The key data protection legislation is the Act on the Protection of Personal Information (“APPI”).

On 5 June 2020, the Japanese legislature passed several amendments to the APPI that will expand protections for personal data and impose new obligations on all businesses using personal data for business purposes. Importantly, there will be an obligation to notify the Personal Information Protection Commission of certain data breaches (though the threshold for reporting obligations has not yet been decided). The amendments will go into effect within two years of 5 June 2020.

Mainland China

The Cybersecurity Law came into effect in 2017. It is the first national-level law addressing cybersecurity in China (including data protection in such context). It provides various security protection obligations for network operators and imposes heightened security obligations for CII operators. The law also introduces a general requirement for the reporting and notification of actual or suspected material personal information breaches.

The National Security Law adds cyberspace and information security as important elements of national security.

Cybercrime is covered under the PRC Criminal Law.

As mentioned above in Dimension 1, China is also in the midst of the legislative process to finalize the PIPL and the PRC Data Security Law.

Singapore

The Cybersecurity Act 2018 (No. 9 of 2018) (“Cybersecurity Act”), which came into effect on 31 August 2018, creates a legal framework for the oversight and maintenance of national cybersecurity in Singapore. The Cybersecurity Act establishes a regulatory framework for the protection of CII against cybersecurity threats, authorizes the CSA to investigate and respond to cybersecurity threats and incidents, and establishes a cybersecurity information sharing framework.

Aside from the Cybersecurity Act, other key pieces of legislation include the Personal Data Protection Act 2012 (No. 26 of 2012) (“PDPA”) and the Computer Misuse Act (Chapter 50A) (“CMA”).

The PDPA, which is administered by the Personal Data Protection Commission (“PDPC”), governs the collection, use, disclosure and care of personal data. In particular, the PDPA requires organisations to make reasonable security arrangements to protect personal data in their possession or under their control to prevent unauthorized access, collection, use, disclosure, copying, modification, disposal or similar risks.

In January 2021, the PDPC announced that certain sections of the Personal Data Protection (Amendment) Act 2020 would take effect from 1 February 2021. These include three key changes: (i) a mandatory data breach notification for data breaches with a threshold based on level of harm or scale; (ii) introduction of offences concerning mishandling of personal data by individuals; and (iii) an expansion of the consent framework. Further changes as a result of the amendments expected to take effect after February 2021 include increased financial penalties for organizations.

The CMA is the principal legislation on cybercrime in Singapore – certain cyber activities, such as hacking, denial-of-service attacks, and infecting computer systems with malware, are criminalized. The CMA also covers unauthorized access, use or modification of computers, computer materials and computer services.

US

There is no single overarching cybersecurity law in the US. The statutory framework is fragmented, with industry- and information-specific requirements. Key federal statutes that address electronic security include the following:

• The Electronic Communications Privacy Act of 1986, last amended in 2008, establishes legal requirements for acquisition or use of communications in transit and in electronic storage, as well as criminal and civil causes of action for violations of these requirements.
• The Computer Fraud and Abuse Act, first enacted in 1986 and last amended in 2008, establishes criminal and civil causes of action for a range of cybercrimes.
• The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) requires that covered medical entities in the healthcare industry implement technical and non-technical safeguards to protect and secure individuals’ “electronic protected health information” (“e-PHI”).
• Section 5 of the Federal Trade Commission (“FTC”) Act prohibits “unfair and deceptive acts or practices” by entities with respect to misrepresentations about a company’s protection of consumers’ personal information. The FTC has published guidance on best practices for safeguarding information as well as insight into its enforcement actions in the cybersecurity context.
• The Federal Information Security Modernization Act of 2014 (“FISMA 2014”) requires federal government agencies and contractors to create and put in place cybersecurity programmes. The National Institute of Standards and Technology (NIST) of the United States Department of Commerce develops the security standards and guidelines that agencies follow under FISMA; separately, under Executive Order 13636 of 2013, NIST published the NIST Cybersecurity Framework, which is widely adopted by private-sector organisations as well.
• The Cybersecurity Information Sharing Act of 2015 (“CISA Act”) enhances sharing of information about cybersecurity threats. The CISA Act provides a process for companies to receive protections from liability and public records disclosure when sharing information with federal law enforcement about cybersecurity attacks.

There is no omnibus privacy/data protection statute in the US. Instead, privacy issues are governed by a patchwork of different state and federal rules. There is no central authority to enforce these rules; the closest equivalent for federal privacy law enforcement is the FTC; however, prosecution for cybersecurity-related incidents is uncommon. In relation to data breach notification, each state has its own data breach notification law with varying definitions of “personal information.”
Financial Regulatory

Hong Kong

The Securities and Futures Commission (“SFC”) has issued to licensed corporations a range of guidelines and circulars related to cybersecurity risks. Topics include mitigation of hacking risks associated with internet trading of securities and futures and raising awareness of ransomware.

The Hong Kong Monetary Authority (“HKMA”) launched its Cybersecurity Fortification Initiative (“CFI”) in respect of the banking sector in 2016, comprising (i) the Cyber Resilience Assessment Framework (a two-part self-assessment and cyber attack simulation testing); (ii) a certification scheme and training program; and (iii) the Cyber Intelligence Sharing Platform. An enhanced version (CFI 2.0) was introduced in November 2020.

The HKMA also introduced a competency framework that facilitates cybersecurity talent development for the banking sector. Further, it issued a circular to require CEOs of registered institutions (i.e. authorized institutions that are also registered with the SFC) to apply the relevant SFC guidelines mentioned above. As part of its supervisory functions, the HKMA also conducts on-site examinations and off-site reviews of the information systems of authorised institutions.

The Hong Kong Insurance Authority requires insurers to identify cybersecurity threats, and has issued guidelines setting out the minimum standard of cybersecurity expected of an insurer.

Australia

The Australian Prudential Regulation Authority (“APRA”) issued a mandatory standard that took effect in 2019 (Prudential Standard CPS 234 Information Security (“Prudential Standard”), accompanied by Prudential Practice Guide CPG 234), which aims to ensure that APRA-regulated entities meet certain cybersecurity requirements in order to be resilient against emerging information security threats. The key requirements of this Prudential Standard are that an APRA-regulated entity must:
• clearly define the information security-related roles and responsibilities of the Board, senior management, governing bodies and individuals;
• maintain an information security capability commensurate with the size and extent of threats to its information assets;
• implement controls to protect its information assets commensurate with the criticality and sensitivity of those information assets; and
• notify APRA of material information security incidents.

As referenced in Dimension 1, APRA announced a new Cybersecurity Strategy for 2020-24 designed to complement Australia’s 2020 Cyber Security Strategy. The new strategy comprises three primary focus areas:
(i) establishing a baseline of cyber controls, e.g., embedding non-negotiable cyber practices, facilitating better sharing of cyber information and enabling more effective incident response processes;
(ii) enabling boards and executives of financial institutions to oversee and direct correction of cyber exposures; and
(iii) rectifying weak links within the broader financial eco-system and supply chain by advocating cyber-assessment and assurance, and harmonising the regulation and supervision of cyber across the financial system.

The Australian Securities and Investments Commission (“ASIC”) assesses the IT management systems of financial entities and provides guidance related to cyber risks.

EU

The NIS Directive aims to ensure that operators in sectors deemed essential (including providers of financial market infrastructure services) are taking appropriate measures to manage cybersecurity risks. As mentioned above, a new NIS2 Directive was proposed in late 2020 which would impose stricter obligations on the covered sectors.

In response to the European Commission’s FinTech Action Plan of March 2018, in which cybersecurity issues were a recurring theme, the Joint Committee of the European Supervisory Authorities (comprising the European Banking Authority, the European Securities and Markets Authority, and the European Insurance and Occupational Pensions Authority) in April 2019 published its advice to the European Commission on strengthening EU cyber and information security regulation in the financial sector. These initiatives include:
• Developing an EU oversight framework for third-party providers active in financial services, with a focus on cloud services providers; and
• Developing an EU-wide framework for testing the cyber resilience of important financial institutions.

In September 2020, the European Commission adopted a digital finance package, including a digital finance strategy and legislative proposals on crypto-assets and digital resilience. The European Commission published its draft Digital Operational Resilience Act (DORA) to ensure that financial-sector information and communications technology systems can withstand security threats and that third-party ICT providers are monitored.

As noted above, the proposed CER Directive designates companies in the banking and financial markets infrastructure sector as “critical entities,” meaning such companies will have to undertake common reporting measures, including entity-level risk assessments and incident notifications, as well as implementing other technical and organisational measures. They will also be subject to on-site inspections by national authorities.

Japan

The Personal Information Protection Commission (“PPC”) and the Financial Services Agency (“FSA”) issued “Guidelines for Personal Information Protection in the Financial Field.” These Guidelines require financial institutions and others to develop necessary and suitable cybersecurity management measures, with the focus on preventing data leakage, loss or damage.

In October 2018, the FSA issued updated “Policy Approaches to Strengthen Cybersecurity in the Financial Sector” to address increasing digitalization, as well as challenges presented by the Tokyo Olympics.

In June 2020, the FSA published the Financial Sector Cybersecurity Report, which described the current status and common challenges identified in the course of monitoring progress with the 2018 Policy Approaches document. Among other things, the report noted that cyber risks surrounding financial institutions have increased further due to the COVID-19 pandemic and the postponed Tokyo 2020 Olympics and Paralympics. In response, the FSA will encourage small and medium FIs to maintain and improve the effectiveness of their basic cybersecurity management systems through cooperation with their industry groups and to upgrade their incident response capabilities through cyber exercises. With regard to larger institutions, the FSA will encourage them to upgrade risk management regarding group-wide and global cybersecurity and further advance cybersecurity countermeasures.

Mainland China

Under the Cybersecurity Law, financial institutions have additional cybersecurity requirements to meet given that they are considered to be CII operators.

At the financial regulatory level, financial institutions are generally required to protect client confidentiality, and implement enhanced protections over AML information and personal financial information. Cybersecurity is also an important regulatory focus, among others, in regulations issued by relevant financial regulators on IT system development, outsourcing and operations of various financial institutions.

China’s central bank, the People’s Bank of China, released its new Personal Financial Information Protection Technical Specification on 13 February 2020, which took effect immediately. This industry standard sets forth additional privacy and cybersecurity requirements on the life cycle of personal financial information collected and processed by financial industry institutions.

Singapore

Financial institutions in Singapore are subject to the regulatory oversight of the Monetary Authority of Singapore (“MAS”). One of the key regulatory focus areas of the MAS is to build a cyber-resilient financial sector. In this regard, the MAS has issued three key sets of cybersecurity-focused notices and guidelines: the Technology Risk Management Guidelines; Notices on Technology Risk Management; and Notices on Cyber Hygiene. These notices and guidelines generally set out obligations of financial institutions relating to (a) system reliability, availability and recoverability, (b) notification to the MAS of IT security incidents and malfunction of critical systems, and (c) the security of customer information, and also provide key risk management principles and best practice standards to guide financial institutions in establishing a sound and robust technology risk management framework.

On 18 January 2021, the MAS issued revised Technology Risk Management Guidelines to take into account the fast-changing cyber threat landscape and financial institutions’ increased reliance on cloud technologies, application programming interfaces, and rapid software development. The new guidelines apply to all banks, payment services firms, brokerage and insurance firms.

US

The Gramm-Leach-Bliley Act (“GLBA”), enacted in 1999, in conjunction with implementing regulations published by financial services regulators, requires financial institutions to employ technical, physical and administrative safeguards to protect non-public personal information of consumers from unauthorised access or use. The comprehensive security program developed by each company is unique and appropriate to the size of the company and the scope of the company’s activities and information. GLBA regulations further require certain financial institutions to notify regulators and data subjects after breaches of non-public personal information.

The US Securities and Exchange Commission (“SEC”) also uses its civil law authority to bring cyber-related enforcement actions. Rule 30 of Regulation S-P (the Safeguards Rule) requires brokers, dealers and investment companies registered with the SEC to adopt written policies and procedures safeguarding customer records and information. The SEC also set up the Division of Enforcement’s Cyber Unit in 2017 to focus on, among other things, cybersecurity controls at regulated entities and issuer disclosures of cybersecurity incidents and risks. The SEC issues guidance to help investors protect themselves from cyber threats.

The Sarbanes-Oxley Act requires any publicly traded company in the United States to issue an annual Internal Control Report certifying that the company maintains adequate internal controls for financial reporting, including the security and integrity of the company’s information systems. Notably, executives can face criminal penalties for noncompliance.

The Commodity Futures Trading Commission (CFTC) Regulations require all CFTC registrants to adopt policies and procedures that implement administrative, technical and physical safeguards to protect customer information.

The New York Department of Financial Services Cybersecurity Requirements require regulated entities to implement and maintain cybersecurity programs that meet specified requirements, conduct periodic testing and risk assessments, employ and train qualified cybersecurity personnel, monitor third-party vendor compliance with cybersecurity controls, and report certain cybersecurity incidents to New York State.
Dimension 3 – Cyber Culture

Hong Kong

The Hong Kong Enterprise Cybersecurity Readiness Index is issued by the Hong Kong Productivity Council and measures the status of local cyber security awareness and cyber-readiness in business. The most recent version was published in May 2020 and reported an Overall Readiness level of 46.9 (with 100 being the highest level of readiness), a slight decrease from the 2019 survey, potentially due to the need to prioritize business resources in the current challenging business environment. The survey further revealed that:
• except for NGOs and schools, the overall readiness index for all industries fell as compared with 2019;
• the financial services sector continued to be the most vigilant, with readiness at the “managed” level;
• the readiness level of all other industries, such as NGOs, information and communication technology, manufacturing and professional services, is “basic”;
• larger enterprises have generally adopted more comprehensive cybersecurity measures; and
• more enterprises encountered external cyberattacks in 2020 than in 2019, with phishing emails being the top type of attack.

Australia

The annual Cyber Threat Report (July 2019 to June 2020) published by the Australian Cyber Security Centre (“ACSC”) found that, of the 2,266 cyber security incidents reported during the reporting period:
• the largest proportion were assessed as being ‘Category 5 – Moderate Incident’ (36.5%), followed by ‘Category 4 – Substantial Incident’ (33.3%); and
• the most common type of cyber security incident was ‘malicious email’ (27%), followed by ‘compromised system’ (24.4%), which describes incidents where an adversary has accessed or modified a network, account, database or website without authorisation.

EU

A survey of the attitudes of Europeans towards cybercrime was published by the European Commission in January 2020 and reported that:
• awareness of cybercrime is rising, with 52% of respondents stating they are fairly well or very well informed about cybercrime, up from 46% in 2017;
• respondents are growing less confident about their capacity to stay safe online: 59% think they can protect themselves sufficiently against cybercrime, down from 71% in 2017;
• more than a third of the respondents have received fraudulent emails or phone calls asking for personal details in the last three years; and
• 10% of the respondents say cybersecurity concerns make them less likely to make purchases online.

Japan

A 2018 survey of Japanese public opinion by the Pew Research Center published in July 2019 highlighted that:
• 81% of the respondents say attacks on computer systems launched from other countries are a major threat to Japan, representing a 10 percentage point increase since 2016;
• cyberattacks have been ranked as the top international worry among Japanese citizens every year since 2016; and
• 84% of the Internet users in Japan voiced concern about cyberattacks.

Mainland China

The 44th statistical report on China’s Internet development by the China Internet Network Information Center (published in September 2019) reported that:
• as at 30 June 2019, 99.1% of China’s 854 million Internet users accessed the Internet via mobile networks; and
• in the first half of 2019, a significant number of internet users consumed online services, e.g. online food ordering and delivery: 421m users; online shopping: 639m users; online payment: more than 633m users; online streaming services: more than 759m users; and nearly 40% of the total Internet users used ride-hailing services.

In a September 2020 survey by the PRC cybersecurity authorities, around 88.5 percent of respondents said they will be cautious in giving permission to mobile apps to access mobile phone sensors and data. Other findings included the fact that half of the respondents said they would carefully read the privacy policy popping up when opening an app for the first time or before updating it. The survey also showed 77.8 percent of respondents agreed that regulators should increase punishment for violations and 72.2 percent proposed legislation on personal data protection.

Singapore

A 2019 Cybersecurity Public Awareness survey by the Cyber Security Agency of Singapore (published in August 2020) found that:
• the level of concern for cyber incidents is high;
• most respondents agreed that everyone has a role to play in ensuring cybersecurity;
• there continued to be room for improvement in respondents’ cyber hygiene, e.g. the majority did not install security applications on their devices despite knowing the risks;
• respondents faced difficulty in identifying phishing emails, i.e. only 4% of respondents could identify all the phishing emails correctly; and
• many respondents continued to think that cyber incidents would not happen to them.

US

A survey by the Pew Research Center published in October 2019 reported that Americans:
• vary substantially in their understanding of technology-related issues by educational level as well as by age; and
• vary in their understanding of technology-related issues depending on the topic. For instance, over 60% of Americans surveyed correctly answered questions related to phishing scams and cookies, while only 30% of them correctly answered a question related to URL or website encryption.

An earlier Pew survey published in January 2017 reported the following:
• Americans generally fail to follow cybersecurity best practices in their own digital lives, e.g. password management;
• 64% of Americans surveyed have personally experienced a major data breach;
• a relatively large percentage of the public lack trust in key institutions (e.g. federal government, social media sites) to protect their personal information; and
• Americans are not always vigilant in the context of mobile security, e.g. 28% of the respondents who are smartphone owners report that they do not use a screen lock or other security features, while around one in ten people reported that they never install updates to their smartphone’s apps or operating system.
Dimension 4 – Cybersecurity Education, Training and Skills

Hong Kong

A number of government-supported platforms have been set up to provide information and guidelines in relation to cybersecurity, including:
• the Cybersecurity Information Portal;
• Cybersec Infohub;
• the Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT);
• the Government Computer Emergency Response Team Hong Kong (GovCERT.HK); and
• the Cybersecurity and Technology Crime Bureau under the Hong Kong Police Force.

The government has also launched various initiatives to promote information sharing and collaboration among local information security stakeholders in different sectors. One such initiative is “Cybersec Infohub,” the objective of which is to facilitate cross-sector collaboration for better visibility of cyber threats globally and locally. The programme has been operating for more than a year, and more than 360 public and private organisations from various sectors have joined the programme as of January 2021. The programme provides organisations with a reference in gathering cyber security information and meeting with information security stakeholders to share the latest

Australia

As part of the Australian cyber-security strategy, various government initiatives have been established:
• The Australian Cybersecurity Growth Network and the Cyber.gov.au portal undertake initiatives to grow the domestic cybersecurity industry and to raise awareness of cybersecurity risks respectively;
• Academic Centres of Cybersecurity Excellence are set up to encourage more students to undertake studies in cybersecurity and related courses; and
• Voluntary Cybersecurity Guidelines are being developed to promote good cybersecurity practice across different organisations.

In addition, to increase the number of skilled cyber security professionals, Box Hill Institute, with industry support, has developed two national cyber security qualifications: a Certificate IV in Cyber Security and an Advanced Diploma of Cyber Security. These are the first nationally-recognised cyber security vocational education qualifications in Australia.

The Cybersecurity Strategy 2020 will involve the government investing AUD1.67 billion over ten years to introduce various initiatives, including:

EU

ENISA supports many initiatives for raising awareness of and educating about cybersecurity issues, including:
• guidance for improving cybersecurity culture;
• the “European Cybersecurity Month” campaign, which is organized once a year;
• recurring initiatives meant directly for students, such as the yearly ‘European Cyber Security Challenge’;
• to promote cybersecurity education and address the cybersecurity skills shortage, maintenance of a crowd-sourcing database of cybersecurity-related education programmes;
• development of proper mechanisms and consistency for cyber incident and crisis management; and
• development of a European Cybersecurity Skills Framework to create a common understanding of the roles, competencies, skills and knowledge in order to address the cybersecurity skills shortage.

The European Cybersecurity Organisation (“ECSO”) was created in 2016 in order to act as the Commission’s counterpart in a contractual public-private partnership covering Horizon 2020 in the years development at European level. 2016

Japan

Cybersecurity education and training programs have been created in Japan by a wide range of organizations, including government bodies and research/educational institutions. For example:
• a cyber-defense program (CYDER) initiated by the Ministry of Internal Affairs and Communications in 2013 focuses on competence in dealing with cyberattacks on government offices, administrative agencies, as well as large companies; and
• a program to equip university students with the basic skills needed for IT security engineers (SecCap) offered by a consortium of Japanese universities.

The Japanese Defense Ministry announced in early 2021 that it would hold its first competitive cybersecurity talent search, in which participants compete to show their understanding of cybersecurity and ability to apply that knowledge. The contest is part of the government’s search for talent to strengthen the country’s cyber defenses.

The Cybersecurity Strategy Headquarters promotes measures to develop security standards, raise awareness, strengthen failure response frameworks, and

Mainland China

The government plans to establish a number of “world-renowned” cybersecurity schools by 2027 to build a strong group of professionals to combat cyberattacks. As of 2019, 11 universities have been selected to participate in this initiative.

The 2020 China Cybersecurity Week sponsored by the Office of the Central Cyberspace Affairs Commission offered a wide range of activities. The campaign’s main event included a forum on cybersecurity, to promote good practices and increase awareness of the implementation and application of national cybersecurity standards.

Collaboration among the industry, academia and the Chinese government has also helped in the cultivation of cybersecurity talent.

Singapore

The CSA oversees cybersecurity strategy, education and outreach, and industry development, and works with government agencies as well as partners from the private sector in these aspects.

The Cybersecurity Awareness Alliance, a public-private partnership which is co-chaired by the CSA, aims to build a positive cybersecurity culture and to increase cybersecurity awareness.

The CSA has also introduced various programmes and initiatives to promote cybersecurity education, such as:
• the Cybersecurity Associates and Technologists Programme and the Cybersecurity Career Mentoring Programme, which have been launched to train and up-skill ICT professionals and to attract students and young professionals to pursue a cybersecurity-related career respectively;
• ICE71, a cybersecurity startup hub that aims to strengthen Singapore’s growing cybersecurity ecosystem by developing and accelerating cybersecurity start-ups from early to late stages, through partnerships with Institutes of Higher Learning, large local enterprises and

US

NIST, a unit of the US Commerce Department, is the leading educational and outreach organization within the United States. Through events, presentations and the promulgation of written resources such as cybersecurity and incident response frameworks, NIST aims to enable the development of cybersecurity solutions and technologies that strengthen the United States’ security capabilities.

As part of the CNCI initiatives, the National Initiative for Cybersecurity Education (“NICE”) was established in 2010 as a partnership between government, academia, and the private sector to address cybersecurity needs related to public awareness, education, professional development, and talent management. NIST was tasked as the lead for NICE to support its functions by promoting the initiatives.

The National Initiative for Cybersecurity Careers and Studies, launched in 2013, is an online national resource portal for cybersecurity education, training, and career opportunities. CyberCareers.gov provides updated cybersecurity information and resources to support federal employees, students and academics.

In 2015, the United States Department of
security trends and • Greater collaboration to 2020. ECSO manage and global cybersecurity Justice computer
best practices. to build Australia’s carries out various address risks. accelerators; Crimes and Intellectual
cyber skills activities aiming at • the SG Cyber Property Cybersecurity
On the industry level, pipeline; community building The Ministry of Women initiative, Unit issued a “Best
the banking sector • Stronger partnerships and industrial develop- Economy, Trade and which is targeted Practices for Victim
has an enhanced with industry ment at European Industry (METI) and the to encourage Response and
competency framework through the Joint level. Information-technology more females, Reporting of Cyber
on cybersecurity. Cyber Security Promotion Agency, from as young as Incidents” report,
48
Hong Kong Australia EU Japan Mainland China Singapore US
On the tertiary and Centre program; Japan (IPA) have pre-tertiary age, to which was later
continuing education • Advice for small together issued join the cybersecurity updated in 2018.
level, universities in and medium “Cybersecurity profession; and This report provides
Hong Kong were enterprises to Management • the CSA Cybersecurity guidance to
some of the first in increase their Guidelines” to urge Co-Innovation and organizations as to
Asia to incorporate cyber resilience; companies to Development how to prepare for
industry-ready and recognise cybersecurity Fund, which and respond to
cybersecurity • Improved community risks and develop provides funding cyber incidents
elements into the awareness of company-wide support to lawfully and through
curriculum. cyber security measures. companies adequate incident
threats. working on response planning.
On attracting cybersecurity
non-local talent, the challenges. In 2016, as part of
Government’s the CNAP, President
Technology Talent The inaugural Obama invested $62
Admission Scheme Singapore Cybersecurity million to advance
provides fast-track Education Symposium the following: offer
arrangement to (“SCES”), organised scholarships for
admit cybersecurity by the CSA, held on Americans who wish
professionals. Its 19 to 20 November to obtain cybersecurity
Talent List also 2020, was the education; develop a
facilitates cybersecurity first-of-its-kind in the Cybersecurity Core
specialists to apply region. The event is Curriculum for
for immigration. one of the key cybersecurity
initiatives under the education; and
SG Cyber Educators strengthen the
programme, which National Centers for
objective is to grow a Academic Excellence
passionate pool of in Cybersecurity
secondary and Program to increase
tertiary school the number of
teachers, and participating
Education & Career academic institutions
Guidance counsellors and students.
to be familiar with
cybersecurity to In May 2017, the
interest and guide Trump administration
49
Hong Kong Australia EU Japan Mainland China Singapore US
their students to tasked various cabinet
make cybersecurity secretaries to jointly
a choice for their assess the scope and
education and sufficiency of efforts to
career. educate and train the
American cybersecurity
CSA has announced workforce, including
that it will continue to cybersecurity-related
expand into new education curricula,
areas through the training, and
introduction of two apprenticeship programs.
new programmes to
nurture top young In May 2019, President
talent and leaders. Trump issued an
The two new Executive Order on
programmes are SG America’s Cybersecurity
Cyber Olympians Workforce, which
and SG Cyber established a federal
Leaders. More cybersecurity rotational
details on both assignment program
programmes will be among cybersecurity
released soon. practitioners in the
Department of
Homeland Security
and other agencies.
The Executive Order
also promoted the
use of the NICE
Framework for
cybersecurity
workforce knowledge
and skill requirements.
Note: This table is non-exhaustive and intended only to give an indication of some of the key features of the cybersecurity frameworks of the listed jurisdictions as of March 2021.
Acknowledgement

The FSDC would like to thank the following experts and professionals for their valuable input:

Mr Jim Lai
Ms Karen Chan
Mr Philip Chiu
Mr Victor Ho
Ms Eva Kwok
Mr Henry Shek
Mr Steve Wong
About the FSDC

The FSDC was established in 2013 by the Hong Kong Special Administrative Region Government as a high-level, cross-sectoral advisory body to engage the industry in formulating proposals to promote the further development of the financial services industry of Hong Kong and to map out the strategic direction for the development.

The FSDC has been incorporated as a company limited by guarantee with effect from September 2018 to allow it to better discharge its functions through research, market promotion and human capital development with more flexibility.
Contact us

Email: [email protected]
Tel: (852) 2493 1313
Website: www.fsdc.org.hk