Cyber Incident Reporting Obligations for Hong Kong Licensed Financial Services Companies
The number of cyber-attacks is on the rise. In particular, financial services companies were identified as key targets for threat actors in Q2 2022.
A recent report by leading cybersecurity services provider Kroll identified the Finance sector as jointly the second most attacked industry sector in June 2022 (behind Healthcare, and alongside Professional Services), with email compromise passing ransomware and other malware as the leading threat incident type.[1] Q1 2022 saw a 54% increase in phishing attacks used for initial access compared to Q4 2021.[2]
This article summarises the Hong Kong reporting obligations in the event of a cybersecurity incident under the latest guidelines for corporations licensed by the Securities and Futures Commission and institutions authorised by the Hong Kong Monetary Authority. It also addresses the current position under Hong Kong law on data breach notifications to the Privacy Commissioner for Personal Data and to data subjects.
SFC licensed corporations
The Securities and Futures Ordinance and the Code of Conduct for Persons Licensed by or Registered with the Securities and Futures Commission (the “Code of Conduct”)[4] contain no specific references to cybersecurity incidents or data breach reporting obligations.
Rather, the Code of Conduct requires that SFC-licensed corporations (“LCs”) report to the SFC immediately upon “any material breach, infringement of or non-compliance with... the requirements of any regulatory authority”[5] or “any material failure, error or defect in the operation or functioning of [their] trading, accounting, clearing or settlement systems or equipment”,[6] and comply with various additional requirements when conducting electronic trading.[7]
The SFC issued a circular in 2017 reminding LCs to report to the SFC immediately “upon the happening of any material cybersecurity incident including ransomware attacks”.[8] For the 18 months ended 31 March 2017, according to the SFC, 12 LCs reported 27 cybersecurity incidents. Most of these involved hackers gaining access to customers’ internet-based trading accounts with securities brokers, resulting in unauthorised trades totalling more than HK$110 million; some others involved distributed denial-of-service (“DDoS”) attacks targeting their websites, accompanied by threats of extortion.[9]
LCs therefore have to make a judgment call on whether a cybersecurity incident is material and therefore notifiable to the SFC. An attack that causes an extended outage to a financial institution’s trading system or client internet trading accounts is likely to be considered material. Similarly, a ransomware attack that encrypts all of an asset manager’s systems, preventing the collection of any client instructions or the giving of any trading orders, is likely to be material and reportable to the SFC.
The SFC has issued no specific rules or guidance on customer data leaks. An email compromise that leads to an extraction of personal data but allows normal operations to continue may not be considered material to the SFC under current regulations.
HKMA authorised institutions
The HKMA stresses in its Supervisory Policy Manual for Technology Risk Management[11] and its circular on Incident Response Management Procedures[12] that once an institution authorised by the HKMA under the Banking Ordinance (an “authorised institution” or “AI”) becomes aware that a “significant incident”, “IT-related fraud or a major security breach” has occurred, it “should notify the HKMA immediately and provide [the HKMA] with whatever information is available at the time”. The HKMA is clear that AIs must not wait until they have rectified the problem before reporting the incident to the HKMA. This is clearer than the obligations stated by the SFC.
The HKMA’s Incident Response and Management Procedures circular also provides a specific obligation to “proactively notify the customers affected or likely to be affected... and advise them of the steps or precautionary measures that they need to take as well as whether the bank would reimburse any losses”. In the event of a “cyberthreat”, AIs should also endeavour to issue warning messages to all or the relevant customers, as appropriate, as soon as practicable.[13] AIs are further required to “consider making a public announcement where the situation so warrants”, for example where the nature of the incident is serious (e.g. disruption to any “essential and critical banking service channel” or where “the disruption may last for a prolonged period of time”) or where a large number of customers have been affected.
However, the HKMA emphasises that these are only “the broad principles” and AIs may need to take into account other factors. The HKMA has not set out lists of what incidents it considers should be notifiable to it, and what would not. Once an AI has become aware that a “significant incident” has occurred, it is required to notify the HKMA immediately. The burden therefore rests on AIs, in deciding whether to report cyber incidents to customers or the HKMA, to consider the impact and severity of the cyber incident and how it might affect customers and the AIs’ operations. AIs are also expected to make a separate public announcement if an incident “has wider implications for the general public”.
The HKMA has gone further than the SFC in providing specific guidance on customer data protection and on when to report data “privacy incidents”. In the event of an incident involving “stealing, loss or leakage of customer data”, the HKMA’s circular on Customer Data Protection[14] sets out the procedures AIs are required to follow to handle, respond to and report the incident. These include:
(i) having effective incident handling and reporting procedures in place (i.e. before an incident occurs);
(ii) assigning an officer of sufficiently senior ranking or a designated management committee, which is chaired by senior management, to oversee the handling and reporting of privacy incidents;
(iii) reporting the incident to the HKMA and “relevant regulatory authorities” including the PCPD “where appropriate”; and
(iv) notifying affected customers “as appropriate” or providing a justification why it did not notify affected customers.
Personal data privacy legislation
In handling and responding to any cybersecurity incident, time is of the essence.
A quick, pre-planned response can be critical in preventing the impact of the incident being worse than needed.
As financial services and data privacy regulators tighten their regulations and impose more onerous cyber incident reporting obligations, financial services companies would benefit from implementing a comprehensive cyber-risk prevention and control system to ensure effective and immediate handling of such incidents. This should include the designation of responsible staff for reporting cybersecurity incidents to regulatory bodies.
The regulatory reporting obligations in Hong Kong still provide a lot of ambiguity in relation to when a cyber incident is material enough to require reporting to the financial services regulators, although the HKMA's guidance is clearer. We have not yet seen any enforcement actions by the SFC, the HKMA or the PCPD for failing to report, or late reporting, of a material cybersecurity incident. There remains no statutory data breach reporting obligation to the PCPD under Hong Kong's personal data protection law.
In determining whether a cybersecurity incident is notifiable to the regulators, customers or the public, LCs and AIs should consider the potential impact on the company and its reputation, the seriousness of the incident, and the extent of the impact on customers. They should also seek immediate legal advice if there is any doubt. If there is any doubt about whether an incident should be reported, LCs and AIs may wish to file a voluntary report to the SFC / the HKMA ‘out of an abundance of caution’ in order to demonstrate to the regulators that the company is taking a responsible approach to being the victim of an illegal attack. As a final note, this article looks only at the reporting obligations under Hong Kong law and regulations. Data privacy and cybersecurity laws and regulations across Asia are evolving.
In addition to the increasingly extraterritorial reach of data privacy laws, the international nature of financial services means that companies may be subject to reporting obligations in more than one jurisdiction. In contrast to the Hong Kong position, financial institutions falling within the respective Singapore reporting obligations are required to report a personal data breach to Singapore’s Personal Data Protection Commission within 3 calendar days, or a system malfunction or IT security incident to the Monetary Authority of Singapore within 1 hour. LCs and AIs operating across Asia should therefore consider the legal and regulatory reporting obligations in all relevant jurisdictions (which may include places where they have customers but no operations).
A structured data mapping exercise, pro-active and periodic cybersecurity training and simulations, and preparation of a cyber incident / data breach response plan can all save time, money and anguish, and can even result in a lighter sanction (if any) from the regulators.