Hong Kong can do more in fight against rising cybercrime in financial sector
By King Au
What is the difference between the economic cost of the global COVID-19 pandemic and global cybercrime in 2021?
The economic cost of the COVID-19 pandemic is estimated to be in the region of US$5-US$6 trillion in terms of lost global GDP. Its cost in broader terms is, of course, immeasurably higher. The cost of annual cybercrime worldwide is forecast to reach about US$6 trillion this year.
That valuation makes cybercrime more profitable than the global trade of all major illegal drugs combined. Its mounting cost and impact run deeper than ever, having accelerated discernibly since the start of the pandemic because of both the largely unplanned increase in homeworking, ecommerce and electronic trading, and the fact that criminals have been forced online too.
Cybercrime comes in various shapes and forms, such as phishing, ransomware and hacking. Its costs include destruction of data, lost productivity and business disruption, fraud, along with theft of money, intellectual property, personal and financial data. There is often a cost in reputational damage for both the business and the jurisdiction it is in, and for the restoration of data and systems, and possibly even an investigation.
Financial sector an attractive target
The financial services sector is heavily targeted by hackers and other cyber criminals, who are attracted to the sensitive data on individuals, businesses and governments held by banks and other financial institutions. As a sector, it typically features in the top five sectors for severity and frequency of cyber-attacks.
During the first three months of the pandemic, attacks against the financial sector increased 238% globally, while 80% of financial institutions reported an increase in cyberattacks in 2020, according to VMware. Indeed, in a survey of global business customers, Allianz found nearly half citing cybercrime as the top risk for the financial services sector, ahead of the pandemic, business interruption and legislative or regulatory change.
As a leading global financial centre, Hong Kong is an attractive target for cyberattacks. It’s an unfortunate fact that the level of economic losses experienced in the city as a result of cybercrime is on an upward trend.
During the past decade, Hong Kong has seen a huge increase in cybercrime, with reported incidents rising from 2,206 in 2011 to 12,916 in 2020. During 2020, the number of cases rose 55% from 2019. The value of those crimes rose from HK$148 million in 2011 to a staggering HK$2.96 billion last year.
Smart City Blueprint needs cybersecurity plan
Hong Kong can certainly do more to protect itself from cybercrime. Its holistic Smart City Blueprint brings together payments, transport, energy, education, water, work, living spaces and other elements that comprise a modern city in a vision underpinned by digital technology.
It is important and clearly positive that the blueprint incorporates cyberspace safety into the vision: “Enhance the Government’s cyber security capability to address new security risks, facilitate collaboration among stakeholders to promote awareness and incident response capability in the community.”
But more could be done; more planning is needed. Clearer work plans with policy priorities over a longer time horizon are important because they help different stakeholders, including businesses in Hong Kong, to coordinate and contribute their part accordingly.
Hong Kong would benefit from the establishment of an independent commission, similar to the Australian Signals Directorate or the Cyber Security Agency of Singapore. Alternatively, it could set up a cross-bureau working group to coordinate both regulatory and enforcement actions.
In Hong Kong, there is no specific legislation that deals with cyber offences. The legal framework for cyber offences is set out in other existing legislation, such as the Personal Data (Privacy) Ordinance, the Unsolicited Electronic Messages Ordinance, the Interception of Communications and Surveillance Ordinance and the Official Secrets Ordinance.
Regulation and oversight fragmented
The regulation and oversight of these different pieces of legislation is fragmented. The Cyber Security and Technology Crime Bureau (CSTCB) of the Hong Kong Police Force is responsible for handling cyber security issues and for carrying out cybercrime and technology crime investigations, computer forensic examinations and prevention of technology crime.
At the same time, the Office of the Privacy Commissioner of Personal Data (PCPD) oversees data-related issues, and adherence to its Guidance on Data Breach Handling and the Giving of Breach Notifications. There’s also the Commissioner on Interception of Communications and Surveillance.
In the financial services sector, there are the Code of Conduct for Persons Licensed by or Registered with the Securities and Futures Commission (SFC) and the Management, Supervision and Internal Control Guidelines for Persons Licensed by or Registered with the SFC. Regulation and oversight of these businesses and individuals is part of the SFC’s role.
Besides the SFC, the Hong Kong Monetary Authority (HKMA) and Insurance Authority (IA) also have their respective guidelines to assist their licensed institutions in handling cybersecurity issues. Some degree of coordination is seen, but more efforts towards coordinating policy responses need to be made.
Omnibus cybersecurity protection
Many of the world’s leading jurisdictions in cybersecurity have an omnibus cybersecurity protection law as a core element of their cybersecurity framework. Hong Kong should consider introducing its own omnibus Cyberspace Protection Ordinance. Alongside this, other related statutes should be reviewed on a regular basis to ensure that they remain fit for purpose and aligned with international standards.
With the HKMA’s introduction of the enhanced competency framework, the market has generally seen an improvement in the cyber resilience of the banking sector. However, given the high level of inter-connectivity among various areas within the financial services industry, the banking sector’s progress could be undermined if the other sectors do not demonstrate a comparable degree of resilience.
Regulators, public and private sectors must work together
An effective approach would be for other financial regulators, including the SFC and the IA, to consider joining hands to build on the HKMA’s competency enhancement framework, developing it into an overarching structure with specialised streams of expertise to meet evolving supervisory requirements in different sectors.
As the world looks ahead to a post-pandemic situation and how to pay for the cost of it, governments, regulators and businesses would be wise to look closely too at the cost of cybercrime, which continues to rise. It’s grand larceny on a scale that far exceeds anything that’s gone before.
As an international financial centre, Hong Kong attracts an increasing number of cybercrimes. In response, the level of readiness among financial institutions to prevent and handle cyber risks has improved.
Going forward, while harnessing the power and partnership of the local public and private sectors, the city needs to keep pace with international cybersecurity standards. One way would be to consider adopting the cybersecurity frameworks of jurisdictions widely viewed as leaders in the field.