The Hong Kong Monetary Authority confirmed that cyber criminals are using both sophisticated and commonplace means to breach financial institutions' firewalls with increasing regularity.
Information provided to the HKMA by banks operating in the Territory indicates there were 17 reported cases related to distributed denial-of-service (DDoS) attempts so far in 2015, the HKMA told FinanceAsia. Among those breached were the Hong Kong unit of Malaysia's Public Bank and Hong Kong wealth manager Kowloon Global.
There were three such attacks -- a particularly malicious form of cyber-assault -- in all of 2014, the monetary authority said.
Cyber-attacks on financial institutions in this Asian banking centre are a matter of grave concern to the banks and their clients, prompting the HKMA to release guidelines on cybersecurity risk management on September 15.
Henry Cheng, executive director of the HKMA's banking supervision unit, prefaced the guidelines by noting that the "frequency, stealth, sophistication... and potential impact of cyber attacks are on the rise globally".
Bandits without borders
Last year Standard Chartered bank found itself under siege not only by hackers but by Singapore regulators dismayed that cyber criminals were able to defeat security and steal bank statements belonging to 647 StandChart private wealth clients from a server at its printing company Fuji Xerox.
JP Morgan also suffered a major security breach last year in which the phone numbers of millions of US households and companies were hacked. The attack prompted CEO Jamie Dimon to say the Wall Street bank would likely double cybersecurity spending in the next five years, having spent about $250 million in 2014.
Cheng of HKMA said it was incumbent upon banks and other deposit-taking institutions to conduct "penetration tests related to electronic banking services" and institute proper cybersecurity risk management regimes.
Like most predators, computer attackers pick off companies one by one. Some consultants are therefore calling on businesses to circle the wagons.
The finance industry and regulators are in favour of mounting a united defence against cyber crime, like that proposed by Mark Clancy, CEO of cybersecurity firm Soltra. Clancy advocates for the sharing of information between companies to identify and block attacks being made against multiple organisations.
Anita Lam, a solicitor at the law firm of DLA Piper, told FinanceAsia that "companies in Asia are generally considered as less prepared" for the increase in cybercrimes than their counterparts in the West.
Lam, of counsel in the firm's employment practice, said institutions had no doubt "stepped up security measures" in the wake of recent attacks, noting that companies of all stripes have been "training employees in how to detect phishing emails" and even phone calls used to extract information to breach firewalls and access confidential information on servers.
DLA Piper advises Hong Kong regulatory authorities on the implementation of rules set up to prevent the cross-border transfer of personal data.
"The consequences of not protecting your business sufficiently from cybercrimes can be huge," Lam and Scott Thiel, a partner in DLA Piper’s intellectual property & technology practice, co-wrote in a briefing paper on cybersecurity. "It can lower the company's value, damage reputation and ultimately, destroy the business."
Bona fide internet security firms -- and those purporting to safeguard data from hackers -- are cropping up across Asia.
Some banks are even employing younger, tech-savvy staff in the hopes that so-called "internet natives" will prove more adept at detecting fraudulent or unusual network behavior before it causes irreparable damage.
Predictive analytics, said Lam, which is mostly used as a tool for marketing companies who make use of data collected from consumers' online interactions to predict purchasing behaviour, is also being used in the battle against cyber-attacks. DLA Piper and consultancies like EY believe the use of algorithms and predictive analytics will be the trend in countering cyber crime.
“Banks are definitely increasing their expenditure,” Paul O’Rourke, cybersecurity leader for Asia Pacific at Ernst & Young, said. “In some areas of cybersecurity, because it is in such demand, it is becoming increasingly hard to acquire and to retain resources. It is a very hot market for skilled practitioners.”
Vetting internet security firms is also generating business and lending currency to certifying organisations like the Independent International Organisation for Certification. Based in Geneva, the IIOC recently told FinanceAsia that the revision to the ISO 9001 management system has applications to the financial services sector.
"ISO certifications allowed banks to identify the best external service provider," the organisation wrote in a briefing paper for FinanceAsia. "Though the certifications were initially accorded to minor, non-sensitive sectors, the ISO certification ... quickly spread to IT support, training, and later e-banking and customer service call centres in the retail sector."
The IIOC noted that in February 2013 the Bank of East Asia awarded some of its key sub-contracting mandates to providers with ISO 9001 (quality management) and ISO 27001 (information security management) certifications.