By Natalie Barkus
In the era of digitization, the financial services industry faces complex challenges. With fraud, cyberthreats and attacks on the rise, safeguarding valuable and sensitive data is imperative. With the HKMA regularly publishing alerts to the public regarding fraudulent banking websites and phishing emails, it’s evident that vigilance is crucial in the face of increasing cyberthreats. The implementation of effective and secure measures to enforce information security not only protects clients’ and customers’ data but also the reputation of the company and the financial industry.
Post-COVID, the use of technology to facilitate everyday tasks, such as banking, has been embraced by the public. This increase in digitization, albeit positive, has also expanded the attack surface and the opportunities for cyber-attacks. Hong Kong has seen a fourfold increase in cybercrime cases over the last 6 years, with losses due to cybercrime amounting to HK$3.2 billion in 2022 (https://www.boasecohencollins.com/blog/doj-steps-up-cybercrime-fight/#:~:text=Artificial%20intelligence%20has%20exacerbated%20the,over%20the%20last%20six%20years.). Cybercriminals are drawn to the financial sector because of the immense value of the information it holds, which offers opportunities for greater financial gain.
Data breaches can have severe consequences. IBM’s Cost of a Data Breach Report 2023 found that the global average cost of a data breach is approximately USD$4.45 million (https://www.ibm.com/reports/data-breach?_gl=1*y8minc*_ga*MTg3MjIxODcyMi4xNjk3NDM4MzAx*_ga_FYECCCS21D*MTY5NzQzODMwMS4xLjAuMTY5NzQzODMwMi4wLjAuMA..&_ga=2.149093046.1291931853.1697438301-1872218722.1697438301), and the negative impacts do not end there. Not only may companies face lawsuits and/or have to invest more in stronger data protection and cybersecurity measures, but data breaches also have long-term effects on reputation, brand image, and client/customer confidence.
Building trust is vital for establishing a strong reputation and instilling confidence in the brand. A 2017 PwC report found that 85% of customers are unlikely to shop at a business if they have concerns about its security practices (https://www.pwc.com/us/en/advisory-services/publications/consumer-intelligence-series/protect-me/cis-protect-me-findings.pdf), emphasising the need for financial institutions to maintain robust data protection measures in order to reassure their customers that their personal data is safe. Where trust in financial institutions is lost, business is inevitably lost as well.
From a regulatory standpoint, the SFC Code of Conduct specifies that licensed or registered persons are required to implement internal control procedures and financial and operational resources in order to protect the business and their clients from financial loss (section 4.3) and that they must guarantee the reliability, security, and capacity of the electronic trading system they use or offer to clients. They should also have suitable backup plans in case of any unforeseen circumstances (section 18.5 and paragraph 1.2 of Schedule 7).
HKMA similarly sets out the importance of managing technology risks in its revised Policy Manual OR-1 – Operational Risk Management. Financial institutions are encouraged to establish a robust operational risk management framework that considers their organizational structure, risk management culture, and the variety of products and services they offer. This framework should enable FIs to effectively identify, assess, monitor, and control or mitigate operational risks.
Adhering to the regulations is the first line of defence in preventing cybersecurity attacks. Financial institutions should strive to achieve a comprehensive, risk-based approach that goes beyond regulatory compliance. This includes threat detection and anticipation measures to mitigate risk, developing a tailored approach to their business structure, and regular testing and upgrading of security measures. Regulatory compliance alone is not enough to ensure an organization’s cybersecurity.
Culture and employee awareness also play a fundamental role. With 74% of data breaches occurring as a consequence of human errors (https://www.verizon.com/business/resources/reports/dbir/), it is clear that fostering a cybersecurity-focused culture is key. Such a culture encompasses employees’ cybersecurity values, beliefs, knowledge, attitudes, and behaviours. There are several methods organizations can adopt to develop their cybersecurity culture, including cyberthreat and attack drills, training on reporting and response procedures, and incorporating cybersecurity objectives into performance evaluation processes. Nurturing a cybersecurity-focused mindset among employees is not just an option but an imperative for ensuring data protection and resilience against cyberthreats.
Ultimately, trust is paramount to building a company’s reputation and customer confidence. By implementing robust cybersecurity measures and developing a multi-faceted organizational cybersecurity culture, organizations can reassure their customers that their personal data is safe. Failure to do so not only risks financial loss but also leads to lost business opportunities. Therefore, organizations must prioritize information security and take proactive measures to mitigate cyber risks in order to thrive in the age of digitization.