Security, Risk, Compliance & Controls - Cybersecurity Legal Framework in Hong Kong

Paolo Sbuttoni, Special Counsel, Baker & McKenzie
17 June 2016
© 2016 Baker & McKenzie. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.


Page 1

© 2016 Baker & McKenzie © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Paolo Sbuttoni, Special Counsel, Baker & McKenzie

17 June 2016

Security, Risk, Compliance & Controls - Cybersecurity Legal Framework in Hong Kong

Page 2

This presentation has been prepared for clients and professional associates of Baker & McKenzie. Whilst every effort has been made to ensure accuracy, this presentation is not an exhaustive treatment of the area of law discussed and no responsibility for any loss occasioned to any person acting or refraining from action as a result of material in this presentation is accepted by Baker & McKenzie.

Baker & McKenzie, a Hong Kong Partnership, is a member firm of Baker & McKenzie International, a Swiss Verein with member law firms around the world. In accordance with the common terminology used in professional service organisations, reference to a "partner" means a person who is a partner, or equivalent, in such a law firm. Similarly, reference to an "office" means an office of any such law firm. © 2016 Baker & McKenzie

AWS Enterprise Summit: Security, Risk, Compliance & Controls - Cybersecurity Legal Framework in Hong Kong
Paolo Sbuttoni, Special Counsel, Baker & McKenzie
17 June 2016

Page 3

Agenda
•  Cybersecurity trends
•  Legal framework on data security in Hong Kong for FSIs (recent SFC and HKMA developments)
•  Practical tips to address the risks

Page 4

Cybersecurity trends

Page 5

Increase in data breaches
‒  New York Times:
   §  Articles containing "data" and "breach" in 2012 = 117
   §  Articles containing "data" and "breach" in 2015 = 650
‒  Annual Verizon Data Breach Investigations Report:
   §  2012 report – 855 breaches, 174 million compromised records
   §  2015 report – 2,122 breaches, 700 million compromised records

Page 6

Trends
‒  Increasing incidence of attacks: large and small scale
‒  Increasing opportunity to do harm with personal information, e.g. identity theft, extortion, corporate and political sabotage
‒  Increased expectations and legal obligations (including reporting):
   §  US Cybersecurity Act 2015
   §  EU Network Information Security Directive

Page 7

Risks for FSIs
‒  Loss of confidential data, including trade secrets
‒  Prevention of access to data needed to run the business
‒  Loss of income/loss of clients
‒  Loss of reputation
‒  Costs associated with remedying the breach/improving systems
‒  Breach of contractual obligations
‒  Notification and potential penalties
‒  Involvement in police or regulatory investigation

Page 8

Baker & McKenzie Cybersecurity Counter-offensive Asia Pacific Guide
•  Provides an outline of the preliminary assessment we recommend should be undertaken by clients when confronted with a suspected data breach
•  Identifies, for 13 countries in the Asia Pacific region, the position in response to a number of common issues which arise in dealing with a data breach incident

Page 9

Common issues arising from a data breach incident

(Please refer to Baker & McKenzie Cybersecurity Asia Pacific Guide for further detail)

Question                                                                            .au .cn .hk .in .id .jp .my .ph .sg .kr .tw .th .vn
Is it unlawful to access third party data without authorisation?                    Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes
Are there any civil legal processes available to retrieve lost data?                Yes Yes Yes Yes No  Yes Yes Yes Yes Yes Yes Yes No
Is it possible to keep legal proceedings confidential?                              Yes Yes Yes Yes No  Yes Yes Yes Yes Yes Yes Yes No
Are there obligations with respect to holding personal information securely?        Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes
Are there specific laws restricting/limiting the export of personal information?    Yes Yes No  No  No  No  Yes Yes Yes Yes Yes Yes No
Is there a general obligation to notify data subjects of a security breach?         No  No  No  No  Yes No  No  Yes No  Yes Yes No  No
Is there a general obligation to notify the authorities of a data breach?           No  No  No  Yes No  No  No  Yes No  Yes No  No  Yes
Are there sector specific data breach notification obligations?                     Yes Yes No  No  No  Yes No  Yes Yes Yes Yes Yes Yes

Page 10

Legal Framework on data security in Hong Kong

Page 11

Data Security Framework
Personal Data (Privacy) Ordinance
‒  Six Data Protection Principles (DPPs):
   1.  Scope of collection
   2.  Accuracy and length of retention
   3.  Use of data
   4.  Security of data
   5.  Data privacy policies
   6.  Rights of access

Page 12

Data Security Framework
‒  Data Protection Principle 4: All practicable steps shall be taken to ensure that personal data held by a data user are protected against unauthorized or accidental access, processing, erasure, loss or use
‒  All practical and reasonable protection measures to be taken, given the circumstances (kind of data, physical location, transmission of data)
‒  Failure to take these steps:
   §  Enforcement Notice against the data user
   §  Civil claim by affected data subjects against the data user

Page 13

Sector specific guidelines

HKMA
•  Supervisory Policy Manual:
   §  General Principles for Technology Risk Management
   §  Operational Risk Management
   §  E-banking
   §  Outsourcing
•  Circular on Examinations on controls over Customer Data Protection (2006) / Customer Data Protection (2008)
•  Circular on Customer Data Protection (October 2014)
•  Cybersecurity Risk Management (September 2015)
•  Cybersecurity Fortification Initiative (24 May 2016)
•  Circular on security controls related to internet banking services (26 May 2016)

SFC
•  Code of Conduct
•  Internal Control Guidelines
•  Circular on IT Management (March 2010)
•  Circular on Internet Trading: Reducing Internet Hacking Risks (January 2014)
•  Circular to all Licensed Corporations on Cybersecurity (23 March 2016)
•  Circular: Mitigating Cybersecurity Risks (November 2014)
•  Circular: Internet Trading (June 2015)

Page 14

SFC Circular on Cybersecurity - 23 March 2016

Five Key Areas of Concern
1. Inadequate coverage of cybersecurity risk assessment exercises
2. Inadequate cybersecurity risk assessment of service providers
3. Insufficient cybersecurity awareness training
4. Inadequate cybersecurity incident management arrangements
5. Inadequate data protection programs

Eight Suggested Cybersecurity Controls
1. Establish a strong governance framework to supervise cybersecurity management
2. Implement a formalized cybersecurity management process for service providers
3. Enhance security architecture to guard against advanced cyber-attacks
4. Formulate information protection programs to ensure sensitive information flow is protected
5. Strengthen threat intelligence and vulnerability management to pro-actively identify and remediate cybersecurity vulnerabilities
6. Enhance incident and crisis management procedures with more details of the latest cyber-attack scenarios
7. Establish adequate backup arrangements and a written contingency plan incorporating the latest cybersecurity landscape
8. Reinforce user access controls to ensure access to information is only granted to users on a need-to-know basis

Page 15

HKMA Cybersecurity Fortification Initiative (CFI)

A comprehensive initiative and a supervisory requirement for banks in Hong Kong to implement, raising the level of cybersecurity through a three-pronged approach (HKMA Circular 24 May 2016):

Cyber Resilience Assessment Framework
• Seeks to establish a common risk-based framework for banks to assess their own risk profiles and determine the level of defence and resilience required.
• Draft framework issued to the banking industry for consultation for 3 months.

Professional Development Programme
• Training and certification programme in Hong Kong which aims to increase the supply of qualified professionals in cybersecurity, who will be able to conduct risk assessments.
• HKMA will work with Hong Kong Institute of Bankers (HKIB) and Hong Kong Applied Science and Technology Research Institute (ASTRI) to roll out the first training courses for cybersecurity practitioners by the end of 2016.

Cyber Intelligence Sharing Platform
• Will allow sharing of cyber threat intelligence among banks in order to enhance collaboration and improve cyber resilience.
• HKMA will work with The Hong Kong Association of Banks (HKAB) and ASTRI to establish the Cyber Intelligence Sharing Platform by the end of 2016.
• All banks expected to join.

Page 16

Data Breach Reporting
‒  Guidance on Data Breach Handling and Giving of Breach Notifications (updated October 2015)
‒  Industry specific reporting:
   §  HKMA expects AIs to report breaches to HKMA / affected customers
‒  Privacy Management Programme - Best Practice Guide (2014) recommends:
   §  data users establish procedures and have an officer / team responsible for managing a data breach

Page 17

Practical tips

Page 18

Incident response plan
‒  Formulate policies and procedures which will establish systems for identifying, investigating, mitigating and resolving risks
‒  Regularly monitor compliance with those systems, including, where necessary, conducting further risk assessments

Page 19

Where an incident has occurred
‒  Conduct a timely and proportionate initial investigation
‒  Gather information / contain the breach / assess the "risk of harm" to the data subject
‒  Consider:
   §  Whether the company has any notification obligations, e.g. regulatory, contractual (insurers) – see data breach assessment guidelines in Cybersecurity Counter-offensive Asia Pacific Guide
   §  When notification should be made

Page 20

Early notification is good
‒  Acting quickly:
   §  Assists in containment
   §  Affected individuals/organizations can start to take steps to mitigate their losses
   §  Seen to be concerned – reduced reputational impact

Page 21

Jumping the gun is not
‒  May cause affected individuals to take unnecessary detrimental steps
‒  May cause unaffected individuals to believe they are affected (further loss of reputation)
‒  May compromise the investigation of perpetrators
‒  May increase risk of legal action by customers/contractual counterparties

Page 22

Paolo Sbuttoni Special Counsel, Hong Kong +852 2846 1521 [email protected]