
TM-C-1 Supervisory Approach on Cyber Risk Management

Nov 29, 2024

On 29 Nov 2024, the HKMA issued TM-C-1 to supersede its 2015 cybersecurity circular, establishing a risk-based supervisory framework requiring AIs to implement the Cyber Resilience Assessment Framework (C-RAF) and adopt Secure Tertiary Data Backup (STDB). The document mandates regular cyber resilience assessments, systemic risk mapping, and enhanced information sharing via the Cyber Intelligence Sharing Platform (CISP) to strengthen sector-wide cyber resilience and incident response capabilities.

This article was generated using SAMS, an AI technology by Timothy Loh LLP.

Introduction

On 29 Nov 2024, the Hong Kong Monetary Authority (HKMA) issued Supervisory Policy Manual (SPM) TM-C-1, superseding the Circular on 'Cybersecurity Risk Management' dated 15 September 2015, to establish a risk-based supervisory approach for authorized institutions (AIs) managing cyber risks and strengthening banking sector cyber resilience.

Regulatory Framework and Key Changes

TM-C-1 replaces the 2015 circular with a comprehensive supervisory framework, requiring AIs to implement the Cyber Resilience Assessment Framework (C-RAF). The C-RAF mandates inherent risk assessments based on business size and technology profile, maturity assessments of cybersecurity controls, and Intelligence-led Cyber Attack Simulation Testing (iCAST) for AIs with 'medium' or 'high' inherent risk ratings. AIs must conduct regular C-RAF assessments to align cyber defence maturity with risk exposure, with the HKMA updating the framework to address evolving threats.

Systemic Risk Management and Incident Response

The HKMA adopts a risk-based supervisory approach prioritizing AIs with higher cyber risks and evolving threats, emphasizing ongoing risk assessment and agility. To address systemic cyber risks, the HKMA conducts cross-sector cyber mapping exercises with financial authorities to identify network interdependencies and concentration risks. AIs are required to adopt Secure Tertiary Data Backup (STDB) to ensure data resilience against destructive attacks like ransomware, and must promptly report significant cyber incidents to the HKMA and relevant authorities.

Collaboration and Information Sharing Infrastructure

The HKMA mandates AIs to participate in the Cyber Intelligence Sharing Platform (CISP) under the Cybersecurity Fortification Initiative for secure, timely exchange of cyber threat intelligence. Domestic collaboration includes aligning supervisory regimes with Hong Kong's cybersecurity strategy and enhancing collective response mechanisms through information sharing with government bureaux and sectoral authorities. Internationally, the HKMA integrates FSB and BCBS standards into local supervision and actively participates in global cyber intelligence sharing.
