Hong Kong’s central banking institution – the Hong Kong Monetary Authority (HKMA) – has announced the launch of an upgraded Cybersecurity Fortification Initiative 2.0 (CFI 2.0). The changes will come into effect from January 1, 2021, and further enable banking institutions to close the gap on emerging threats across the sector.
The Cybersecurity Fortification Initiative
The Cybersecurity Fortification Initiative was first introduced in 2016 by HKMA to help build the cyber resilience of Hong Kong’s banking sector. The upgraded framework does not change the three core pillars of the original framework, which are:
- Cyber Resilience Assessment Framework (C-RAF): It seeks to establish a common risk-based framework for banks to assess their risk profiles and determine the level of defense and resilience required.
- Professional Development Program (PDP): It aims at providing training and certification programs in Hong Kong to grow its cybersecurity talent pool.
- Cyber Intelligence Sharing Platform (CISP): It allows for the sharing of threat intelligence among banks as well as additional collaboration.
The Changes in CFI 2.0
HKMA recently conducted a holistic review of the CFI 1.0 through surveys, interviews, and industry-based consultations. It was observed that over 90% of the banks found the C-RAF useful and a whopping 100% of the banks said that the intelligence-led Cyber Attack Simulation Testing (iCAST) helped them in preparing against cyberattacks.
Considering this positive response, and with the aim of streamlining the cyber resilience assessment process, Cybersecurity Fortification Initiative 2.0 implements the following changes:
- C-RAF: It now includes the latest ways of approaching incident response (IR) and recovery while responding to the latest forms of cyberthreats.
- PDP: The list of certifications offered has been expanded to include qualifications equivalent to those in international jurisdictions.
- CISP: It now offers advanced sharing of threat intelligence among banks as well as additional collaboration.
Talking about the changes in CFI 2.0, Arthur Yuen, Deputy Chief Executive of the HKMA, said, “Since the launch of the CFI in 2016, the global cybersecurity landscape has continued to evolve and banks have undergone further digital transformation. We have therefore enhanced the CFI to reflect the latest trends in technology and incorporate recent developments in global cyber practices. Enhancements have also been made to facilitate the development of the local talent pool for better management of cybersecurity risk. We believe CFI 2.0 will raise the cyber resilience of the banking sector to an even higher level.”
Although the CFI 2.0 comes into effect in the new year, HKMA has provided a phased approach that gives banks and other financial institutions a total of two years for complete implementation. Read more about the phased approach in this circular.