Albert Yuen and Jasmine Yung at Linklaters discuss Hong Kong’s regulatory approach to technology risk and data security.
Hong Kong’s financial institutions (FIs) and tech companies which undergo digital transformation and utilise technologies like artificial intelligence (AI), regulatory technology (Regtech), big data and cloud computing to empower their service offerings will have to navigate a myriad of regulatory requirements.
An appreciation of the approaches taken by regulators and the related requirements will help businesses unlock the benefits of technologies and data solutions and mitigate risks. In this article, we provide observations on regulatory approaches related to technology and data risk management, AI, cybersecurity and cloud computing.
Thematic supervision and evolving guidelines
Whilst regulators have steadfastly upheld their role in enforcement, in recent years we have witnessed a shift towards thematic supervision and enforcement on key issues. For example, Hong Kong’s Privacy Commissioner for Personal Data (PCPD) has stepped up its enforcement efforts under the new doxxing regime, and is expected to continue doing so, in light of a rapid rise in doxxing-related incidents since 2019.
The PCPD has indicated that it will work with the HKSAR Government to conduct a legislative review of the Personal Data (Privacy) Ordinance (PDPO) to introduce mandatory data breach notification and administrative penalties regimes, in response to a rise in data breach incidents and repeated calls by members of the public in the city.
The Hong Kong Monetary Authority (HKMA) has meanwhile prioritised technology risk management, taking into consideration rapid adoption of technologies by FIs and the potential for operational, systemic and reputational risks to arise. The regulator has repeatedly reminded FIs to put in place governance systems and controls to identify and mitigate internal, external and third-party risks.
Underpinning this supervisory approach is an effort to clarify regulatory requirements through the issuance of thematic guidelines which supplement existing risk manuals. In light of these ever-evolving regulations, having comprehensive governance systems in place is essential for FIs and tech companies to reduce their compliance burden and refocus their efforts on business priorities.
HKMA’s and PCPD’s technology risk and data management rules
The HKMA has made clear its emphasis on technology risk management in its updated Supervisory Policy Manual OR-1 – Operational Risk Management (July 2022). FIs’ reliance on complex automated technologies, development of complex products, outsourcing, and involvement in M&A and reorganisations may potentially increase operational risks. In this regard, FIs are advised to develop an effective operational risk management framework (ORMF) for identifying, assessing, monitoring and controlling/mitigating operational risks, taking into account their organisational structure, risk management culture, and range of products and services.
Beneath this all-encompassing theme of operational risk management, the HKMA has issued thematic guidelines on the management of specific technology-related risks. In the Guidance on Cloud Computing (August 2022), the HKMA advised FIs utilising cloud operations to maintain an effective governance framework, overseen by senior management, which will guide their decision-making and formulation of cloud strategies.
Comprehensive risk management procedures for cloud operations should be developed to continually identify, monitor and mitigate operational risk, cyber risk, system resilience risk and concentration risk in relation to third-party vendors. There should be effective security controls in place to safeguard FIs’ information assets and consumer data confidentiality within the cloud. FIs should also have in place arrangements which guarantee their audit rights and the HKMA’s supervisory access to information stored in the cloud.
In relation to cybersecurity fortification, the HKMA’s Guidance on anti-DDoS protection (November 2022) sets out how FIs should protect against distributed denial-of-service (DDoS) attacks. FIs are reminded to monitor the latest trends and techniques of DDoS attacks, and to maintain a robust and updated mechanism to identify, assess and mitigate vulnerabilities in their networks and systems. To avoid a single point of failure, FIs should regularly evaluate the cyber defence capabilities of key third parties such as DNS and internet service providers. They should also establish end-to-end incident response and escalation procedures, and conduct regular drills to evaluate the effectiveness of anti-DDoS protective measures.
Regtech solutions can provide FIs with automated risk management and increased operational effectiveness, yet they may also increase operational risks where governance, control or third-party monitoring is lacking. To this end, the HKMA’s Regtech Adoption Practice Guides provide implementation guidance to FIs on how they may mitigate risks in the adoption of Regtech solutions:
- FIs adopting cloud-based Regtech solutions are recommended to formulate their own entity-specific cloud strategy which aligns with their culture, business vision and capabilities to assist them in evaluating cloud solutions. A governance framework to assess cloud-based solutions against internationally recognised standards in relation to cloud security and reliability should be maintained.
- FIs adopting AI-based Regtech solutions are advised to devise an enterprise-wide data governance framework to facilitate data management, prioritising algorithmic integrity, fairness of AI models and explainability of the algorithmic decision-making process. A risk management framework covering risks across the AI solution development lifecycle, such as system failure, ethical concerns and cybersecurity, should be deployed.
- FIs adopting cyber risk management Regtech solutions should formulate a cross-practice functional implementation team to identify appropriate cyber risk management Regtech solutions. Where Regtech solutions may collect or process personal information, an internal review of privacy processes and a privacy impact assessment should be conducted. FIs should also conduct comprehensive due diligence on third-party vendors to assess their technical and cyber capabilities.
Deploying these technologies inevitably involves the use of data solutions to optimise internal processes, generate insights and improve customer experiences. In Hong Kong, the PCPD is the key regulator enforcing against data-privacy related infractions. Where technology deployment involves processing of individuals’ personal data, businesses will have to comply with the Data Protection Principles under the PDPO when collecting, storing, using and handling personal data and when managing cross-border data transfers, while also considering data sovereignty and national security rules across jurisdictions.
Within the matrix of data privacy regulation in Hong Kong, there appears to be a greater emphasis by the PCPD on data security, as indicated by talks of potential reform of the PDPO to introduce a mandatory data breach notification regime. In August 2022, the PCPD published the Guidance Note on Data Security Measures for Information and Communications Technology, recommending data security measures for data users to adopt, including establishing data governance and data security policies and procedures, conducting risk assessments on data security for new systems and applications, adopting adequate security measures, and devising a system for data breach handling and reporting. Should there be PDPO reforms to introduce a mandatory data breach notification regime this year, we expect that this will place a renewed focus on data security.
Whilst the PCPD is the key data regulator, the HKMA has, from time to time, issued reminders to FIs to safeguard customer data, with a similar focus on data security. In 2008 and 2014, the HKMA issued circulars to remind FIs to put into place adequate security controls and procedures to protect customer data. A circular issued by the HKMA in April 2022 further reminded FIs to establish an effective data governance and risk management framework to safeguard customer data and adopt a comprehensive customer data inventory to detect and manage the risks of loss or leakage of customer data.
In approaching AI regulation, the PDPO does not directly impose AI-specific requirements as in the General Data Protection Regulation (GDPR), such as transparency and the right for individuals to object to impactful decisions based solely on automated decision-making. However, it does encourage businesses to consider high-level principles in the adoption of AI, taking a similar approach to the HKMA.
In the Guidance on Ethical Development and Use of AI (August 2021), the PCPD encourages businesses to embrace fundamental data stewardship values when developing and using AI, ensuring that AI systems incorporate the values of being respectful, beneficial and fair to stakeholders. Further, businesses should ensure transparency, fairness and explainability in AI systems, and have in place an effective data governance system to ensure compliant use of personal data in AI deployment.
Risk management and governance frameworks to streamline compliance efforts
In light of the continued regulatory focus on technology and data risk management, businesses are advised to review their technology operations and data processes, and update/maintain their risk management strategy, processes and controls for identifying and mitigating internal, external and third-party risks.
To stay ahead of these ever-evolving guidelines, businesses should keep abreast of the latest trends to anticipate regulatory requirements and allocate resources and manpower accordingly. In order to streamline compliance efforts, businesses are advised to review and/or maintain a comprehensive governance framework and strategy to effectively identify and remedy existing gaps and seamlessly incorporate new requirements.
By Albert Yuen, Counsel & Head of Technology, Media & Telecoms at Linklaters in Hong Kong; and Jasmine Yung, Associate at Linklaters.