Cyber risk management – the HKMA’s Regtech Adoption Practice Guide

Leveraging Regtech Solutions for Cyber Risk Management

The Guide identifies some of the key cyber risk challenges that AIs face, including difficulties in keeping up with the rapidly-changing nature of cyber risk, increased usage of and reliance on third-party services, and the lack of awareness of cyber risks, both amongst personnel and the general public.

The Guide highlights some of the benefits of adopting cyber risk management Regtech solutions in the face of these challenges. By following the Guide’s recommendations, AIs should be in a better position to protect their operations by identifying cyberattack attempts at an early stage, developing vulnerability management solutions, and responding swiftly to cyber incidents.

In particular, AIs are advised to have in place a holistic cybersecurity programme and roadmap in light of the various Regtech solutions to support the planning and adoption of security solutions. Some of the practical considerations for AIs to bear in mind when preparing this roadmap include conducting a cost-and-benefit analysis, assessing the compatibility of Regtech solutions with the AI's existing security solutions, and developing training programmes for relevant personnel, as well as processes to facilitate and review the Regtech solutions on an ongoing basis. 

Implementation Guidance

The Guide includes the HKMA’s guidance on a number of specific considerations for AIs, including:

• Formulating a cross-functional implementation team by engaging individuals from different competencies to ensure adequate representation from all relevant stakeholders.
• Conducting business case analysis by evaluating the different solutions available.
• Conducting evaluation of prospective vendors before committing to a particular Regtech solution.
• Carrying out a proof of concept test to ensure the effectiveness of a Regtech solution and that it is conducive to the AI's business objectives.
• Other ongoing measures to facilitate the implementation of Regtech solutions; security operation processes should be updated on an ongoing basis.

Regtech Use Cases

The HKMA presents two use cases showing successful cyber risk management implementation in the Guide, which describe in detail the stages of implementation involved and the key lessons learned.

The Guide sets out the cyber risk management approach adopted by the AI in the use cases and outlines some of the key takeaways and methodologies. These include conducting on-going testing, configuring the Regtech solution, conducting proof of concept, defining use cases and end-goals, defining roles and responsibilities of team members, integrating the solution with existing functions, and upgrading to new capabilities.

Take-Aways for Legal and Compliance Teams and Next Steps

Regtech promises effective and efficient compliance solutions for AIs facing increasingly challenging compliance requirements.The Guide highlights how important Regtech can be in areas of critical operational risk, such as cyber security.

However, it is important to understand that Regtech solutions raise important legal and compliance issues, such as:

• Regtech solutions need to be assessed against the applicable regulatory requirements, taking into account applicable HKMA regulations, data protection laws, and other relevant considerations.
• In the context of cyber security incident response, Regtech solutions also need to be integrated with response plans and operating procedures.
• Agreements with Regtech vendors need to be carefully drafted and negotiated to reflect commercial considerations, AI risk management policies, and compliance with technology risk management and outsourcing requirements, where applicable.

Please see here for the link to the Regtech Adoption Practice Guide: Fifth Issue of Regtech Adoption Practice Guide Cyber Risk Management (hkma.gov.hk)