
Cybersecurity Reporting Obligations in Hong Kong
=====================================================

Introduction
------------
This guide provides an overview of the cybersecurity reporting obligations for licensed corporations (LCs) and automated trading systems (AIs) operating in Hong Kong. It highlights key points, industry-specific guidance, and international considerations.

Reporting Obligations
---------------------
Mandatory Reporting to Regulators

  • The Securities and Futures Commission (SFC) requires SFC-licensed entities to report material cybersecurity incidents to the regulator.
  • The Hong Kong Monetary Authority (HKMA) mandates AIs offering internet trading services to refer to the SFC’s Internet Trading Guidelines for reporting requirements.

No Mandatory Obligation under PDPO

  • There is no mandatory obligation under the Personal Data (Privacy) Ordinance (PDPO) to report a data breach to the Privacy Commissioner for Personal Data (PCPD) or to data subjects.

Industry-Specific Guidance
--------------------------
  • The PCPD has issued guidance notes on proper handling of customers’ personal data for the banking industry and tips for using fintech, which include recommended good practices for FinTech providers/operators.
  • The HKMA’s guidance goes further than both the PCPD and SFC in mandating cyber incident reports to regulators and affected data subjects.

Key Takeaways
-------------
Time-Sensitive Response

  • Time is of the essence when handling and responding to cybersecurity incidents. A prompt response limits the impact of an incident and keeps it from becoming worse than necessary.
  • Financial services companies should implement a comprehensive cyber-risk prevention and control system to ensure effective immediate handling of such incidents.

Determining Notifiable Incidents

  • LCs and AIs should consider the potential impact on the company and its reputation, the seriousness of the incident, and the extent of impact to customers when determining whether an incident is notifiable.

International Considerations
----------------------------
Evolving Regulations in Asia

  • Data privacy and cybersecurity laws and regulations across Asia are evolving, and companies may be subject to reporting obligations in more than one jurisdiction.
  • LCs and AIs operating across Asia should consider the legal and regulatory reporting obligations in all relevant jurisdictions.