Financial Sector Cybersecurity Requirements in the Asia-Pacific Region
April 30, 2019
As the threat of cyberattacks has risen in recent years, financial institutions (FIs) and regulators have taken a range of steps to strengthen the security and resilience of the financial system to cyber threats. In the Asia-Pacific region (APAC), regulators have introduced a raft of new regulations and controls to bolster the resilience of FIs in their jurisdictions. While greater attention to—and engagement on—these issues is important, the development of new regulatory regimes across APAC has created challenges for multinational FIs and regulators, and could hinder the growth of the financial services and fintech industries within the region.
We reviewed the cybersecurity requirements impacting the financial industry in five key jurisdictions, including the largest regional financial centers and consumer markets in APAC: Singapore, Hong Kong, Japan, China, and India. Through a combination of open-source research and on-the-ground interviews—with regulators; local, regional, and global FIs; policymakers; technology experts; and academics—we sought to understand the range of requirements and approaches from different regulators across the APAC region, and the ways in which they impact cyber risks to the regional financial system.
Harmonizing regulators’ approaches to cybersecurity regulation in the region could help reduce systemic risks, improve regulatory efficiency, and make it easier for FIs across APAC to grow. This will not be easy and will require sustained engagement on multiple levels. Cyber threats are a transnational issue and require a transnational response, particularly in highly integrated regions like APAC. Strengthening the security and resilience of financial networks across the region requires looking at FIs from an enterprise perspective and understanding the cyber risks they face as defenders see them, not through the narrow lens of national borders. This calls for principles-based approaches that accommodate the wide range of business models and capacities of FIs and regulators across the region, and for consolidated auditing, examination, and testing procedures so that regulators have an accurate picture of the risks and controls at the institutions under their care. Ultimately, regulators’ goal must be to ensure that FIs focus on strong security and resilience rather than on redundant compliance.
This report is made possible by the generous support of Standard Chartered and by general support to the CSIS Technology Policy Program.