Earlier this year, hackers seized personal information including social security numbers, emails and phone numbers for 143 million Americans and another 400,000 people in the UK from Equifax, a credit-scoring agency, erasing billions of dollars from its market value and sparking a slew of senior management departures and a federal investigation.
For investors, the incident was a stark reminder of how a cyberattack can hit your bottom line – even if you are not directly on the receiving end. Recent cases in Asia, too, have underlined the very real danger from hackers, especially for financial institutions.
Lessons from the Equifax hack were put under the spotlight in Hong Kong yesterday at FinanceAsia's 6th Compliance Summit. The audience of more than 250 industry insiders heard that the complexity of cyberattacks from anonymous hackers and the reputational dangers have prompted asset managers and banks to increasingly turn for advice to cybersecurity professionals.
“For the finance industry in Asia, the Equifax hack has alerted us on setting pre-emptive steps to prevent a huge leak of personal data and fraudulent activities such as getting phishing emails or an email carrying malware,” Gabriel Chan, head of information security for Greater China at ABN Amro Bank, told the summit at the Ritz-Carlton Hotel.
A closer examination of major breaches demonstrates a common theme: hackers can easily crack the passwords of individuals and even financial institutions. In October, a hacking group linked to North Korea managed to pinch $60 million from the Far Eastern International Bank in Taiwan by infiltrating its computers, the latest case in which a bank's connection to the global payment platform Swift was used to steal money from a financial institution.
Far Eastern Bank said most of the stolen money was recovered, but the Bangladeshi central bank was less fortunate in 2016, with hackers drawing about $81 million to a bank in the Philippines.
“Passwords need to be replaced,” said Micky Lo, chief technology risk officer for Asia Pacific at the Bank of New York Mellon. “Financial institutions should adopt multi-factor authentication for both internal use and external internet-based applications because this is the single most important thing you can do at this stage.”
Multi-factor authentication, in which a user of a system must provide both a password and another form of security such as a fingerprint or a code sent to their email address, has become a popular and useful way to deter spam and hacking activities for technology companies. Apple, for example, built a new feature into its latest iPhone X, which the US tech firm says is more secure with a facial recognition sensor.
Speaking in the same panel, David Nagrosst, a Singapore-based cybersecurity expert, joked: “Hopefully your face can’t be hijacked any time soon.”
He made the point that one way investors and corporates could make themselves less inviting to hackers was to stay ahead of their peers.
“If you are running away from a bear, you don’t have to be the strongest but you have to run a bit faster than the people behind you,” Nagrosst said.
Over 1 billion records of personal information were stolen or leaked through data breaches of major organisations between 2004 and 2013, mostly through relatively unsophisticated techniques such as phishing or email malware.
A guessing game over China's new cyber-security law
Another concern for investors is the impact of China's new cybersecurity law, which raises a host of questions about how businesses store data acquired in China.
The law took effect in late May, yet experts are still debating what the regulations really mean and how foreigners should interpret them. Failure to comply with the new regulation could incur a fine of Rmb 1 million ($150,000) and potential criminal charges.
Under the new law, foreign companies must store data on China on the mainland. For example, a US bank that used to hold the personal information of Chinese clients at its headquarters may question whether it has to switch to holding such information in China. Another worry is that companies now have to submit a review to the regulator before transferring a large amount of data overseas, raising concerns about potential leaks to their local rivals.
“It is a super hot topic and it is still vague,” said Lo. “In terms of clarity, we are still looking for guidelines from the People’s Bank of China.”
Some foreign companies choose to store their data in Hong Kong, given the geographical proximity to China and sound legal framework. They also want to avoid the regulatory grey area of Chinese law and question whether the Chinese central bank is the best watchdog for cyber-security issues.
“For some of my US clients, they operate their data operations in Hong Kong because they are more comfortable with the protection of intellectual property,” Nagrosst said. “They are very concerned about the intellectual property rights.”