Cyber security starts with plugging park loopholes

In the age of all things online, the significance of data security cannot be emphasized enough. While cybersecurity assaults are often seen as major threats to business, it is crucial to recognize that the physical security of data centers, where corporations store their valuable data, is equally pivotal.

According to IBM’s Cost of a Data Breach Report 2023, an estimated 8 percent of all data breaches occur through physical security compromises, surpassing the percentages of data breaches caused by malicious insiders or accidental data loss.

Each breach costs an average of US$4.1 million (HK$31.98 million). This highlights the need to protect not only the virtual realm but also the physical infrastructure housing critical data.

It is disturbing to hear that certain financial institutions, including major global investment banks, store their highly confidential data in rented spaces within data centers, such as those located in the Tseung Kwan O Innopark operated by the Hong Kong Science & Technology Parks Corp.

Court case revelations exposed lease agreements between the data center operators and their landlord, HKSTPC, which grant them exclusive possession of the premises and full control over access rights.

In other words, the financial institutions, as clients of those data center operators, do not have full primary control over access to their data.

Owing to these lease deals, data center operators in Innopark, such as Global Switch, include clauses in the agreements with their clients that grant the operators the right, at all reasonable times and on reasonable notice, to enter the rented space to inspect the condition of the premises and remove any employees and subcontractors of the clients for security reasons. There is no right for the clients to refuse entry.

Yet the Hong Kong Monetary Authority, through its supervisory policy manual, requires critical information processing facilities of financial institutions in Hong Kong be housed in secure areas such as data centers and network equipment rooms with appropriate security barriers and entry controls.

Access to these areas should be restricted to authorized personnel only. In controlling access by third-party personnel (eg, service providers) to secure areas, proper approval of access should be required and their activities should be closely monitored.

Obviously, the lease conditions imposed by HKSTPC on Global Switch and other data center operators in Innopark mean it is impossible for financial institutions’ clients to follow the HKMA’s policy guideline.

Other operators, including NTT and HKCOLO, have hosted financial service institutions such as top global investment banks, international insurance companies and wealth management companies.

These institutions naturally handle vast amounts of data, including the confidential information of numerous high net-worth customers in Hong Kong and the region.

In today’s digital era, businesses and individuals rely heavily on the confidentiality and integrity of financial information.

Unauthorized access, fraud, and identity theft can have severe consequences, including financial losses, reputational damage, and legal repercussions.

As Hong Kong strives to maintain its status as a global financial hub, the need for better safeguards, compliance and enforcement in Hong Kong’s financial data security landscape is of utmost importance.

Recent incidents, such as the exposure of the personal data of users of the online marketplace Carousell and ransomware attacks on Cyberport and the Consumer Council, are stark reminders of the city’s data security vulnerabilities.

Hong Kong cannot afford financial data breaches of any kind.

In its role as the banking regulator, the HKMA bears the responsibility of investigating whether financial institutions comply with proper data security practices by ensuring their data are free of any security risk.

Dr Vera Yuen Wing Han is an economics lecturer at the University of Hong Kong