News & Insights

Guidance on Anti-DDoS Protection

View PDF

Authored by: Simon Deane and Kelly Poon

In response to the growing incidence and sophistication of distributed denial-of-service (“DDoS”) attacks, the HKMA issued a circular on 25 November 2022 to provide AIs with additional guidance (the “Guidance”) on this specific area of cyber security. With reference to the findings of a round of thematic reviews completed recently by the HKMA to assess the effectiveness of the anti-DDoS protective measures maintained by AIs, the Guidance is grouped under four key principles:

(i) Undertaking regular risk assessment and vulnerability management – AIs should monitor the latest trends, tactics and techniques of DDoS attacks. They should have in place a robust mechanism regularly to identify, assess and mitigate vulnerabilities in their networks and systems which may be susceptible to new forms of DDoS attacks, and critically assess whether their anti-DDoS defence mechanisms remain adequate.

(ii) Designing the architecture of anti-DDoS controls properly – AIs should properly configure and regularly review the architecture of their anti-DDoS controls to provide comprehensive protection against DDoS attacks. The protective measures should cover both customer-facing channels and key components that support an institution’s operations.

(iii) Maintaining effective governance over service providers and putting in place robust contingency arrangements – AIs should identify key third parties which are critical to the availability of their internet-facing services and are potential targets of DDoS attacks (e.g. DNS and internet service providers). AIs should maintain an effective mechanism regularly to evaluate the key third parties’ cyber defence capability and develop appropriate contingency arrangements to deal with potential disruptions.

(iv) Establishing proper incident response procedures and conducting regular rehearsal exercises – AIs should establish end-to-end incident response and escalation procedures, covering, among others, actions required of anti-DDoS service providers (e.g. timely identification of DDoS attempts, adjustment in relevant thresholds and rules for responding to DDoS attacks).

To access a full copy of the circular, please see here.

Key Contacts

Simon Deane

Consultant | Banking and Finance

Email or call +852 2825 9209

Related Services and Sectors:

Banking and Finance

Portfolio Builder

Select the legal services that you would like to download or add to the portfolio

Download    Add to portfolio   
Title Type CV Email

Remove All


Click here to share this shortlist.
(It will expire after 30 days.)