Learn more about our comprehensive legal services.
Advising our clients on different opportunities and challenges of the industry.
News & Insights
Authored by: Simon Deane and Kelly Poon
In response to the growing incidence and sophistication of distributed denial-of-service (“DDoS”) attacks, the HKMA issued a circular on 25 November 2022 to provide AIs with additional guidance (the “Guidance”) on this specific area of cyber security. With reference to the findings of a round of thematic reviews completed recently by the HKMA to assess the effectiveness of the anti-DDoS protective measures maintained by AIs, the Guidance is grouped under four key principles:
(i) Undertaking regular risk assessment and vulnerability management – AIs should monitor the latest trends, tactics and techniques of DDoS attacks. They should have in place a robust mechanism regularly to identify, assess and mitigate vulnerabilities in their networks and systems which may be susceptible to new forms of DDoS attacks, and critically assess whether their anti-DDoS defence mechanisms remain adequate.
(ii) Designing the architecture of anti-DDoS controls properly – AIs should properly configure and regularly review the architecture of their anti-DDoS controls to provide comprehensive protection against DDoS attacks. The protective measures should cover both customer-facing channels and key components that support an institution’s operations.
(iii) Maintaining effective governance over service providers and putting in place robust contingency arrangements – AIs should identify key third parties which are critical to the availability of their internet-facing services and are potential targets of DDoS attacks (e.g. DNS and internet service providers). AIs should maintain an effective mechanism regularly to evaluate the key third parties’ cyber defence capability and develop appropriate contingency arrangements to deal with potential disruptions.
(iv) Establishing proper incident response procedures and conducting regular rehearsal exercises – AIs should establish end-to-end incident response and escalation procedures, covering, among others, actions required of anti-DDoS service providers (e.g. timely identification of DDoS attempts, adjustment in relevant thresholds and rules for responding to DDoS attacks).
To access a full copy of the circular, please see here.
Subscribe to Publications
Sign up for our regular updates covering the latest legal developments, regulations and case law.
For media enquiries please contact us at firstname.lastname@example.org.
Tel: +852 2825 9211