A Hong Kong research body backed by the government is about to put its cyber-security efforts with banks into higher gear once it receives what it hopes will be a positive audit of its capabilities.
ASTRI, the Hong Kong Applied Sciences and Technology Research Institute, is due to pass an audit conducted dually by two independent consultants, says Ieong Meikei, chief technology officer.
Assuming the institute receives this validation, which is due this month, it will accelerate its work with the Hong Kong Monetary Authority and leading commercial banks in the territory. ASTRI is part of an ecosystem designed to promote innovation, including the Hong Kong Science and Technology Parks Corporation and Cyberport.
DigFin understands one of the consultants conducting the audit is EY, and the other is a smaller, non-Big Four accountancy.
Defending the castle
Cyber-security is one of ASTRI’s core areas of focus. On the third floor of its office in the New Territories is its Cyber Range, where its people, including ethical hackers, trawl the dark web for threats against financial institutions or the government.
The Hong Kong Monetary Authority also has an innovation lab on the same floor, and the HKMA and ASTRI collaborate on building cyber defenses, and coordinate to improve training and collaboration with banks.
Ieong says ASTRI is still working on an assessment of Hong Kong’s cyber defenses. Although he declined to be drawn into detail, he says that although the level of sophistication is high – as befits one of the world’s leading financial centers – there is a lack of breadth. In other words, not enough people are trained in the arts of cyber defense.
“We realize there is a gap. We need to build our local expertise,” Ieong told DigFin.
From PoC to deployment
Although ASTRI has been working with the HKMA as well as the Hong Kong Association of Banks on cyber-security, these have been more proof-of-concept projects than full-throttled implementations. ASTRI has been cautious about ensuring whatever solutions it brings to banks, that they are solid.
Hence the twin audits.
“These projects will affect our partners,” Ieong said. “They need to be done right, with independent audits and feedback, before we can deploy financial solutions.”
Now that such validation is nearly in hand, though, ASTRI is preparing to turn its research into actual tools to defend Hong Kong from cyber threats, such as hacking into accounts or hijacking digital identities.
And as more human activity goes online, to smartphones, or via the Internet of Things, financial systems become more vulnerable to attacks.
Counting the costs
According to a report issued by the Financial Services Development Council on Hong Kong fintech issued in May 2017, worldwide cyber-security spending topped $75 billion in 2015, and is expected to exceed $150 billion by 2020; meanwhile, the cost of cyber-security breaches is on track to hit $2.1 trillion by 2019.
Hong Kong has not been immune to these risks: in April 2017, the South China Morning Post reported that hackers had stolen HK$110 million ($14.1 million) from local securities brokers over a period of 18 months.
ASTRI’s various units help share information on hacks among banks, technology vendors, and government bodies, as well as with counterparts in mainland China. They provide alerts, help develop protective software (including screens powered by artificial intelligence), and support training and education, in order to raise domestic capabilities.
As a research institute, ASTRI is also looking at future risks, notably how to defend blockchain against hacks by quantum computers. (Blockchain and A.I. are also prominent research topics, in addition to cyber-security; Ieong and ASTRI will be announcing new blockchain initiatives at the upcoming Hong Kong Fintech Week.)
Next on ASTRI’s to-do list, is to extend what it has learned in banking to the insurance industry. It is just beginning to share results in cyber-security and other areas, such as KYC, to the Hong Kong Insurance Authority and the local Federation of Insurers. The insurance industry is looking for technology to help combat fraud as well as hacks.
Ieong says ASTRI can only play such a role once it has proven itself. “We don’t run too fast,” he said. “First we have to do a good job for the banks. Then we can deploy our research elsewhere.”
