Financial services institutions require an urgent shift in mindset over Asia’s vastly underestimated cyber security problem to view it less as an IT issue than a risk issue, a forum was warned.

Ben Wootliff, Hong Kong managing director at Control Risks Group Holdings, noted security breaches involving financial institutions were happening every day in Asia, but said the fact it was not being reported indicated people were not facing up to it.

“I can get you Hong Kong data of credit cards and put it on your desk. The breach is happening now; people are just ignoring it,” he said at last week’s event hosted by the Asia Securities Industry and Financial Markets Association (Asifma).

He observed that while security breaches were reported frequently in the US, just two high-profile cases had come to light in Asia this year.

The first occurred in July when the Mandarin Oriental suffered a breach exposing guests’ credit card data, while just two weeks ago electronics manufacturer Vtech’s system was hacked, compromising clients’ personal information, including children.

The forum heard financial institutions were the second most frequently targeted, after the Pentagon.

But Angelina Kwan, head of regulatory compliance at the Hong Kong Exchanges & Clearing Limited (HKEx), admitted that while regulators recognised cyber security as a major issue, they were several steps behind attackers. “We are not cutting edge, but there is a conscious effort to catch up,” she told the forum.

Wootliff said his impression from discussions with regulators on cyber security was that they were way behind. “I am not sure to what extent they really understand the threat landscape,” he stated.

The forum heard regulators were generally too top-line in providing guidance to institutions on appropriate measures to counter cyber security. 

“There is a grey line,” Wootliff said. “You get too prescriptive and you get the lawyers in. But there has to be appropriate measures [in place]. Leaving the assessment of threat to the organisation does not work.”

Todd Stewart, executive director for cyber security at EY, agreed that regulators needed to provide more granularity in their guidelines on countering threats to cyber security.

“We are seeing a lot of interpretation by organisations putting in very broad manual processes to meet this control,” he commented. “Getting people to understand what these threats are and the common methods of attack used and giving guidelines on how to react are important,” Stewart said.

Wootliff identified serious problems in how organisations choose to manage cyber security, noting that at a recent lawyer conference 80% of attendees said their firms’ IT function was responsible for it.

“This is a massive issue. If your security people are talking about it and reporting to the chief information officer, they are not able to manage that governance issue,” he said.

“Sticking it in the IT department is a recipe for disaster. It’s not because the IT people don’t do their job properly… they don’t understand the broader issue and the greater stakes around. It’s a real challenge.”

Wootliff argued there should be a move away from a compliance-based response to this issue – companies still tend to take an audit and box-ticking approach to it – to a threat-based one.

EY’s Stewart agreed it was imperative to get a board’s buy-in to support a cyber security programme and see it pushed through an entire organisation.

“Security is a cultural rather than a technological solution,” he said. “It has to be right throughout the organisation.”

But he noted the biggest threat to an organisation tended to be from internal sources, often caused by the unintentional disclosure of important information.