Cybersecurity is increasingly an issue that affects us all, but unfortunately, public understanding of the topic remains weak. Last year saw records broken for the number of cyberattacks on governments, companies and individuals, and the trend will continue in 2021 and into the future. Many of these attacks resulted in sensitive data being stolen and company networks and operations being compromised, leading to breaches of privacy, financial loss and, ultimately, reputational damage.
Against this backdrop, the Macau Cybersecurity Law (MCSL) came into force in December 2019. The main purpose of the Cybersecurity Law was to protect the networks, systems and data of companies in Macao that operate critical infrastructure or, put more simply, that are necessary for the normal operation of society. A cyberattack on any of these companies could seriously endanger social welfare, public safety or public order. This includes banks and other financial services, public transport, telecommunication networks, utilities and hospitals. Casinos and resorts are also deemed critical infrastructure, given their economic contribution to society in Macao.
What does Macao’s cybersecurity law require companies to do?
The provisions of the MCSL require operators to establish and maintain internal cybersecurity management functions that facilitate cybersecurity protection and reporting measures. A key responsible person, together with a substitute, must be appointed within the company to be responsible for cybersecurity; both must possess the appropriate professional qualifications and experience and should have habitual residence in Macao. These individuals will be responsible for interacting with the public institutions in charge of enforcing the legislation, which are headed by the Commission for Cybersecurity (CPC).
Under the MCSL, companies are expected to implement a cybersecurity management system with the relevant operating procedures to handle cybersecurity incident monitoring and response. Any cybersecurity incident that occurs within the company must be reported to the Cybersecurity Incidents Alert and Response Center (CARIC). There is also an obligation for public critical infrastructure operators to monitor their third-party cybersecurity service providers and vendors and to ensure that their performance is in accordance with their service contracts.
Some aspects of the MCSL rely on a company’s own self-assessment and reporting, while others involve inspections by CARIC and other regulatory and supervisory entities. Companies that fail to comply with the requirements of the MCSL will be subject to financial and other penalties.
How does the cybersecurity law affect local businesses?
The MCSL has significant implications for companies.
It is important for management to start with a risk assessment to determine what the law means for their company and which areas of its operations, internal functions, risk management and technology systems will need to be modified or supplemented. Engaging an appropriately qualified third-party organisation to undertake the risk assessment can be an effective way to address internal biases and blind spots, as well as to navigate the political obstacles often found in large organisations.
An effective cybersecurity posture means ensuring there is awareness and clarity throughout your company. That needs to start with top-level management and be cascaded down through the ranks so that every employee is aware of internal policies and procedures, and of their own obligations to respond appropriately to cyber incidents.
Casino Integrated Resorts present particular challenges when it comes to cybersecurity. This is because IT and engineering systems are typically spread out over a large area, both within and between properties. In addition, many different vendors are often contracted to deliver services, including via remote access (more so now due to Covid-19 travel restrictions). Cybersecurity monitoring is therefore essential to give the operator visibility of its technical assets and of who has access to them, while an alerting system should warn the operator of any anomalies or threats detected. While cybersecurity for IT systems is fairly mature, engineering and industrial control systems need particular focus, as they are inherently less secure.
The Macau Cybersecurity Law is an important development for safeguarding Macao’s critical infrastructure and an excellent catalyst for raising awareness of the importance of cybersecurity.
In addition to the law, companies should be aware of international standards such as ISO/IEC 27001 (for information security) and IEC 62443 (for industrial security) and continue to bolster their cybersecurity framework with relevant best practices.
What we often get wrong about cybersecurity
Cybersecurity is often regarded as a technology problem when it is really about people. There is a strong need for leadership, communication and access to relevant training. It is also important to understand the motivations that external actors may have for trying to compromise your business operations, and to have the appropriate defences in place to mitigate those threats.
Threats can come from within as well. For example, a disgruntled staff member can wilfully cause damage internally to systems if the appropriate controls and policies are not in place.
Not all cyber damage is intentional, however. Employees undertaking critical tasks without the appropriate skills, training, experience and supervision may inadvertently compromise internal systems, leading to business disruption. Similarly, companies with a heavy dependence on third-party service providers need to have controls in place to monitor those providers’ remote access to their systems and the activities they undertake.
Adoption of the Macau Cybersecurity Law is fundamental to the city’s ambitions to develop into a “smart city”, which will encompass cloud computing, smart transportation networks, smart tourism and smart healthcare. As systems and infrastructure become increasingly interconnected, cybersecurity demands will grow as well. Irrespective of the measures mandated by the Macau Cybersecurity Law, the onus will be on the operators of critical infrastructure to ensure that cybersecurity is taken seriously, that it is championed within the company, and that it is budgeted for accordingly.
Stephen Berry is the Chief Executive Officer of DDE Technology, a cybersecurity services and advisory company that works with companies in Macao and around the world to protect their critical infrastructure and operations.