Which Hong Kong authorities score well on cybersecurity and which don’t?

A US-based cybersecurity ratings agency has given the Hong Kong government, its Security Bureau and several departments low scores for their cyber defences, prompting local authorities to counter that the grading system used has limitations.

The risk assessment, seen by the Post, comes amid concerns over the government exempting itself from the city’s first anti-hacking legislation.

The government acknowledged the findings but mounted a robust defence, with its Digital Policy Office (DPO) saying such ratings were limited as they could not fully reflect information security measures in place and their effectiveness.

“It is worth noting that the cybersecurity rating agencies may employ their own distinct methodologies, areas of focus and rating factors, often drawing on externally visible data, which can lead to varying outcomes across different agencies,” the office said in response to queries from the Post.

“While such ratings offer useful external perspectives, they inherently have limitations, such as reliance on publicly available information, which cannot reflect the full range of information security measures in place for individual organisations and their effectiveness.”

The government is a client of leading cybersecurity ratings firm SecurityScorecard, which carried out the risk assessment, and subscribes to its service. The platform uses an A-D and F grading system on a scale of zero to 100 to rate an organisation’s cybersecurity performance.

  
