Kok Tin Gan, Partner, Cyber Security & Privacy, PwC, talks to CGj about how governance leaders can transform cybersecurity from a compliance exercise into a driver of resilience and trust.

Highlights

  • cybersecurity cases in Hong Kong reached a five-year high in 2024, driven by AI-powered attacks that targeted data systems and critical infrastructure across all sectors
  • boards must move beyond tick-box compliance, using independent red team exercises and direct reporting to strengthen oversight and achieve meaningful remediation
  • building the right board culture and expertise is critical, with diverse knowledge and transparency essential for effective, long-term cyber resilience

Hong Kong is facing an unprecedented rise in cyberthreats. According to the Hong Kong Computer Emergency Response Team Coordination Centre, the number of cybersecurity cases in Hong Kong hit a five-year high in 2024 as hackers weaponised artificial intelligence (AI) to manipulate data systems and generate malware, impacting organisations across the public, private and non-profit sectors.

The consequences are increasingly tangible, from data loss and system outages to severe reputational damage. Against this backdrop, Kok Tin Gan shared his insights on how boards can move beyond tick-box compliance to build true organisational resilience.

Cybersecurity at the governance frontier

When directors discuss risk, cyberattacks now rank alongside financial, reputational and regulatory concerns. Mr Gan has worked on over 300 global security engagements and has coauthored cybersecurity guidelines for regulators. During that time, he has observed that as more people, products and services become connected, the need to proactively address cybersecurity and privacy risks has never been more urgent.

Mr Gan is the founder of PwC’s Dark Lab, a state-of-the-art technical space in Central, Hong Kong, dedicated to simulating real-world hacking scenarios so that organisations can identify vulnerabilities and prepare for sophisticated attacks. He explains that today’s cyber landscape requires a forward-looking, hands-on approach, and that there are many ways to test an organisation’s cyber resilience. Two of the most common are penetration testing and red teaming. However, many boards still struggle to distinguish between these approaches, which play very different roles in assessing and strengthening defences.

‘Penetration testing is system-focused – it’s about testing a defined application, like an e-commerce or email platform, for vulnerabilities. Red teaming is broader and is scenario-driven. This proactive approach looks at the pathways that an attacker could exploit if they wanted to breach your organisation. The goal isn’t just to test systems, but also processes, people and response capabilities,’ Mr Gan says.

He emphasises that both approaches have profound governance implications. Penetration testing is necessary but limited, only showing how individual systems might fail. Red teaming, on the other hand, provides directors with strategic insight.

‘A red team exercise might reveal a forgotten VPN connection, or an HR platform accidentally left exposed to the internet,’ Mr Gan notes. ‘It tests whether detection and response mechanisms actually work, and whether management can react in real time. With red teaming, boards gain insight not only into technical weaknesses but also into cultural and organisational gaps.’

For governance leaders, cybersecurity should not be treated as a purely technical exercise. ‘Security findings are not negative,’ Mr Gan points out. ‘They are essential for improvement. The philosophy is simple – find and fix. The more often you repeat that cycle, the stronger your organisation becomes.’

Asking the right questions

A recurring theme in Mr Gan’s remarks is board engagement. He observes that too often, boards in Hong Kong are dominated by professionals without cyber expertise. ‘I see many boards led by accountants and lawyers – these are valuable skills, but do not provide enough diversity of knowledge. Without the right people, boards don’t know how to interpret a red teaming report or how to challenge management effectively.’

Mr Gan argues that having the right people at board level is not simply about technical know-how, but about creating a culture where cyber issues are questioned with the same rigour as financial statements. He stresses that boards should move beyond treating policies as paperwork and instead ask questions that reveal whether processes, systems and people are genuinely secure.

What questions should directors ask? Mr Gan suggests starting with: ‘When was the last time we engaged an independent red team to test our environment?’ He advises boards to expect external qualified assessors to carry out exercises without informing management in advance, with findings reported directly to the board, along with all relevant remediation roadmaps.

He also encourages directors to tailor their questions to the organisation’s activities and markets. For instance, if a company is entering a new jurisdiction, boards should ask about local data protection laws and the cyber environment. If a company is moving operations to the cloud, they should probe vendor security standards and contractual safeguards.

Key indicators to monitor include:

  • whether the scope of the assessment is impartial and comprehensive
  • how management prioritises and remediates findings within set timelines, and
  • whether systemic root causes, such as outdated patching processes or inadequate staffing, are addressed – it should not be just about the technical symptoms.


Preparing for emerging threats

Mr Gan highlights that due to the rapid advancement of technology, the threat landscape is expanding faster than most boards realise. Traditional entry points such as phishing, VPN exploitation and unpatched systems remain prevalent, but new risks are emerging.

‘Generative AI makes it easy to craft convincing phishing emails, videos or even voice messages. Attack surfaces are expanding across messaging apps, social platforms and blockchain systems. We are also seeing AI poisoning, where malicious actors manipulate training data to bias outcomes,’ Mr Gan warns.

For governance professionals, Mr Gan emphasises that cyber risks must be fully integrated into enterprise-wide risk management frameworks, not treated as a siloed IT issue. Incident response playbooks should be designed with AI-powered and cross-border attacks in mind, recognising that attribution and enforcement are often slow and complex. Boards should also require regular, independent red team exercises, ensure that findings are reported directly to the board and track management’s remediation against clear timelines.

Beyond playbooks and reports, directors should promote a culture where security findings are seen as opportunities for improvement rather than failures, insist on diverse expertise within the board and ensure that budgets are tied to addressing root causes – such as patch management, third-party oversight and staff training – rather than focusing only on technical quick fixes.

Culture, DNA and the tone at the top

Mr Gan repeatedly returns to the importance of leadership tone. ‘Everyone says the tone at the top matters, but the real question is how to achieve the right tone. That comes from board composition, diversity of knowledge and a willingness to see cyber findings not as bad news, but rather as an opportunity to strengthen resilience.’

The DNA of governance – whether an organisation values transparency, continuous improvement or technical competence – ultimately determines whether cybersecurity is treated as a strategic imperative or as a compliance tick box.

Forward-thinking companies treat red teaming as a continuous process, rather than as a one-off audit. Tech leaders like Apple have institutionalised bug bounties that reward the discovery of flaws, reinforcing a culture of openness. Closer to home, regulators such as the Hong Kong Monetary Authority and the Securities and Futures Commission are issuing frameworks that expect boards to integrate cyber risk oversight into their fiduciary responsibilities.

For smaller organisations and NGOs with limited resources, Mr Gan’s advice is pragmatic: cybersecurity expertise is scarce and costly, but resilience starts with culture. Even without a large budget, boards can embed ‘find and fix’ principles, periodically seek independent assessments and ensure cyber risks are integrated into strategic decision-making.

As digital dependency deepens, the role of boards in cybersecurity governance is no longer optional. Red teaming and penetration testing are not just technical tools, but are vital governance mechanisms that reveal blind spots, test resilience and sharpen oversight.

‘Don’t hide your bugs – find them and fix them,’ Mr Gan concludes. ‘The more you do this, the more secure your organisation becomes. That mindset is the foundation of effective cybersecurity governance.’

