Technology issues featured prominently in this year’s ACRU. CGj outlines the main message of the forum in relation to the management of artificial intelligence (AI) tools, data security and paperless communications.

Highlights

  • the ability of generative AI to create highly convincing fakes has sobering implications in terms of the threats this technology poses to market stability
  • data users need to establish clear internal policies and procedures on data governance and data security, including appointing a suitable individual in a leadership role to have specific responsibility for data security
  • a listed company may rely on implied consent for disseminating corporate communications electronically, provided that this is permissible under its articles of association and the relevant laws of the jurisdiction where the company is incorporated

As organisations increasingly integrate emerging technologies into their operations, the need for effective internal controls relating to the attendant risks and for revised governance frameworks better adapted to the digital era has become increasingly evident. This second part of our ACRU review summarises the key takeaways of the forum relating to technology governance.

Managing AI tools in financial markets

Henry Tsang, Director, Intermediaries Supervision, Intermediaries Division, Securities and Futures Commission (SFC), focused his ACRU presentation on the risks associated with using generative AI (Gen AI) tools, especially those affecting financial market stability, market integrity and investor protection.

He attributed the meteoric rise of ChatGPT, the most well-known Gen AI chatbot, to its ability to respond to natural language prompts so users don’t need to be programming experts to use it. Nevertheless, Mr Tsang suggested that financial regulators and the industry alike should scrutinise how the emerging technology actually works to improve their understanding and management of the risks involved in order to harness its opportunities.

Hallucination risk

As Gen AI is trained to guess the next word in a sequence based on probabilities, Mr Tsang emphasised that it can make things up that often seem plausible – giving rise to the hallucination risk. He cited the case of a lawyer in the US who used ChatGPT to help him write a federal court filing. In the filing, ChatGPT cited at least six cases that do not exist, but insisted they were real when the lawyer asked further.

Bias and intellectual property risks

Both traditional and Gen AI models are trained on vast amounts of data, some of which may have been used without the relevant copyright owners’ consent. This exposes developers and users of the AI models to lawsuits on copyright infringement.

Equally well documented is the tendency for AI models, both traditional and generative, to replicate the biases found in their training data. Mr Tsang cited the case of Amazon’s recruitment AI application that learned to favour male over female job applicants because it was fed the CVs of mostly male employees.

Misinformation risk

Another well-known risk associated with Gen AI is its ability to generate highly convincing fakes. An example of this was when an AI-generated image of a fire at the Pentagon in May 2023 went viral on social media. The picture, along with the caption stating that there had been an explosion near the Pentagon, caused sharp falls in global equity and bond markets. This highlights the disturbing potential of this technology for market manipulation and damage to market stability.

Concentration risks

Equally concerning from a market stability perspective are the risks emanating from the ownership concentration of the AI sector. A very small number of service providers currently supply the necessary technology and infrastructure to develop and run AI models. This has given rise to misgivings about the operational resilience of the financial firms using this technology – how would they be able to maintain critical operations and client services if their service provider fails?

Moreover, this concentration also results in a ‘herding’ risk, which is likely to exacerbate shocks and amplify market volatility in times of market stress. If financial market participants are all using the same AI models supplied by the same providers, the risk is then that all these AI models would behave in the same way and this herding behaviour could undermine financial stability.

Cybersecurity risks

Cybersecurity risks are a top concern for organisations across all sectors of the economy and society, but those associated with using Gen AI technology are still relatively underappreciated. Mr Tsang walked the ACRU audience through the many ways that cybercriminals have sought to exploit AI models and their underlying data. These range from hackers stealing the confidential information used to train the AI, through to tricking AI models into producing the answers an attacker wants via adversarial attacks, data poisoning or prompt injection attacks.

How is the market adapting?

To conclude, Mr Tsang examined how SFC-regulated firms are adapting to the above risks. Methods include:

  • having a human in the loop to review the AI outputs for factual accuracy
  • warning users that answers created by AI may not be accurate, and
  • using Retrieval Augmented Generation – a technique for enhancing the accuracy and reliability of Gen AI responses by providing a ground truth from which to retrieve accurate and up-to-date information.
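As an added illustration of the last two methods (it is not code from the ACRU presentation or from the SFC), the following Python shows the two halves of a retrieval augmented approach: the question is answered only from a vetted corpus retrieved at query time, and the draft answer is then checked against what was actually retrieved, so an invented reference (of the kind in the lawyer example above) or a figure that does not appear in the cited source is routed to the human in the loop rather than to a client. The corpus entries, source ids, questions and the two stand-in model functions are all constructed sample data, and the term-overlap scorer stands in for a real vector store.

```python
"""Retrieval-augmented answering with a grounding check (added illustration).

This is not code from the ACRU presentation or the SFC; it is an example of the
RAG approach described above. The question is answered only from a vetted
corpus retrieved at query time, and the draft answer is then checked against
what was retrieved, so an invented reference (like the non-existent court
cases in the lawyer example) is flagged for human review instead of going out.
The corpus, questions and model answers are constructed sample data, and the
term-overlap scorer stands in for a real vector store.
"""
from __future__ import annotations

import re
from typing import Callable

# Constructed sample corpus: source id -> vetted text (the "ground truth").
CORPUS: dict[str, str] = {
    "POL-001": "Client complaints must be acknowledged within two business days.",
    "POL-002": "Margin calls are issued when account equity falls below 30 percent.",
    "POL-003": "Staff must complete anti-money-laundering training every twelve months.",
}

_TOKEN = re.compile(r"[a-z0-9]+")
_CITATION = re.compile(r"\[([A-Z]+-\d+)\]")  # citations are written as [POL-002]


def tokens(text: str) -> set[str]:
    return set(_TOKEN.findall(text.lower()))


def retrieve(question: str, corpus: dict[str, str], k: int = 2) -> list[str]:
    """Return ids of up to k passages that share at least one term with the question."""
    q = tokens(question)
    ranked = sorted(corpus, key=lambda i: len(q & tokens(corpus[i])), reverse=True)
    return [i for i in ranked[:k] if q & tokens(corpus[i])]


def build_prompt(question: str, ids: list[str], corpus: dict[str, str]) -> str:
    """Constrain the model to the retrieved sources and require a citation per fact."""
    sources = "\n".join(f"[{i}] {corpus[i]}" for i in ids)
    return (
        "Answer using only the sources below and cite each fact as [ID]. "
        "If the sources do not contain the answer, say so.\n"
        f"Sources:\n{sources}\nQuestion: {question}\nAnswer:"
    )


def check_grounding(answer: str, retrieved: list[str], corpus: dict[str, str]) -> dict:
    """Flag citations that were not retrieved and figures absent from the cited text.

    Two hallucination patterns are caught: a source id the model made up, and a
    number the model states that does not appear in any source it cites.
    """
    cited = set(_CITATION.findall(answer))
    unsupported_ids = sorted(cited - set(retrieved))
    body = _CITATION.sub("", answer)  # drop the [ID] tags before extracting figures
    cited_text = " ".join(corpus[i] for i in cited if i in corpus)
    unsupported_numbers = sorted(
        set(re.findall(r"\d+", body)) - set(re.findall(r"\d+", cited_text))
    )
    return {
        "cited": sorted(cited),
        "unsupported_ids": unsupported_ids,
        "unsupported_numbers": unsupported_numbers,
        # Anything uncited or unsupported goes to the human in the loop.
        "needs_review": not cited or bool(unsupported_ids) or bool(unsupported_numbers),
    }


def answer_question(question: str, generate: Callable[[str], str],
                    corpus: dict[str, str] = CORPUS) -> dict:
    """Retrieve, prompt the model, and attach the grounding report to the draft."""
    ids = retrieve(question, corpus)
    draft = generate(build_prompt(question, ids, corpus))
    report = check_grounding(draft, ids, corpus)
    report.update(answer=draft, retrieved=ids)
    return report


# Constructed stand-ins for the model: one grounded, one that fabricates.
def grounded_model(prompt: str) -> str:
    return "A margin call is issued when equity falls below 30 percent [POL-002]."


def hallucinating_model(prompt: str) -> str:
    return "Margin calls are issued at 25 percent [POL-002]; see also [POL-099]."


if __name__ == "__main__":
    question = "When is a margin call issued?"
    for model in (grounded_model, hallucinating_model):
        report = answer_question(question, model)
        status = "NEEDS REVIEW" if report["needs_review"] else "OK"
        print(f"{model.__name__}: {status} {report['unsupported_ids']} {report['unsupported_numbers']}")
```

The grounding check is deliberately conservative: an answer with no citation at all is also sent for review, since an uncited statement cannot be traced back to the ground truth, which is the whole point of the technique.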

Data security

Another issue that has been high on the agenda of governance professionals over the past years is the increased vigilance needed with regards to data security. Two speakers from the Office of the Privacy Commissioner for Personal Data, Hong Kong (PCPD), updated ACRU on the latest developments relating to this theme.

Data security and managing data breaches

Brad Kwok, Chief Personal Data Officer, Compliance & Enquiries Division, PCPD, shared some relevant statistics from the PCPD on the upward trend in the number of data breach incidents reported in Hong Kong. In 2023, the PCPD received 157 data breach notifications, while the number of data breach incidents involving hacking more than doubled, showing a significant increase from 29 cases in 2022 to 64 cases last year. In light of this, Mr Kwok focused his presentation on how organisations can improve their data security measures and how they can best handle data breaches to minimise the damage caused.

Improving data security measures. Data Protection Principle 4 in Schedule 1 to the Personal Data (Privacy) Ordinance (PDPO) requires data users to take all practicable steps to protect the personal data they hold against unauthorised or accidental access, processing, erasure, loss or use. Mr Kwok stressed the need for data users to establish clear internal policies and procedures on data governance and data security. This will include appointing a suitable individual in a leadership role to have specific responsibility for data security. Moreover, data users should provide sufficient training to staff on a regular basis. Data users should also implement technical and operational security measures, as well as carry out periodic risk assessments to identify risks and draw up mitigation measures for the identified risks in a timely manner. In the event that a data user engages a data processor to process personal data, the data user should adopt contractual or other means to properly manage the data processor to ensure compliance with the data security requirements.

Devising a data breach response plan. The impacts of a data breach incident – both in terms of reputational damage and financial cost – can be devastating. Mr Kwok outlined a number of recommendations on how data users can manage a data breach to minimise the harm caused.

The key takeaway here is to devise a data breach response plan. This plan should include a set of procedures to be followed in the event of a data breach, as well as the strategy for identifying, containing, assessing and managing the impact brought about by the incident from start to finish.

Mr Kwok also addressed the essential steps involved when responding to a data breach. These steps entail the immediate gathering of all the essential information, containing the data breach and assessing the risk of harm. Once information has been gathered, organisations should consider giving data breach notifications to the affected data subjects, the PCPD and other law enforcement agencies, and should ensure that the breach is adequately documented for a post-breach review.

Cross-boundary flow of personal information within the GBA

Personal information processors and recipients who are registered (for organisations) or located (for individuals) in the Greater Bay Area (GBA) may now easily carry out cross-boundary transfers of personal information by executing agreements that adopt the Standard Contract for Cross-boundary Flow of Personal Information Within the Guangdong–Hong Kong–Macao Greater Bay Area (Mainland, Hong Kong) (GBA SC), in compliance with the requirements of the relevant laws and regulations of their respective jurisdictions, including, in particular, the Personal Information Protection Law of the PRC and the PDPO of Hong Kong. In this context, Clemence Wong, Senior Legal Counsel (Acting), PCPD, centred her ACRU presentation on the obligations and responsibilities of personal information processors and recipients under the GBA SC.

She emphasised at the outset that the PCPD recommends that data users adopt the GBA SC, which applies to cross-boundary transfers of personal information between Hong Kong and nine cities in the Chinese mainland that are within the GBA.

‘By adopting the GBA SC, enterprises and organisations can demonstrate that they have taken all reasonable precautions and have exercised due diligence to ensure that the relevant data will not be collected, held, processed or used in the Chinese mainland in any manner that, if it took place in Hong Kong, would be in contravention of the PDPO,’ she said.

Under the GBA SC, personal information processors are required, among other things, to:

  • obtain the consent of personal information subjects prior to the cross-boundary transfer of personal information, in accordance with the laws and regulations of the jurisdiction concerned
  • execute agreements that adopt the GBA SC, and
  • conduct a personal information protection impact assessment on the intended transfer within three months before the filing date.

Data users in Hong Kong who wish to rely on the GBA SC when conducting cross-boundary flows of personal data from Hong Kong to the specified Chinese mainland cities are also reminded of their existing obligations, including the six Data Protection Principles, under the PDPO.

Paperless communications

This year’s ACRU updated participants on the legislative and regulatory reforms aimed at modernising and streamlining corporate communications for both listed and non-listed companies.

The implications for listed companies

In December 2023, Hong Kong Exchanges and Clearing Limited (HKEX) revised the Listing Rules to enhance its listing regime on paperless communications. In his ACRU presentation, Patrick Yu, Senior Vice-President, Listed Issuer Regulation, Listing Division, HKEX, highlighted the three major changes under the revised rules:

  • issuers are required to send submissions to HKEX electronically only
  • the number of documents that need to be submitted to HKEX has been reduced, and
  • issuers are mandated to send corporate communications to shareholders through electronic means.

Regarding point three above, Mr Yu explained that a listed company may rely on implied consent for disseminating corporate communications electronically, provided that this is permissible under its articles of association and the relevant laws of the jurisdiction where the company is incorporated. He added that over 90% of issuers do not have articles that restrict electronic submission.

Mr Yu added that issuers can choose to fulfil the requirement for electronic dissemination either by sending the documents to shareholders individually through electronic means (for example, by email), or by making the documents available on HKEX’s and the issuer’s websites. One caveat here, however, is that actionable corporate communications (such as documents seeking shareholder instructions as to how they want to exercise their rights) must be sent to shareholders individually. These communications can be disseminated in hard copy form only if functional electronic contact details are not provided, or if the laws and regulations applicable to the listed company concerned do not allow electronic communication. An exception, as Mr Yu pointed out, is the provisional allotment letter for a rights issue. The letter, in addition to being an actionable corporate communication, is also a temporary document of title and, accordingly, must be despatched in printed form under the Listing Rules.

The wider implications for Hong Kong

The above measures are germane to listed companies, but the government is keen to promote paperless communications more widely in Hong Kong. To this end, it has proposed amendments to the Companies Ordinance to enable both listed and non-listed companies incorporated in Hong Kong to benefit from the implied consent mechanism. The government hopes to introduce a Companies Ordinance amendment bill to this effect into the Legislative Council in the second half of 2024.

Carol Hau, Solicitor (Company Law Reform), Companies Registry, updated ACRU on these proposed amendments to the Companies Ordinance. Similar to the HKEX reforms, the amendments to the Companies Ordinance would introduce an implied consent regime for listed and non-listed companies incorporated in Hong Kong for dissemination of corporate communications by means of a website, where there is a provision in their articles of association that permits dissemination of corporate communications by this means. Ms Hau explained that companies should therefore first examine their articles of association to assess whether there is such a provision.

In addition, companies would need to comply with the requirement to send a first-time notification to their shareholders in hard copy form, or electronically if the express consent of such shareholders has been obtained, to inform them of the new arrangements before the implementation. Under the implied consent regime, listed companies are not required to send a separate notification to each shareholder every time a new document is uploaded to their website. However, non-listed companies must first obtain the express consent of each shareholder before the requirement for separate notification can be obviated. Companies should also bear in mind that shareholders are entitled to request that companies provide documents or information in hard copy form under the Companies Ordinance. The implied consent regime would be additional to the existing express consent and deemed consent regimes for dissemination of corporate communications by means of a website under the Companies Ordinance.