ECF - Cybersecurity

The ECF-C is aimed at persons (referred as ‘Relevant Practitioners’) engaged by AIs undertaking cybersecurity roles. Under the ECF-C, a ‘Relevant Practitioner’ is defined as:

“a new entrant or an existing practitioner engaged by an authorised institution to perform in roles ensuring operational cyber resilience”.

The following categories of staff are excluded from the definition of ‘Relevant Practitioners’:

(a) Those who are not required to perform the three key roles specified under the ECF-C (i.e. IT Security Operations and Delivery, IT Risk Management and Control, and IT Audit); and

(b) Those who performing key roles solely in the information technology operating function of an AI, such as system developers, system operators, helpdesk operators, and IT support.

The qualification structure of the ECF-C comprises the following two levels based on the year of work experience of Relevant Practitioners in performing the tasks:

(a) Core Level - This level is applicable for entry-level staff with less than 5 years of relevant work experience in the cybersecurity function.

(b) Professional Level - This level is applicable for staff with 5 and above years of relevant work experience in the cybersecurity function.

The qualification structure is driven by the key roles based upon the three lines of defence concept under cyber risk governance:

(i) first line of defence: IT Security Operations and Delivery

(ii) second line of defence: IT Risk Management and Control

(iii) third line of defence: IT Audit

Grandfathering arrangement is not applicable for the ECF on Cybersecurity.

To support and facilitate the talent development in the cybersecurity related sector specifically in banking, The Hong Kong Institute of Bankers (HKIB) has developed a learning programme – the “ECF on Cybersecurity (Core Level)” to help individuals attain the Core Level of the competency standards set by the ECF on Cybersecurity. It will facilitate the building of professional competencies and capabilities for relevant practitioners in cybersecurity related sector in banking through attaining a professional qualification by achieving the required competency level.

Programme Intended Learning Outcomes

Upon completion of the programme, participants should be able to

• Describe the foundation of various network protocols and their hierarchical relationship in hardware and software.
• Apply the principles and knowledge of international standards to enhance network and system security.
• Apply cybersecurity related monitoring measures for managing different types of cybersecurity threats.
• Conduct a security incident response process and present an analysis of the results for management’s review.
• Assess security risks in the cyber environment and IT systems by applying the IT Risk Management and Control principles.
• Conduct IT audits and security testing to assess cybersecurity risk protection.

The chapter outline of the training programme is as follows:

The Programme is open to members and non-members of the HKIB. Candidates must fulfil the stipulated minimum entry requirements:

- Students of Associate Degree (AD) / High Diploma (HD) in any disciplines (QF L4); OR

- Equivalent qualifications or above; OR

- Mature Applicants* with 3 years of relevant banking experience with recommendations from employer

* Mature applicants (aged 21 or above) who do not posses the above academic qualifications but with relevant banking experience and recommendation from their employers will be considered on individual merit.

#A digital version of training material (i.e. Study Guide and PPT Slides) will be provided before the training commencement.  Printed version will only be available at an additional cost of HKD600 (including delivery fee) on request by learners.  

Applicant should complete and sign the Application Form, together with the appropriate programme and/or examination fee, and return by email or by hand to HKIB Office on or before the corresponding enrolment deadline.

Late entries for training programmes will be accepted up to 7 days after the stipulated application deadlines. An additional late entry fee of HKD200 will apply.

Late entries examinations will be accepted up to 14 days after the stipulated application deadlines. An additional late entry fee of HKD200 will apply.

A relevant practitioner who performs the relevant tasks in cybersecurity function, completed the "ECF on Cybersecurity (Core Level)" training and passed the corresponding examination is eligible to apply for the certification of ACsP which is issued by HKIB and recognised by HKMA.

You may download the Guidelines of Certification and Certification Application Form for reference.

To ensure the Relevant Practitioners maintain their competency levels by updating their existing knowledge and skill set, they are required to fulfill the CPD requirements as stated by HKMA.

As a general guideline, Relevant Practitioners are expected to maintain a minimum of 20 CPD hours each year and a minimum of 120 CPD hours over every 3 years period.

No CPD is required in the year when the ACsP Professional Qualifications is granted. The CPD requirement starts in the following calendar year and pay for annual certification fee is also required.

Individuals who completed the training and passed at the relevant examinations are eligible to apply exemption to the relevant module under another HKIB programme, namely the Advanced Diploma Programme for Certified Banker (QF Level 4, QR Registration No.:18/000081/L4, Validity Period from 15/02/2018 to 14/02/2022). Upon the completion of the programme and satisfaction of the required years of work experience, they may also be awarded the Certified Banker (Stage I) Professional Qualifications. Advanced Diploma Programme for Certified Banker is a CB professional banking qualification programmes developed and offered by HKIB. It is intended to raise the professional competency of banking and financial practitioners in Hong Kong to meet modern demands, while providing a transparent standard with international recognition.