Data Protection Report - Norton Rose Fulbright

The Hong Kong Securities and Futures Commission (SFC) has launched a new cybersecurity review to assess the cybersecurity preparedness, compliance and resilience of brokers’ internet and mobile trading systems. This follows the increasing number of security incidents in which customers’ internet and mobile trading accounts were hacked, including 16 incidents involving seven securities brokers and unauthorized trades in excess of $100 million over the past 12 months.

Enhanced cybersecurity control

In the light of the incidents:

  • The SFC advised that licensed corporations (LCs) should critically review and enhance their controls to combat cyberattacks. For example, by implementing measures to proactively identify and remediate cybersecurity vulnerabilities, to protect sensitive information and to deter potential hacking attempts; by monitoring unusual or questionable logins/transactions in client accounts; and by establishing an effective contingency plan;
  • The SFC recommended that LCs should observe some good practices in the market, which include implementing client data encryption and sending timely trade confirmation to clients via SMS; and
  • The SFC also suggested that LCs should take appropriate steps to raise the awareness of their clients about the importance of taking security precautions they need to take for online and mobile trading. For example, LCs should remind their clients to property safeguard passwords and not to use public computers or unknown and unsecure network to access accounts.

New cybersecurity review

The cybersecurity review comprises of 3 steps:

  1. First, issuance of questionnaires to a mix of small- to medium-sized brokers to assess relevant cybersecurity features of brokers’ internet and mobile trading systems;
  2. Second, onsite inspections of selected brokers for an in-depth review of their information technology and other related management controls and an assessment of their design and effectiveness in preventing and detecting cyberattacks; and
  3. Third, benchmarking the SFC’s regulatory requirements and market practice in Hong Kong against other major financial services regulators and other relevant market practices overseas and locally.

The findings of this cybersecurity review is designed to assist the SFC’s policy formulation to improve overall resilience of the markets.

Continued focus on cybersecurity

Cybersecurity within LCs has, for some time, been of concern to the SFC and is increasingly being viewed by the SFC as a matter of priority. The SFC has issued a number of circulars on the topic to improve LCs resilience to cyber risks, the most recent one being the Circular to All Licensed Corporations on Cybersecurity (see our previous post).