SFC commences cybersecurity review on brokers’ internet and mobile trading systems

13 Oct 2016



The Securities and Futures Commission (SFC) has launched a review to assess the cybersecurity preparedness, compliance and resilience of brokers’ internet and mobile trading systems (Note 1). 

The review followed a number of reports from securities brokers that the security of some customers’ internet and mobile trading accounts has been compromised and unauthorized securities trading transactions were conducted through these accounts.

In the past 12 months, 16 incidents were reported involving seven securities brokers and total unauthorized trades in excess of $100 million. These cases are under police investigation. 

Cybersecurity management is a priority for the SFC’s supervision of licensed corporations. In the light of the recent incidents, brokers should critically review and enhance their controls to combat cyberattacks, including measures aimed at mitigating hacking risks and enabling them to spot and alert clients to suspicious activities so as to stop further unauthorized trading where security has been compromised.

The latest cybersecurity review has three components:

  • issue of questionnaires to a mix of small to medium sized brokers to assess relevant cybersecurity features of brokers’ internet and mobile trading systems; 
  • onsite inspections of selected brokers for an in-depth review of their information technology and other related management controls and an assessment of their design and effectiveness in preventing and detecting cyberattacks; and
  • benchmarking the SFC’s regulatory requirements and market practice in Hong Kong against other major financial services regulators and other relevant market practices overseas and locally.

Investors should also be mindful of the associated security threats and risks when conducting transactions through online platforms. They should:

  • set a strong password and properly safeguard their login ID and password;
  • closely monitor their online accounts by reviewing trade confirmations;
  • type the website address (URL) or use a bookmark to enter the broker’s website;
  • ensure the security of computer/mobile devices used for online trading by installing anti-virus programs and updating them regularly; and
  • not use public computers or unknown and unsecure networks to access their online accounts.

The findings of this latest cybersecurity review is designed to assist the SFC’s policy formulation to improve overall resilience of the markets. The SFC would also organise workshops to share the summary of the overall findings with the industry.

End

Note:

  1. The SFC today issued a circular to notify the industry of a cybersecurity review on internet and mobile trading systems.


Page last updated : 13 Oct 2016