SFC consults on proposals to reduce hacking risks in internet trading

8 May 2017



The Securities and Futures Commission (SFC) today launched a two-month consultation on proposals to reduce and mitigate hacking risks associated with internet trading (Note 1).

The proposals incorporate new guidelines (Note 2) which set out baseline cybersecurity requirements for internet brokers (Note 3) to address hacking risks and vulnerabilities and to clarify expected standards of cybersecurity controls. Some of these requirements already feature in the Code of Conduct or SFC circulars (Note 4) and are being elaborated and consolidated into the proposed guidelines.

Key proposed requirements include two-factor authentication (Note 5) for clients’ system login and prompt notification to clients of certain activities in their internet trading accounts.

In addition, the SFC proposes to expand the scope of cybersecurity-related regulatory principles and requirements which now apply to electronic trading of securities and futures on exchanges (Note 6) to cover the internet trading of securities which are not listed or traded on an exchange. This includes authorised unit trusts and mutual funds because they are subject to the same hacking risks. The SFC also proposes to update the definition of “internet trading” to clarify that an internet-based trading facility may be accessed through a computer, mobile phone or other electronic device.

“Hacking of internet trading accounts is the most serious cybersecurity risk faced by internet brokers in Hong Kong,” said Mr Ashley Alder, the SFC’s Chief Executive Officer. “Brokers must strengthen their resilience to hacking and other cybersecurity risks by adopting robust preventive and detective controls.”

The consultation follows the SFC’s recent thematic review of Hong Kong’s brokers’ resilience to hacking risks. In formulating its proposals, the SFC considered local and overseas market practices and regulatory requirements, the effectiveness and relevance of a variety of controls, implementation costs and potential implications for the user experience.

Interested parties are invited to submit their comments to the SFC on or before 7 July 2017. Written comments may be submitted online via the SFC website (www.sfc.hk), by email to 2017_cybersecurityconsultation@sfc.hk, by post or by fax to 2293 4087.

End

Notes:

  1. For the 18 months ended 31 March 2017, 12 licensed corporations reported 27 cybersecurity incidents, most of which involved hackers gaining access to clients’ internet-based trading accounts with securities brokers, resulting in unauthorised trades totalling more than $110 million. Other incidents involved distributed denial-of-service attacks, where multiple compromised computer systems attacked licensed corporations’ websites and caused a denial of service for their users, accompanied by threats of extortion.
  2. The proposed guidelines set out 20 baseline cybersecurity requirements which will be implemented by means of Guidelines for Reducing and Mitigating Hacking Risks associated with Internet Trading issued under the Securities and Futures Ordinance.
  3. Brokers engaged in internet trading of securities, futures contracts or leveraged foreign exchange contracts.
  4. The Code of Conduct for Persons Licensed by or Registered with the Securities and Futures Commission. Related SFC circulars include: (i) Alert for Cybersecurity Threats dated 26 January 2017; (ii) Cybersecurity dated 23 March 2016; (iii) Tips on Protection of Online Trading Accounts dated 29 January 2016; (iv) Internet Trading – Internet Trading Self-Assessment Checklist dated 11 June 2015; (v) Mitigating Cybersecurity Risks dated 27 November 2014; (vi) Internet Trading – Information Security Management and System Adequacy dated 26 November 2014; and (vii) Internet Trading – Reducing Internet Hacking Risks dated 27 January 2014.
  5. Two-factor authentication (2FA) means at least two of the following factors are used for authentication: (i) what a client knows (eg, a password); (ii) what a client has (eg, a hardware token); and (iii) who that client is (eg, a fingerprint or other biometrics). Firms are free to choose any 2FA solution they deem appropriate.
  6. At present, the main cybersecurity-related regulatory principles and requirements which apply to the electronic trading of securities and futures contracts listed or traded on an exchange are included in Paragraph 18 and Schedule 7 of the Code of Conduct. These regulatory principles and requirements currently apply to securities dealers, futures dealers, leveraged foreign exchange traders and fund managers.


Page last updated: 8 May 2017