Circular to Licensed Corporations Engaged in Internet Trading
Good Industry Practices for IT Risk Management and Cybersecurity

27 Oct 2017

Licensed corporations engaged in internet trading (“internet brokers”) are advised that the Guidelines for Reducing and Mitigating Hacking Risks Associated with Internet Trading (“Guidelines”) are only minimum standards. Senior management, with the help of solution providers or technical consultants if needed, should ensure that all systems and controls are commensurate with the firm’s business needs and operations, and implement additional cybersecurity controls as necessary.

As additional guidance, the Appendix includes a list of good industry practices which internet brokers may wish to consider incorporating into their information technology (IT) and cybersecurity risk management frameworks. This list builds on the controls suggested in past circulars1 and supplements them with recommendations from an external cybersecurity expert2 based on the latest technological developments.

Internet brokers should note that the Guidelines, together with the list of good industry practices, supersede the suggested controls mentioned in past circulars. For the avoidance of doubt, internet brokers are still expected to complete the internet trading self-assessment checklist3 as part of their regular reviews of their internet trading systems.

The SFC would like to point out that the list of good practices is by no means exhaustive and internet brokers should always take into consideration their own circumstances as well as current and emerging cybersecurity threats when adopting these practices or their equivalent.

If you have any queries regarding the contents of this circular, please contact Ms Remy Cheung at 2231 1186.

Intermediaries Supervision Department
Intermediaries Division
Securities and Futures Commission




These include (i) Alert for Cybersecurity Threats dated 26 January 2017; (ii) Cybersecurity dated 23 March 2016; (iii) Tips on Protection of Online Trading Accounts dated 29 January 2016; (iv) Mitigating Cybersecurity Risks dated 27 November 2014; (v) Internet Trading – Information Security Management and System Adequacy dated 26 November 2014; and (vi) Internet Trading - Reducing Internet Hacking Risks dated 27 January 2014.
2 A multinational professional services firm, appointed by the SFC for its 2016 cybersecurity review, with many years of experience advising regulators and the financial services industry on cybersecurity issues. 
 Circular on Internet Trading – Internet Trading Self-Assessment Checklist dated 11 June 2015.

Click here to download the document

Supplementary document:

Page last updated : 30 Oct 2017