SFC notifies the industry of cybersecurity review on internet/mobile trading systems

13 Oct 2016

The Securities and Futures Commission (SFC) announced the commencement of a cybersecurity review in the fourth quarter with a focus on assessing the cybersecurity preparedness, compliance and resilience of brokers’ internet/mobile trading systems. 

The SFC has received an increasing number of reports from securities brokers that the security of some customers’ internet/mobile trading accounts has been compromised and unauthorized securities trading transactions were conducted through these accounts.  For the 12 months ended 30 September 2016, there were 16 reported hacking incidents which involved 7 securities brokers and total unauthorized trades in excess of $100 million.  While these hacking incidents are still under police investigation, there are indications that brokers and their clients may be able to do more to better protect online trading accounts.

Cybersecurity management is a priority for the SFC’s supervision of licensed corporations (“LCs”).  Since 2013, the SFC has conducted a number of internet trading and cybersecurity reviews and issued a number of circulars[1] to draw the industry’s attention to common deficiencies and vulnerabilities identified during these reviews[2].  The SFC has also suggested wide-ranging control measures, including a self-assessment questionnaire. 

Whilst general awareness of cybersecurity seems to have improved, cyber threats have also evolved in tandem with the rapid development of technology-enabled business.  In light of the latest incidents, LCs should, as a matter of priority, critically review and enhance their controls to combat cyberattacks.  This would involve

Examples of good practices observed in the market place include (i) implementing client data encryption; (ii) putting in place controls to detect the internet protocol (IP) ranges used by clients and abnormal buy/sell transactions; (iii) implementing two-factor authentication in conjunction with strong password requirements for client logon; and (iv) sending timely trade confirmations to clients via SMS.  A combination of these measures enables brokers to spot suspicious activities and mitigate hacking risks.  Where the security of accounts is compromised, early detection enables brokers to send alerts to clients to stop further unauthorized trading.
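The detection controls in items (ii) and (iv) above can be illustrated with a small monitor. The following block is an added example and is not part of the SFC circular or any broker's system: it walks a constructed sequence of client logins and orders, flags logins from IP ranges the client has never used, flags orders whose size is far outside the client's history, and emits the alert records a broker would forward to the client by SMS. The client ids, IP ranges, order history and the 5x-median threshold are all assumptions made for the example.

```python
"""Added example (not from the SFC circular): a minimal detector for
unfamiliar client IP ranges and abnormal buy/sell activity.
All records below are constructed sample data; thresholds are assumptions."""
import ipaddress
from statistics import median

# Constructed sample: source networks historically observed for each client.
KNOWN_NETWORKS = {
    "C001": [ipaddress.ip_network("203.0.113.0/24")],
    "C002": [ipaddress.ip_network("198.51.100.0/24"),
             ipaddress.ip_network("192.0.2.0/24")],
}

# Constructed sample: recent order history per client (notional value in HKD).
HISTORY = {
    "C001": [20_000, 25_000, 18_000, 30_000, 22_000],
    "C002": [150_000, 120_000, 180_000, 160_000],
}

# Constructed sample event log, in arrival order.
EVENTS = [
    {"type": "login", "client": "C001", "ip": "203.0.113.45"},
    {"type": "order", "client": "C001", "side": "buy", "notional": 24_000},
    {"type": "login", "client": "C001", "ip": "198.51.100.77"},   # network never seen for C001
    {"type": "order", "client": "C001", "side": "buy", "notional": 500_000},  # ~20x median
    {"type": "login", "client": "C002", "ip": "192.0.2.10"},
    {"type": "order", "client": "C002", "side": "sell", "notional": 170_000},
]

# Assumed threshold: an order is abnormal if it exceeds this multiple of the
# client's median historical notional.
ABNORMAL_MULTIPLE = 5.0


def login_is_unfamiliar(client, ip):
    """True if the source address lies outside every network seen for the client."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in KNOWN_NETWORKS.get(client, []))


def order_is_abnormal(client, notional):
    """True if the order is far larger than the client's usual order size."""
    hist = HISTORY.get(client)
    if not hist:
        return True  # no baseline yet: treat as abnormal until reviewed
    return notional > ABNORMAL_MULTIPLE * median(hist)


def scan(events):
    """Walk events in order, remember which clients' current session began from an
    unfamiliar network, and return (client, reason, detail) alert tuples."""
    alerts = []
    risky_session = set()
    for ev in events:
        c = ev["client"]
        if ev["type"] == "login":
            if login_is_unfamiliar(c, ev["ip"]):
                risky_session.add(c)
                alerts.append((c, "login_unfamiliar_ip", ev["ip"]))
            else:
                risky_session.discard(c)  # a familiar login starts a clean session
        elif ev["type"] == "order":
            if order_is_abnormal(c, ev["notional"]):
                alerts.append((c, "abnormal_order_size", ev["notional"]))
            elif c in risky_session:
                # Ordinary-sized order, but placed in a session from an unknown network.
                alerts.append((c, "order_after_unfamiliar_login", ev["notional"]))
    return alerts


if __name__ == "__main__":
    for alert in scan(EVENTS):
        print(alert)
```

Running the block prints two alerts for client C001 (the unfamiliar login and the oversized order that follows it) and nothing for C002, whose login and order match its history. In practice the known-network and order-history tables would be built from the broker's own logs rather than hard-coded, and each alert would trigger the SMS confirmation to the client mentioned in item (iv).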

In addition, LCs should take appropriate steps to raise their clients’ awareness of the security precautions they need to take when conducting online securities trading.  For example, brokers should remind their clients to properly safeguard their passwords, not to use public computers or unknown and insecure networks to access their online accounts, and to keep a close eye on trade confirmations to monitor their online accounts.  Brokers can refer their clients to the Investor Education Centre’s website (http://www.thechinfamily.hk/web/en/scams/scam-websites.html) for further security tips on trading online. 

To better assess the relevant cybersecurity features of brokers’ internet/mobile trading systems as well as the industry’s preparedness for and resilience to cyber risks, the SFC has commenced a new cybersecurity review.  The review comprises three components:

This questionnaire will cover (i) the governance structure for cybersecurity management, (ii) the network infrastructure to protect the confidentiality, integrity and availability of internet/mobile trading systems and information, (iii) contingency plans, (iv) the cybersecurity related functionalities embedded in the internet/mobile trading systems to protect customer accounts and information, and (v) the management of cybersecurity risks pertaining to outsourcing arrangements.

Special focus will be placed on the protection of customer online trading accounts covering, inter alia, authentication, password policy and associated controls, and training for staff and clients.

The findings of this review should provide useful input for the SFC to further develop policy to improve overall resilience in the markets.  Industry workshops will also be organized to share a summary of the overall findings.  

Should you have any questions regarding the contents of this circular, please contact Ms Seine Luk at 2231 1696.

Intermediaries Supervision Department
Intermediaries Division
Securities and Futures Commission



[1] These circulars are: (i) Cybersecurity, dated 23 March 2016; (ii) Tips on Protection of Online Trading Accounts, dated 29 January 2016; (iii) Internet Trading – Internet Trading Self-Assessment Checklist, dated 11 June 2015; (iv) Mitigating Cybersecurity Risks, dated 27 November 2014; (v) Internet Trading – Information Security Management and System Adequacy, dated 26 November 2014; and (vi) Internet Trading – Reducing Internet Hacking Risks, dated 27 January 2014.
[2] Examples include the lack of system security awareness by the LC and the client, the lack of comprehensive and/or regular cybersecurity / IT risk assessment, and inadequate operational controls, such as user access controls, password controls and system change management.


Page last updated: 13 Oct 2016