The SFC issued a circular to all licensed corporations yesterday, following its recent review of cybersecurity within selected larger licensed corporations. Firms will wish to give careful consideration to the SFC's recommendations regarding appropriate cyberscurity controls.

Whilst the SFC found that most of the licensed corporations had prioritised resources for maintaining cybersecurity controls, it identified the following key areas of concern:

  • inadequate coverage of cybersecurity risk assessment exercises;
  • inadequate cybersecurity risk assessment of service providers;
  • insufficient cybersecurity awareness training;
  • inadequate cybersecurity incident management arrangements; and
  • inadequate data protection programs.

Nonetheless, the SFC has also identified various sound and effective cybersecurity controls among the licensed corporations reviewed. Details of the above areas of concern and recommended cybersecurity controls are set out in the appendix to the circular.

The SFC states that:

"[c]yber security within licensed corporations [LCs] has, for some time, been of concern to the SFC and is increasingly being viewed by the SFC as a matter of priority given the ongoing occurrence of cybersecurity incidents being reported across the financial services industry".

It will focus on the "cybersecurity preparedness" of licensed corporations and expects them to take appropriate measures to critically review and assess their cybersecurity controls.