Today, the consultation by the Securities and Futures Commission (SFC) on proposals to reduce and mitigate hacking risks associated with internet trading closed. The consultation follows on from the SFC’s thematic review of the resilience to hacking risks of brokers engaged in internet trading (internet brokers) in late 2016 (Cybersecurity Review). The SFC aims to publish its consultation conclusions by September or October 2017. Internet brokers will then be allowed 6 months to implement the new requirements.
The existing requirements for cybersecurity management are set out in paragraph 18 and schedule 7 of the Code of Conduct for Persons Licensed by or Registered with the Securities and Futures Commission (Code of Conduct).
The SFC proposes to issue the Guidelines for Reducing and Mitigating Hacking Risks associated with Internet Trading, which contain 20 cybersecurity control practices for internet brokers to reduce and mitigate hacking risks, and clarify expected minimum standards regarding cybersecurity controls. Most of the requirements under the proposed guidelines are already featured in the Code of Conduct but require elaboration. The proposed guidelines also consolidate relevant guidance from previous SFC circulars (Circulars). The 20 control practices are grouped into three categories: (a) protection of clients’ internet trading accounts; (b) infrastructure security management; and (c) cybersecurity management and supervision.
The control practices include preventive and detective controls, such as two-factor authentication for client login, prompt notification to clients through a second channel after certain activities take place in their internet trading accounts, and ensuring arrangements with third party service providers are formalised.
1. SCOPE OF APPLICATION
The key cybersecurity-related regulatory principles and requirements as set out in the Code of Conduct currently only apply to securities dealers, futures dealers, leveraged foreign exchange traders and fund managers which conduct electronic trading (including internet trading) of securities and futures contracts listed or traded on an exchange.
The SFC considers that the internet trading of securities that are not listed or traded on an exchange (eg, authorised unit trusts and mutual funds) exposes brokers and clients to the same risks as the internet trading of securities that are listed or traded on an exchange. Therefore, it is proposed that the scope of application of the Code of Conduct be expanded to include such activities.
The SFC also proposes to update the definition of “internet trading” in the Code of Conduct to clarify that an internet-based trading facility may be accessed through a computer, mobile phone or other electronic device.
The 20 cybersecurity control practices in the proposed guidelines (an overview of which is provided below) are to be read in conjunction with the relevant requirements under the Code of Conduct.
2. PROTECTION OF CLIENTS’ INTERNET TRADING ACCOUNTS
Internet brokers are currently required to employ reliable techniques to authenticate the identity and authority of system users to ensure that access to or use of their systems is restricted to persons approved to use them on a need-to-have basis. Such measures typically include the use of a password at client login. However, following findings from the Cybersecurity Review on recent hacking incidents, the SFC considers passwords alone not to be an adequate safeguard, and proposes that two-factor authentication (2FA) be a requirement for client login as an effective measure to prevent hacking.
2FA refers to an authentication mechanism which utilises any two of the following three factors:
What a client knows (eg, password);
What a client has (eg, hardware token, one-time password that will expire in a short period of time); and
Who a client is (ie, biometric details).
Internet brokers have flexibility to decide on any 2FA solution that they deem appropriate.
Prompt notification to clients
The SFC considers that prompt notification to clients can provide an effective second line of defence for detection in circumstances such as unauthorised access to clients’ internet trading accounts, or where hackers have undertaken certain activities in those accounts, including trade execution and fund transfers to third parties. This detective control is a new requirement that was not previously mentioned in the Circulars.
In response to industry concern relating to high compliance costs if notifications were to be sent by SMS, the SFC has clarified that it is flexible on the methods of notification, with email, SMS or push notifications being acceptable forms of communication. However, to mitigate the risk of disruption by hackers, notifications should be sent through a channel which is different from the one used for system login.
Clients may choose to opt out of trade execution notifications, provided that they have received adequate risk disclosures from the internet broker and have acknowledged that they understand the risks of opting out. However, opting out of receiving notifications for any other activities is not permitted.
Monitoring and surveillance mechanisms
The SFC notes from the Cybersecurity Review that two major monitoring and surveillance mechanisms currently adopted by internet brokers to detect suspicious activities are the monitoring of unusual internet protocol addresses and the identification of irregular trading patterns.
It is proposed that internet brokers should be required to implement monitoring and surveillance mechanisms to detect unauthorised access to their clients’ internet trading accounts. Brokers are entitled to decide on the means to satisfy this requirement. The SFC further considers that it is unrealistic and impractical to require internet brokers to monitor suspicious trading patterns, and proposes to include this control only as an example of good practice.
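The two detective controls described above (second-channel notification with the opt-out rule, and monitoring of logins from unusual IP addresses) combined into one illustrative Python routine. This is an added example, not code from the SFC or any broker; the log format, client records and the /24 network-prefix heuristic are constructed assumptions.

```python
import re
from dataclasses import dataclass

NOTIFY_CHANNELS = {"email", "sms", "push"}  # second channels, distinct from the login channel
LINE_RE = re.compile(r"client=(\S+) event=(\S+) ip=(\S+)")  # assumed log layout

@dataclass
class Client:
    client_id: str
    known_networks: set        # /24 prefixes seen on previously verified logins (assumption)
    notify_channel: str        # email / sms / push
    trade_opt_out: bool = False
    risk_ack: bool = False     # acknowledged the opt-out risk disclosure

def network_prefix(ip: str) -> str:
    return ".".join(ip.split(".")[:3])

def must_notify(client: Client, activity: str) -> bool:
    # Opt-out is only valid for trade execution and only with an acknowledged disclosure;
    # every other activity (fund transfer, suspected unauthorised access) is always notified.
    if activity == "trade_execution":
        return not (client.trade_opt_out and client.risk_ack)
    return True

def process_events(clients: dict, lines: list) -> list:
    """Return (client_id, activity, channel) tuples that must be sent to clients."""
    notices = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        cid, event, ip = m.groups()
        client = clients[cid]
        if client.notify_channel not in NOTIFY_CHANNELS:
            raise ValueError(f"{cid}: notifications must go through a second channel")
        if event == "login":
            if network_prefix(ip) in client.known_networks:
                continue                      # routine login from a known network
            event = "suspicious_login"        # unusual IP: treat as possible unauthorised access
        if must_notify(client, event):
            notices.append((cid, event, client.notify_channel))
    return notices

def run_sample() -> list:
    clients = {  # constructed sample clients
        "C001": Client("C001", {"203.0.113"}, "sms", trade_opt_out=True, risk_ack=True),
        "C002": Client("C002", {"198.51.100"}, "email"),
        "C003": Client("C003", {"192.0.2"}, "push", trade_opt_out=True, risk_ack=False),
    }
    log = [  # constructed sample log lines
        "2017-06-15T09:01:02 client=C001 event=login ip=203.0.113.5",
        "2017-06-15T09:02:10 client=C001 event=trade_execution ip=203.0.113.5",
        "2017-06-15T09:03:44 client=C001 event=fund_transfer ip=203.0.113.5",
        "2017-06-15T09:05:00 client=C002 event=login ip=192.0.2.7",
        "2017-06-15T09:05:30 client=C002 event=trade_execution ip=192.0.2.7",
        "2017-06-15T09:07:12 client=C003 event=trade_execution ip=192.0.2.9",
    ]
    return process_events(clients, log)
```

C003 has opted out of trade notices but never acknowledged the risk disclosure, so its trade execution is still notified; C001's login from a known network produces no notice, while C002's login from an unseen network does.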
Other control practices under this section include those relating to data encryption, protection of client login passwords, and stringent password policies and session timeout controls.
3. INFRASTRUCTURE SECURITY MANAGEMENT
Security controls to help prevent unauthorised intrusion and cyber-attacks
The SFC proposes to codify and standardise security controls implemented by internet brokers surveyed during the Cybersecurity Review. The following are new preventive requirements which have not been mentioned in the Circulars:
Execute and update anti-virus and anti-malware solutions on a timely basis to detect malicious applications and malware on critical servers and workstations; and
Establish physical security policies and procedures and prevent unauthorised physical access to the facilities hosting the internet trading system and the critical system components.
There is also a requirement for internet brokers to implement the latest security patches or hotfixes released by software providers within a newly introduced timeframe of one month.
Management of third party service providers
It is proposed that in cases where internet brokers utilise the services of third party service providers, they should formalise that relationship by entering into a service agreement with the service provider which specifies the terms of service and responsibilities of the provider. The SFC further emphasises that internet brokers should ensure that services offered by the provider will enable them to comply with the relevant regulatory requirements.
Other control practices under this section include those relating to the deployment of a secure network infrastructure, user access management, security controls over remote connection, prevention of unauthorised installation of hardware and software, system and data back-up, and contingency planning.
4. CYBERSECURITY MANAGEMENT AND SUPERVISION
Roles and responsibilities of cybersecurity management
The Cybersecurity Review revealed that some internet brokers only had informally defined roles and responsibilities for cybersecurity risk management, with no requirements for structured delegation and operation. This lack of ownership of key cybersecurity risk management activities may expose the broker to a higher risk of cyber-attacks.
The Circulars previously suggested that a cybersecurity risk management framework be developed. It is now proposed that this requirement should be further expanded to specify key roles and responsibilities of the responsible officers or executive officers in charge of the overall management and supervision of the internet trading system, thereby strengthening overall cybersecurity governance.
Although the responsibilities can be delegated to a designated committee or operational unit, overall accountability remains with the responsible officers or executive officers.
Cyber-related incident reporting, training and alerts
Additional guidelines include the requirement for internet brokers to put in place policies and procedures for escalating and reporting (both internally and externally) any cybersecurity incident, to provide cybersecurity awareness training to all internal system users on a yearly basis as a minimum, and to take reasonable steps to alert and remind clients of cybersecurity risks as well as advise on protection measures when using the internet trading system.
5. CONCLUSION AND NEXT STEPS
The SFC views cybersecurity management as a continuing key priority for the supervision of licensed corporations. The proposed requirements are based on the results of the Cybersecurity Review, and set out the minimum standards for cybersecurity management. They aim to toughen control practices to address hacking risks and vulnerabilities, standardise and codify common cybersecurity control practices for their consistent adoption by internet brokers across the industry, and provide internet brokers with clear and practical guidance on the SFC’s expected standards of cybersecurity controls.
We will be watching for the consultation conclusions as well as the revised Code of Conduct and new guidelines, and will provide an update in due course.