On May 8, 2017, the Hong Kong Securities and Futures Commission (SFC) launched a two-month consultation on proposals to reduce and mitigate hacking risks associated with internet trading. The SFC aims to conclude the consultation and finalize the revised Code of Conduct and the new Guidelines by September or October 2017. Internet brokers (licensed or registered brokers engaged in internet trading) will then be afforded six months to implement the new requirements.
The proposals include expanding the scope of cybersecurity regulatory principles and requirements, which currently apply only to electronic trading of securities and futures on an exchange, to encompass the internet trading of securities that are not listed or traded on an exchange. The SFC also proposes to update the definition of “internet trading” in the Code of Conduct to clarify that an internet-based trading facility may be accessed through a computer, mobile phone or other electronic devices.
The SFC’s key proposed requirements include two-factor authentication for clients’ system login and prompt notification to clients of certain activities in their internet trading accounts.
Currently, internet brokers are required to implement reliable measures to validate the identity and authority of users to ensure that access to or use of their systems is restricted to persons approved to use them on a need-to-have basis. Such measures commonly include the use of a password at client login. However, the SFC’s 2016 Cybersecurity Review found that passwords alone were not a sufficient safeguard, even if there were stringent password policies and session timeout controls in place. Therefore, the SFC has proposed a two-factor authentication process as a client login requirement. Two-factor authentication refers to a mechanism that uses any two of the following factors:
- What the client knows (e.g., a password)
- What a client has (e.g., a hardware token or a one-time password that expires after a short period)
- Who a client is (i.e., biometric information)
The SFC proposes that internet brokers should notify clients promptly after certain activities have taken place in their internet trading accounts, including system login, trade execution, fund transfers to third parties, change of personal particulars and password reset.
Due to industry concern regarding the possibly high compliance costs if all notifications were to be sent by SMS, the SFC has clarified that, under the proposals, internet brokers could send notifications by email, SMS or other push notifications as they deem appropriate. However, notifications should be sent through a channel different from the one used for system login, in order to mitigate the risk of interception by hackers.
In response to concerns that certain clients, such as frequent traders, may not want to receive a large number of trade execution notifications, the SFC proposes that, subject to adequate safeguards, clients may opt out of the notifications. To opt out, clients must have received adequate risk disclosures from the internet broker and have acknowledged that they understand the risks associated with opting out.
The consultation paper proposals highlight the SFC’s continued focus on the cybersecurity management practices of licensed corporations. The proposals should strengthen internet brokers’ control practices to address the risks posed by hacking, and provide guidance to internet brokers on the standard of cybersecurity controls that the SFC expects them to implement when they engage in internet trading.