On 7 July 2017, the consultation by the Securities and Futures Commission (SFC) on proposals to reduce and mitigate hacking risks associated with internet trading closed. The consultation follows on from the SFC’s thematic review of the resilience to hacking risks of brokers engaged in internet trading (internet brokers) in late 2016. The SFC aims to publish its consultation conclusions by September or October 2017. Internet brokers will then be allowed 6 months to implement the new requirements.
The existing requirements for cybersecurity management are set out in paragraph 18 and schedule 7 of the Code of Conduct for Persons Licensed by or Registered with the Securities and Futures Commission (Code of Conduct).
The SFC proposes to issue the Guidelines for Reducing and Mitigating Hacking Risks associated with Internet Trading, which contain 20 cybersecurity control practices for internet brokers to reduce and mitigate hacking risks, and clarify expected minimum standards regarding cybersecurity controls. Most of the requirements under the proposed guidelines are already featured in the Code of Conduct but require elaboration. The proposed guidelines also consolidate relevant guidance from previous SFC circulars. The 20 control practices are grouped into three categories: (a) protection of clients’ internet trading accounts; (b) infrastructure security management; and (c) cybersecurity management and supervision.
The control practices include preventive and detective controls, such as two-factor authentication for client login, prompt notification to clients through a second channel after certain activities take place in their internet trading accounts, and ensuring arrangements with third party service providers are formalised.