Executive summary

On 27 October 2017, Hong Kong’s Securities and Futures Commission (SFC) issued its Consultation Conclusions on Proposals to Reduce and Mitigate Hacking Risks Associated with Internet Trading.

This has resulted in:

  • the issuance of Guidelines for Reducing and Mitigating Hacking Risks Associated with Internet Trading (the Guidelines), setting out baseline requirements to be adopted by licensed corporations engaged in internet trading, in order to reduce or mitigate hacking risks associated with such activities;
  • the issuance of FAQs concerning implementation of the Guidelines as well as a Circular to licensed corporations as to what is considered good industry practices which internet brokers should consider building into their information technology and cyber risk management frameworks; and
  • amendments to the Code of Conduct for Persons Licensed by or Registered with the SFC (Code of Conduct) which extend Paragraph 18 and Schedule 7 of the Code of Conduct to cover internet trading of securities that are not listed or traded on an exchange.

Implementation timetable

In response to concerns raised during the consultation period concerning the proposed six-month implementation period in respect of the Guidelines and amendments to the Code of Conduct, the SFC has agreed to extend the period for complying with the Guidelines and revisions to the Code of Conduct to nine months (i.e. effective from 27 July 2018) with the exception of the requirement in the Guidelines to implement a two-factor authentication (2FA) client account login process, which comes into effect within six months (i.e. with effect from 27 April 2018).

Summary of the Guidelines

The Guidelines supplement the existing provisions of the Code of Conduct and introduce minimum standards around the following three areas:

  • Protection of clients’ internet trading accounts;
  • Infrastructure security management;
  • Cybersecurity management and supervision.

Protection of clients’ internet trading accounts

The Guidelines require the implementation of 2FA process for clients to login to their internet trading accounts.

In its FAQs, the SFC clarifies that internet brokers are free to select 2FA (including in-house developed) solutions commensurate with their business model. The SFC has also clarified that the 2FA solution must comprise an authentication mechanism which utilises any two of the following factors: what the client knows, what the client has and who the client is. A dual password model will not fulfil such requirements unless it comprises a password and hardware token or one-time-password that will expire within a short period. Licensed entities are also required to implement appropriate measures to detect unauthorised access to client accounts and to notify clients (via appropriate medium such as email or SMS message) after certain prescribed activities have occurred in respect of the client account, including system login and trade execution. Appropriate measures must also be taken to encrypt certain sensitive data (such as user ID, passwords and trade data communications).

Infrastructure security management

In ensuring appropriate security of the operational infrastructure, licensed entities must implement the following baseline requirements:

  • a secure network infrastructure with multi-tiered firewalls;
  • policies and controls around user access management;
  • controls to prevent unauthorised installation of software and hardware;
  • updated anti-virus and solutions to detect and address cyber threats to critical systems;
  • systems to backup business records, client and transaction databases in an offline medium on at least a daily basis; and
  • implementation of appropriate contingency planning and crisis management in the event of cybersecurity scenarios.

The Guidelines permit licensed entities to outsource activities to third party service providers subject to execution of formal service-level agreements clearly identifying the terms of service responsibilities. Responsibility for complying with the relevant provisions of the Code of Conduct and the Guidelines will however remain with the licensed entity.

Cybersecurity management and supervision

The responsible officer or executive officers responsible for the overall management and supervision of the licensed entities’ internet trading, must implement an appropriate cybersecurity risk management framework covering responsibilities set out in the Guidelines. These responsibilities include: review and approval of policies and procedures; monitoring and assessment of cybersecurity incidents; business continuity planning and review and approving any outsourcing arrangements with third party internet trading providers. The Guidelines also require policies and procedures to be implemented dealing with reporting cybersecurity incidents internally and externally.

Annual internal cybersecurity awareness training must be provided to all employees who have access to the internal network and systems. In addition, the Guidelines require a licensed entity to take all reasonable steps to remind clients about and alert them to cybersecurity risks and recommended preventative measures when utilising the internet trading system.

The SFC Consultation Conclusions together with the Guidelines, FAQs and Circular concerning good industry practices can be accessed from the following links: