On 13 October 2016, the Securities and Futures Commission (SFC) announced it had issued a circular launching a cybersecurity review with a focus on assessing the cybersecurity preparedness, compliance and resilience of brokers’ internet and mobile trading systems (Review). The Review has been prompted by an increasing number of reports to the SFC from securities brokers that the security of some customers’ internet/mobile trading accounts has been compromised and unauthorised securities trading transactions were conducted through these accounts. The 13 October circular sets out the components of the Review and, in light of the latest incidents, also states that firms should, as a matter of priority, critically review and enhance their controls to combat cyberattacks.
The Review follows a number of incidents in which security of some customers’ internet and mobile trading accounts has been compromised. In the past 12 months, 16 incidents were reported involving seven securities brokers and total unauthorised trades in excess of $100 million. These cases are under police investigation.
The SFC has therefore launched the Review to better assess the relevant cybersecurity features of brokers’ internet/mobile trading systems as well as the industry’s preparedness for and resilience to cyber risks. The Review comprises three components:
Issue of a questionnaire to a mix of small to medium-sized securities and futures brokers as well as leveraged foreign exchange traders, to assess the cybersecurity aspects of their internet and mobile trading systems. The questionnaire will cover: (i) the governance structure for cybersecurity management; (ii) the network infrastructure to protect the confidentiality, integrity and availability of internet/mobile trading systems and information; (iii) contingency plans; (iv) the cybersecurity related functionalities embedded in the internet/mobile trading systems to protect customer accounts and information; and (v) the management of cybersecurity risks pertaining to outsourcing arrangements.
Onsite inspections of selected brokers, for an in-depth review of their IT and related management controls and an assessment of their design and effectiveness in preventing and detecting cyberattacks. Special focus will be placed on protection of customer online trading accounts covering, amongst others, authentication, password policy and associated controls, and training for staff and clients.
Benchmarking the SFC’s regulatory requirements and market practices in Hong Kong against requirements of major financial services regulators and other relevant market practices in Hong Kong or elsewhere.
The findings of the Review should provide useful input for the SFC to further develop policy to improve overall resilience in the markets. The SFC will also organise industry workshops to share a summary of the overall findings.
Cybersecurity management – priority area for regulators
Cybersecurity management is a priority for the SFC’s supervision of licensed corporations (LCs). Since 2013, the SFC has conducted a number of internet trading and cybersecurity reviews and issued a number of circulars to draw attention to common deficiencies and vulnerabilities identified during these reviews. For example, on 11 June 2015, the SFC issued a circular following its launch of an internet trading self-assessment checklist on its website. The checklist provides guidance for LCs to conduct regular self-assessment of their internet trading systems, network infrastructure, related policies, procedures and practices in order to identify areas that require improvement and, where needed, enhance the same so as to ensure compliance with the relevant electronic trading requirements.
On 29 January 2016, the SFC issued a circular in which it and the police’s Cyber Security and Technology Crime Bureau (CSTCB) reminded all securities and futures brokers to be on alert for unauthorised activities committed on their clients’ online accounts. The circular listed out certain suggested control measures for monitoring client transactions and safeguarding against unauthorised activities committed in online client accounts.
On 23 March 2016, the SFC issued another circular drawing attention to the following key areas of concern arising out of its reviews: (i) inadequate coverage of cybersecurity risk assessment exercises; (ii) inadequate cybersecurity risk assessment of service providers; (iii) insufficient cybersecurity awareness training; (iv) inadequate cybersecurity incident management arrangements; and (v) inadequate data protection programs (please see our e-bulletin dated 5 April 2016).
13 October 2016 Circular
In the SFC’s most recent circular dated 13 October 2016, the SFC states that, in light of the recent incidents, LCs should, as a matter of priority, critically review and enhance their controls to combat cyberattacks. This would involve:
Strengthening threat intelligence and vulnerability management to pro-actively identify and remediate cybersecurity vulnerabilities;
Implementing reliable preventive, detective and monitoring measures to protect sensitive information and trading systems;
Being vigilant in monitoring unusual or questionable log-ins/transactions in client accounts;
Implementing effective user authentication and access controls to deter potential hacking attempts; and
Establishing an effective contingency plan which covers, amongst other things, possible cyberattack scenarios where trade and position data are impacted.
In the circular, the SFC also sets out some examples of good practices observed in the market place. They include:
Implementing client data encryption;
Putting in place controls to detect internet protocol ranges used by clients and abnormal buy/sell transactions;
Implementing two-factor authentication in conjunction with strong password requirements for clients’ log-in; and
Sending timely trade confirmation to clients via SMS.
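The second good practice listed above (detecting the IP ranges clients normally use and abnormal buy/sell transactions) can be screened mechanically. The script below is an added example, not code from the SFC circular or any broker; the client networks, trade baselines and event records are constructed sample data, and the five-times-baseline threshold is an assumption a firm would calibrate from its own history.

```python
import ipaddress

# Constructed sample data (not from the circular): networks each client has been
# seen from before, and each client's typical order value in HKD.
KNOWN_NETWORKS = {
    "C001": ["203.0.113.0/24"],
    "C002": ["198.51.100.0/25", "192.0.2.0/24"],
}
TRADE_BASELINE = {"C001": 20_000.0, "C002": 150_000.0}

# Constructed login/trade events for one screening run.
EVENTS = [
    {"client": "C001", "type": "login", "ip": "203.0.113.42"},
    {"client": "C001", "type": "login", "ip": "192.0.2.200"},       # unfamiliar range
    {"client": "C001", "type": "trade", "side": "buy", "value": 18_500.0},
    {"client": "C001", "type": "trade", "side": "sell", "value": 260_000.0},  # 13x baseline
    {"client": "C002", "type": "login", "ip": "198.51.100.200"},    # outside the /25
    {"client": "C002", "type": "trade", "side": "buy", "value": 140_000.0},
]


def ip_in_known_ranges(client, ip):
    """True if the login address falls inside any network previously seen for the client."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in KNOWN_NETWORKS.get(client, []))


def is_abnormal_trade(client, value, factor=5.0):
    """Flag orders more than `factor` times the client's baseline (assumed threshold).
    A client with no baseline is flagged so that the trade is reviewed rather than ignored."""
    baseline = TRADE_BASELINE.get(client)
    return baseline is None or value > factor * baseline


def screen_events(events):
    """Return (client, reason) alerts for the monitoring desk to review."""
    alerts = []
    for ev in events:
        client = ev["client"]
        if ev["type"] == "login" and not ip_in_known_ranges(client, ev["ip"]):
            alerts.append((client, f"login from unfamiliar IP {ev['ip']}"))
        elif ev["type"] == "trade" and is_abnormal_trade(client, ev["value"]):
            alerts.append((client, f"{ev['side']} order {ev['value']:.0f} exceeds baseline"))
    return alerts


if __name__ == "__main__":
    for client, reason in screen_events(EVENTS):
        print(client, reason)
```

Alerts from this kind of screen are only a trigger for human review; the firm still needs a confirmation step with the client before treating a trade as unauthorised.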
The SFC also recommends brokers take appropriate steps in raising the awareness of their clients about the importance of security precautions in relation to online securities trading. For example, brokers should remind their clients to properly safeguard their passwords, not to use public computers or unknown and unsecure networks to access their online accounts and to keep a close eye on trade confirmations to monitor their online accounts. Brokers may also refer their clients to the Investor Education Centre’s website to obtain security tips when trading online.
Whilst awareness of the importance of cybersecurity is increasing, the threat of cyberattacks is growing at the same time as a result of rapid developments in technology. These latest incidents serve as an important reminder that firms need to have in place robust controls and procedures to prevent and identify cyberattacks. Firms should also have plans in place to deal with actual cyberattack scenarios. LCs should review their existing controls and strengthen them where necessary, mindful of the cybersecurity controls and practices which the Hong Kong regulators have previously recommended/required (see also our e-bulletin dated 5 November 2015).