Senior Management of firms ("LCs") licensed by the Securities and Futures Commission ("SFC") should take heed of the twin circulars recently issued by the regulator, which broadly address the security and integrity of a firm's information management system. These SFC circulars follow a recent circular from the Hong Kong Monetary Authority ("HKMA") to licensed banks in Hong Kong on the same topic.
The SFC issued circulars to LCs on 26 and 27 November 2014 which concern "Internet Trading Information Security Management and System Adequacy" and "Mitigating Cybersecurity Risks" respectively (the "26th November Circular" and "27th November Circular" or collectively, the "Circulars"). Copy of the two Circulars can be accessed here (and the appendix) and here.
The 26th November Circular
This Circular mainly focuses on internet trading systems and is a follow up on a circular issued by the SFC on 27 January 2014. The SFC recently reviewed the internet trading systems of selected LCs: the most important of the identified deficiencies are summarized below:
- No formal information technology ("IT") management policies and procedures for certain specific matters.
- Lack of comprehensive and regular security penetration tests
- Lack of comprehensive and regular IT risk assessment
- Infrequent and inadequate IT security awareness training
- Insufficient service levels prescribed in the service level agreements
- Insufficient authentication and password controls implemented on the internet trading systems to prevent unauthorized access
- Infrequent and inadequate testing on the contingency plan for ensuring its viability and adequacy
Based on the deficiencies identified, a list of 35 suggested controls and procedures was included in the Appendix to the 26th November Circular which LCs should carefully consider. The suggested controls and procedures are grouped under the following categories and sub-categories:
- Management Supervision and Information Technology Governance
- Management oversight
- System security and customer awareness
- Vendor management
- Operational Controls
- User access controls
- Password controls
- System implementation, upgrade and modification
- Network infrastructure architecture design
- Monitoring and Contingency
- Backup and contingency
The SFC expects that senior management of firms to take into consideration the suggested controls and procedures when establishing and providing secure internet trading services. Senior management should also regularly review the LCs' internet trading systems, network infrastructure, related policies, procedures and practices. Reference should be made to the new provisions, namely paragraph 18 and Schedule 7, in the Code of Conduct for Persons Licensed by or Registered with the SFC ("the Code") which came into effect on 1 January 2014 when considering whether any enhancements should be made. Paragraph 18 of the Code is of particular relevance as it deals specifically with "Electronic Trading".
The 27th November 2014 Circular
LCs are asked to conduct a self-assessment so they may prevent, detect, mitigate and manage (by way of damage control) the risk of potential loss of the firm's own and investors' information or assets due to cybersecurity attacks. LCs are expected to implement commensurate controls to address any issues identified during the self-assessment.
The SFC's request stems from a recent massive cyber-attack on a financial institution overseas in which, it is reported, hackers stole the contact information of a significant number of clients. The SFC reminded LCs that they were required to establish policies and procedures to ensure the integrity, security, availability, reliability and thoroughness of all information, including documentation and electronically stored data, relevant to the firm's business operation.
In general, the SFC suggested the following steps to be taken:
- Review the policies and procedures to manage cybersecurity threats
- Identify cybersecurity risks and critically assess potential implications and major areas of vulnerabilities in the IT systems
- Assess the enhancement needs of the IT security controls to mitigate cybersecurity risks and the potential damage arising from such events
- Consider the cybersecurity controls of third-party service providers
- Ensure continuity of critical activities and systems
Separately to the SFC, the HKMA issued its circular on 14 October 2014 to all Authorized Institutions ("AIs") requiring AIs to complete a critical review of the adequacy of their existing controls for protection of customer data by the end of the first quarter of 2015. Click here to see our e-bulletin on the HKMA Circular.
Regulators see cybersecurity as a key risk area upon which senior management should focus their attention. All these circulars make clear that the regulators will closely scrutinize the way the senior management is managing the issue. This is not merely a technical issue that senior managers can leave in the hands of IT experts (whether internal or external). Senior managers must take a close interest in IT security issues and must be able to evidence that interest.