On 27 October 2017, the Securities and Futures Commission (SFC) issued a circular and Guidelines for Reducing and Mitigating Hacking Risks Associated with Internet Trading (Guidelines), which require all licensed or registered persons engaged in internet trading to implement 20 baseline requirements to enhance their cybersecurity resilience and reduce and mitigate hacking risks. The Guidelines were issued following the SFC’s publication of their conclusions on the related consultation on the same day.
The SFC has also issued:
FAQs providing further guidance and practical examples for implementing the Guidelines; and
A circular attaching Good Industry Practices for IT Risk Management and Cybersecurity (Good Industry Practices) which internet brokers may wish to incorporate into their information technology and cybersecurity risk management frameworks.
The implementation of two-factor authentication (2FA) for clients’ system login will take effect on 27 April 2018, while all other requirements will take effect on 27 July 2018.
Please also see here for our previous bulletin dated 7 July 2017 on the SFC’s consultation on the proposed Guidelines.
1. SCOPE OF APPLICATION
Currently, paragraph 18 and Schedule 7 of the Code of Conduct for Persons Licensed by or Registered with the Securities and Futures Commission (Code of Conduct) only apply to all persons engaged in internet trading and licensed by the SFC as securities dealers, futures dealers, leveraged foreign exchange trading and fund managers, regardless of whether the securities and futures contracts are listed or traded on an exchange. As a result of the consultation, the SFC has expanded the scope of application so that the provisions also apply to securities not listed or traded on an exchange.
The additional controls in the Guidelines are to be read in conjunction with the relevant provisions of the Code of Conduct. The Guidelines confirm that “internet trading” is to have the same meaning as in paragraph 18.2(f) of the Code of Conduct, as amended to include internet-based trading facilities “accessed through a computer, mobile device or other electronic device”.
2. PROTECTION OF CLIENTS’ INTERNET TRADING ACCOUNTS
One of the key additional controls in the Guidelines is the requirement that clients use 2FA to access their internet-trading accounts. Instead of relying on a simple password, 2FA is an authentication mechanism that utilises a combination of two factors specific to an individual client.
This proposed requirement was met with widespread support during the consultation although respondents were clear that an individual assessment of the appropriate 2FA solution was necessary, due to the diverse size and financial capabilities of internet brokers. Accordingly, the Guidelines allow internet brokers to assess and implement a 2FA solution that is appropriate to their business model. Further details of the 2FA requirement are set out in our previous bulletin.
Prompt notification of clients
The Guidelines require clients be notified promptly after certain client activities have taken place in their internet trading accounts. The Guidelines list the activities that should be included and state that notification can occur via email, short message service (SMS) or other push notifications, although the method of notification must be different from the one used for system login.
The SFC maintains that prompt notification to clients can complement 2FA as an effective detective control, although clients may choose to opt out of trade execution notifications, provided that they have received adequate risk disclosures from the internet broker and the client has acknowledged that they understand the risks involved in doing so.
Respondents to the consultation suggested that if 2FA is mandatory for system login, it may be unnecessary to provide an additional notification of each system login. In response, the SFC has suggested in the FAQs that internet brokers can allow clients to opt-out of notifications of each system login provided that:
The internet broker has the capability to identify irregular logins and promptly notify clients of irregular logins;
The internet broker has provided adequate risk disclosures to clients who have acknowledged that they understand the risks involved in opting-out from notifications of each system login; and
The clients have not opted out from trade execution notifications.
Monitoring and surveillance mechanisms
While no respondents opposed the proposed requirement to implement an effective monitoring and surveillance mechanism to detect unauthorised access to clients’ internet trading accounts, a number of respondents commented on the operational challenges of monitoring internet protocol (IP) addresses. The SFC has clarified that while monitoring IP address is a useful tool, it was merely an example included for illustration and has accordingly been removed from the Guidelines.
Stringent password policies and session timeout controls
All respondents acknowledged that there was a need to establish stringent password policies and session timeout controls. A number of respondents queried the effectiveness of the “maximum password age” in the proposed Guidelines and the SFC has accordingly revised the Guidelines to replace this proposed requirement with a policy focused on periodic reminders for clients who have not changed their password for a long time.
In response to the consultation, the SFC has also amended the requirement in relation to invalid login attempts, so that internet brokers have flexibility as to the appropriate controls they put in place. The SFC has, however, set out in their FAQs that the following controls may be implemented on invalid login attempts:
Exponential back-off between successive failed login attempts; and
Brute-force attacks detection with appropriate responses.
Other control practices in this section include those relating to data encryption and protection of client login passwords.
3. INFRASTRUCTURE SECURITY MANAGEMENT
Security controls to help prevent against unauthorised intrusion and cyber-attacks
The proposed Guidelines included two new preventative requirements in relation to updating anti-virus and anti-malware solutions and establishing physical security policies at facilities hosting the internet trading system. These proposals received minimal feedback from respondents and have therefore been included in the Guidelines.
In relation to the requirement for internet brokers to implement the latest security patches or hotfixes released by software providers, respondents suggested that the timeframe of one month was not sufficient and instead favoured a more flexible approach. The SFC maintains that time is of the essence for effective patch management and that security patches and hotfixes should be implemented within one month of the necessary testing. The Guidelines provide, however, for internet brokers to evaluate the impact of the security patches and hotfixes and so internet brokers are free to set their implementation schedule based on evaluation results.
Management of third party service providers
The proposal that internet brokers should enter into a formal service agreement with a third party service provider which specifies the terms of service and responsibilities of the provider was widely supported by respondents. The SFC has clarified that this requirement only covers outsourcing arrangements associated with the internet-based trading facility used to send order instructions to the internet broker.
Other control practices under this section include those relating to the deployment of a secure network infrastructure, user access management, security controls over remote connection, prevention of unauthorised installation of hardware and software, system and data back-up and contingency planning.
4. CYBERSECURITY MANAGEMENT AND SUPERVISION
The proposed Guidelines in relation to cybersecurity management, incident reporting and awareness training received minimal feedback from respondents and have therefore been included in the Guidelines.
5. IMPLEMENTATION OF THE GUIDELINES
The SFC initially proposed a six-month implementation deadline for the proposed Guidelines. Respondents to the consultation indicated that this may be insufficient for some internet brokers to implement all of the required controls. Therefore the Guidelines and the amendments to the Code of Conduct will become effective on 27 July 2018, nine months after publication of the Guidelines, with the exception of the 2FA requirement which will become effective on 27 April 2018, six months after publication of the Guidelines.
6. GOOD INDUSTRY PRACTICES AND HKMA’S CIRCULAR
As additional guidance, the SFC has published the Good Industry Practices which internet brokers may wish to consider incorporating into their cybersecurity risk management frameworks. The list is by no means exhaustive and internet brokers should always take into account their own circumstances as well as current and emerging cybersecurity threats when adopting these practices.
The Hong Kong Monetary Authority has also published a circular(attaching the Guidelines) reiterating the significance of implementing the requirements according to the stipulated timeline and highlighting that the requirements will be incorporated in the Supervisory Policy Manual module TM-E-1 on “Risk Management of E-banking”.
7. CONCLUSIONS AND NEXT STEPS
As commented by Mr Ashley Alder, the SFC’s Chief Executive Officer, “hacking of internet trading accounts is the most serious cybersecurity risk faced by internet brokers in Hong Kong”. The publication of the Guidelines therefore illustrates the SFC’s continued commitment to ensuring that cybersecurity management remains a top priority. Impacted firms should promptly review their existing cybersecurity systems and policies and make appropriate amendments to ensure timely compliance with the requirements.
Given that the Guidelines only set out the minimum standards required and are by no means exhaustive, senior management should also ensure that all systems and controls are commensurate with the firm’s business needs and operations and that additional cybersecurity controls are implemented where necessary.