SFC notifies the industry of cybersecurity review on internet/mobile trading systems

13 Oct 2016



The Securities and Futures Commission (SFC) announced the commencement of a cybersecurity review in the fourth quarter with a focus on assessing the cybersecurity preparedness, compliance and resilience of brokers’ internet/mobile trading systems. 

The SFC has received an increasing number of reports from securities brokers that the security of some customers’ internet/mobile trading accounts has been compromised and unauthorized securities trading transactions were conducted through these accounts.  For the 12 months ended 30 September 2016, there were 16 reported hacking incidents which involved 7 securities brokers and total unauthorized trades in excess of $100 million.  While these hacking incidents are still under police investigation, there are indications that brokers and their clients may be able to do more to better protect online trading accounts.

Cybersecurity management is a priority for the SFC’s supervision of licensed corporations (“LCs”).  Since 2013, the SFC has conducted a number of internet trading and cybersecurity reviews and issued a number of circulars[1] to draw industry’s attention to common deficiencies and vulnerabilities identified during these reviews[2].  The SFC has also suggested wide ranging control measures, including a self-assessment questionnaire. 

Whilst general awareness of cybersecurity seems to have improved, cyber threats have also evolved in tandem with the rapid development of technology-enabled business.  In light of the latest incidents, LCs should, as a matter of priority, critically review and enhance their controls to combat cyberattacks.  This would involve

  • Strengthening threat intelligence and vulnerability management to pro-actively identify and remediate cybersecurity vulnerabilities;
  • Implementing reliable preventive, detective and monitoring measures to protect sensitive information and trading systems;
  • Being vigilant in monitoring unusual or questionable logins/transactions in client accounts;
  • Implementing effective user authentication and access controls to deter potential hacking attempts; and
  • Establishing an effective contingency plan which covers, among others, possible cyberattack scenarios where trade and position data are impacted.

Examples of good practices observed in the market place include (i) implementing client data encryption; (ii) putting in place controls to detect the internet protocol (IP) ranges used by clients and abnormal buy/sell transactions; (iii) implementing two-factor authentication in conjunction with strong password requirements for clients’ logon; and (iv) sending timely trade confirmations to clients via SMS.  A combination of these measures enables brokers to spot suspicious activities and mitigate hacking risks.  Where the security of accounts is compromised, early detection enables brokers to send alerts to clients to stop further unauthorized trading.
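As an added illustration of the detective controls in item (ii) above (example code, not from the circular or the SFC), the following Python flags logins from IP ranges a client does not normally use and trades far above that client’s own history, so the broker can alert the client promptly.  The client profiles, events, field names and the 5x threshold are all constructed assumptions.

```python
"""Added example, not part of the SFC circular: flag logins from outside a
client's known IP ranges and trades abnormal relative to the client's history.
All client data below is constructed for illustration."""
from ipaddress import ip_address, ip_network
from statistics import median

# Constructed per-client profile: IP ranges the client normally logs in from,
# and historical trade values in HKD (field names are assumptions).
CLIENT_PROFILES = {
    "C001": {"ip_ranges": ["203.0.113.0/24"],
             "trade_history": [20000, 25000, 18000, 30000]},
    "C002": {"ip_ranges": ["198.51.100.0/24", "192.0.2.0/25"],
             "trade_history": [500000, 450000, 600000]},
}

# Constructed event stream: each record is a login and the order placed in
# that session.
EVENTS = [
    {"client": "C001", "ip": "203.0.113.25", "side": "BUY", "value": 22000},
    {"client": "C001", "ip": "192.0.2.200", "side": "SELL", "value": 400000},
    {"client": "C002", "ip": "192.0.2.10", "side": "BUY", "value": 520000},
    {"client": "C002", "ip": "198.51.100.77", "side": "SELL", "value": 3000000},
]

ABNORMAL_MULTIPLE = 5  # assumed threshold: value above 5x the client's median trade


def ip_is_known(ip, ranges):
    """True if the login address falls inside one of the client's usual ranges."""
    addr = ip_address(ip)
    return any(addr in ip_network(r) for r in ranges)


def review_event(event, profiles):
    """Return reason codes for an event; an empty list means nothing suspicious."""
    profile = profiles[event["client"]]
    reasons = []
    if not ip_is_known(event["ip"], profile["ip_ranges"]):
        reasons.append("ip_outside_known_ranges")
    baseline = median(profile["trade_history"])
    if event["value"] > ABNORMAL_MULTIPLE * baseline:
        reasons.append("trade_value_abnormal")
    return reasons


def review_all(events, profiles):
    """Map each event index to its reason codes; flagged events warrant a client alert."""
    return {i: review_event(e, profiles) for i, e in enumerate(events)}
```

Any event whose reason list is non-empty is the trigger for the SMS alert described above, and the reason codes give the compliance team something concrete to record.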

In addition, LCs should take appropriate steps to raise the awareness of their clients about the importance of the security precautions they need to take when conducting online securities trading.  For example, brokers should remind their clients to properly safeguard their passwords, not to use public computers or unknown and unsecured networks to access their online accounts, and to keep a close eye on trade confirmations to monitor their online accounts.  Brokers can refer their clients to the Investor Education Centre’s website (http://www.thechinfamily.hk/web/en/scams/scam-websites.html) to obtain further security tips on trading online. 

To better assess the relevant cybersecurity features of brokers’ internet/mobile trading systems as well as the industry’s preparedness for and resilience to cyber risks, the SFC has commenced a new cybersecurity review.  The review comprises three components:

  • First, issuing a questionnaire to a mix of small- to medium-sized securities and futures brokers as well as leveraged foreign exchange traders.  The primary objective is to assess the cybersecurity aspects of internet/mobile trading systems. 

This questionnaire will cover (i) the governance structure for cybersecurity management, (ii) the network infrastructure to protect the confidentiality, integrity and availability of internet/mobile trading systems and information, (iii) contingency plans, (iv) the cybersecurity related functionalities embedded in the internet/mobile trading systems to protect customer accounts and information, and (v) the management of cybersecurity risks pertaining to outsourcing arrangements.

  • Second, onsite inspections of selected brokers for a deep dive review of their information technology and other related management controls and an assessment of their design and effectiveness in preventing and detecting cyberattacks.

Special focus will be placed on protection of customer online trading accounts covering, inter alia, authentication, password policy and associated controls and training to staff and clients.

  • Third, benchmarking the SFC regulatory requirements and market practices in Hong Kong against requirements of major financial services regulators and other relevant market practices in Hong Kong or elsewhere.

The findings of this review should provide useful input for the SFC to further develop policy to improve overall resilience in the markets.  Industry workshops will also be organized to share a summary of the overall findings.  

Should you have any questions regarding the contents of this circular, please contact Ms Seine Luk at 2231 1696.

Intermediaries Supervision Department
Intermediaries Division
Securities and Futures Commission

End

SFO/IS/032/2016


[1] These circulars are: (i) Cybersecurity, dated 23 March 2016; (ii) Tips on Protection of Online Trading Accounts, dated 29 January 2016; (iii) Internet Trading – Internet Trading Self-Assessment Checklist, dated 11 June 2015; (iv) Mitigating Cybersecurity Risks, dated 27 November 2014; (v) Internet Trading – Information Security Management and System Adequacy, dated 26 November 2014; and (vi) Internet Trading – Reducing Internet Hacking Risks, dated 27 January 2014.
[2] Examples include the lack of system security awareness by the LC and the client, the lack of comprehensive and/or regular cybersecurity / IT risk assessment, and inadequate operation controls, such as user access controls, password controls and system change management.



Page last updated: 13 Oct 2016