SFC to tighten cybersecurity measures for internet trading in HK

The Securities and Futures Commission (SFC) of Hong Kong last week issued a consultation paper that proposes tighter cybersecurity measures to reduce and mitigate the hacking risks associated with internet trading.

The paper contains 20 baseline cybersecurity requirements that the regulator wants to introduce as guidelines under the Securities and Futures Ordinance, which governs the estimated 500 stockbrokers and fund managers in the city.

The SFC is currently running a public consultation to seek input on the proposed cybersecurity measures. Comments are open until July 7, 2017.

Executives at international legal firm Hogan Lovells noted that the proposed new measures are more prescriptive than the SFC’s existing security requirements.

“They will go some way towards bridging the gap between the HKMA’s and SFC’s approach to cybersecurity,” said Mark Parsons and Louise Crawford at Hogan Lovells.

Parsons and Crawford pointed out that in contrast to HKMA, the SFC’s existing cybersecurity controls under its Code of Conduct are stated in general terms that “reflect a principles based, risk-based approach, rather than prescriptive in its requirements on cybersecurity”.

Key baseline cybersecurity requirements

Hogan Lovells cites key highlights among the new cybersecurity measures. Foremost of these is the requirement for two-factor authentication (2FA) for clients’ system login.

2FA requires two different kinds of credential for account access: something the client knows (a password) combined with something the client has (a hardware or virtual token) or something the client is (a fingerprint). Two credentials of the same kind, such as a password plus a second password or PIN, do not count as 2FA, since both can be guessed or stolen in the same way.

“The consultation paper notes that a number of hacking incidents have occurred as a result of brute force attacks using applications that decode single or dual passwords, but there have been no reported hacking incidents in cases where 2FA has been enforced,” Parsons and Crawford said.

Both the Hong Kong Monetary Authority and the Monetary Authority of Singapore have long required 2FA for internet banking systems. The MAS went further last December by extending this requirement to all online trading accounts with the exception of institutional investors.

Other noteworthy baseline requirements proposed by the SFC consultation paper include:

- The requirement to evaluate security patches or hotfixes released by software providers on a timely basis and, subject to that evaluation, to implement them within one month of release

- Encryption of sensitive information, such as client login credentials and trade data, during transmission between internal networks and client devices. The paper stops short of requiring encryption of all data, on the reasoning that this would significantly slow down transmission, which could be contrary to investors’ interests

- The requirement to review user access to systems on at least an annual basis

- The need to notify clients of account activities such as system logins, password resets, trade executions, third-party fund transfers and changes to account information, with clients allowed to opt out of “trade execution” notifications only