SFC to tighten cybersecurity measures for internet trading in HK

• The back-up of business records, client and transaction databases, servers and supporting documentation in an offline medium on at least a daily basis.

• The requirement to enter a formal service level agreement with service providers engaged for internet trading, specifying the terms of service and responsibilities of the provider, and ensuring that the services will enable the licensed or registered person to comply with the Code of Conduct and the baseline requirements.

“These requirements set out in the cybersecurity consultation paper are stated to be baseline requirements, and many internet brokers would afford a degree of flexibility in implementation,” Parsons and Crawford said.

Proposed new measures could face resistance

With the tighter regulatory control that will come with the proposed new cybersecurity measures, Hogan Lovells expects some pushback from the industry.

“There is still the recognition that brokers are driven by the need to remain competitive and any measures that overly compromise performance and speed would clearly be met with resistance, and could be contrary to investors’ interests,” Parsons and Crawford said.

They added: “The encryption of communications between brokers and clients, for example, is a challenging one, as the introduction of encryption controls will inevitably impact the speed of data transmission.

“By proposing to limit encryption, at this stage, to sensitive information passing between brokers and their clients and not, for example, inter-broker communications, the proposals appear to be taking a risk-based approach that addresses the specific problem of the ‘pump-and-dump’ schemes uncovered by the SFC’s research, which involved client-access passwords being compromised.”

In the last 18 months, the SFC received reports of 27 cybersecurity attacks from 12 licensed financial firms. Most of these attacks involved hacking of internet trading accounts to carry out pump-and-dump schemes that resulted in unauthorized trades amounting to HK$110 million. Other incidents were DDoS attacks on licensed companies’ websites, accompanied by threats of extortion.

“Hacking of internet trading accounts is the most serious cybersecurity risk faced by internet brokers in Hong Kong,” said Ashley Alder, SFC CEO, in a media statement last week. “Brokers must strengthen their resilience to hacking and other cybersecurity risks by adopting robust preventive and detective controls.”