On 27 October 2017, Hong Kong’s Securities and Futures Commission (SFC) issued its Consultation Conclusions on Proposals to Reduce and Mitigate Hacking Risks Associated with Internet Trading.
This has resulted in:
In response to concerns raised during the consultation about the proposed six-month implementation period for the Guidelines and the amendments to the Code of Conduct, the SFC has extended the period for complying with both to nine months (i.e. effective from 27 July 2018). The one exception is the requirement in the Guidelines to implement a two-factor authentication (2FA) client account login process, which takes effect after six months (i.e. with effect from 27 April 2018).
Summary of the Guidelines
The Guidelines supplement the existing provisions of the Code of Conduct and introduce minimum standards around the following three areas:
Protection of clients’ internet trading accounts
The Guidelines require the implementation of 2FA process for clients to login to their internet trading accounts.
In its FAQs, the SFC clarifies that internet brokers are free to select 2FA solutions (including in-house developed ones) commensurate with their business model. The SFC has also clarified that the 2FA solution must comprise an authentication mechanism which uses any two of the following factors: what the client knows, what the client has and who the client is. A dual-password model does not meet this requirement, since both passwords are things the client knows; a password combined with a hardware token, or with a one-time password that expires within a short period, does. Licensed entities are also required to implement appropriate measures to detect unauthorised access to client accounts and to notify clients (via an appropriate medium such as email or SMS message) after certain prescribed activities have occurred on the client account, including system login and trade execution. Appropriate measures must also be taken to encrypt sensitive data (such as user IDs, passwords and trade data communications).
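To make the "password plus a short-lived one-time password" distinction concrete, the following is an added example (not code from the SFC, its FAQs or this article) of a server-side login check that combines something the client knows (a salted, stretched password) with something the client has (an RFC 6238 TOTP generator). The secret, account record and timestamps are constructed for illustration; a real deployment would keep the TOTP secret and last-used step in a database rather than in memory. The verifier tolerates one 30-second step of clock skew either side, refuses any step at or before the last one it has consumed (so a code captured in transit cannot be replayed), and only consumes a code once both factors pass, so a mistyped password does not burn the client's current code.

```python
"""Two-factor login check: password (knows) + RFC 6238 TOTP (has).
Added example; not the SFC's or the article's code. All data below is constructed."""
import hashlib
import hmac
import os
import struct
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the number of `step`-second periods since the epoch."""
    return hotp(secret, at_time // step, digits)


class TotpVerifier:
    """Server-side TOTP check with bounded clock skew and replay protection."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, skew: int = 1):
        self.secret, self.step, self.digits, self.skew = secret, step, digits, skew
        self.last_step = -1  # highest counter step already accepted for this client

    def match(self, code: str, now: int) -> Optional[int]:
        """Return the counter step the code is valid for, or None. Does not consume it."""
        current = now // self.step
        for delta in range(-self.skew, self.skew + 1):
            candidate = current + delta
            if candidate <= self.last_step:  # already used, or older than a used one
                continue
            if hmac.compare_digest(hotp(self.secret, candidate, self.digits), code):
                return candidate
        return None

    def consume(self, step: int) -> None:
        """Mark a step as used so the same code is never accepted again."""
        self.last_step = max(self.last_step, step)

    def verify(self, code: str, now: int) -> bool:
        step = self.match(code, now)
        if step is None:
            return False
        self.consume(step)
        return True


def hash_password(password: str, salt: bytes) -> bytes:
    """Stretched password hash (PBKDF2-HMAC-SHA256); store only salt + hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class Account:
    """Constructed client record: salted password hash plus enrolled TOTP secret."""

    def __init__(self, password: str, totp_secret: bytes):
        self.salt = os.urandom(16)
        self.pw_hash = hash_password(password, self.salt)
        self.otp = TotpVerifier(totp_secret)
        self.events = []  # (event, timestamp); a notification step would read these


def login(acct: Account, password: str, otp_code: str, now: int) -> bool:
    """Evaluate both factors before deciding; consume the OTP only on full success."""
    pw_ok = hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash)
    step = acct.otp.match(otp_code, now)
    ok = pw_ok and step is not None
    if ok:
        acct.otp.consume(step)
    acct.events.append(("login_ok" if ok else "login_failed", now))
    return ok
```

The `events` list stands in for the notification hook the Guidelines call for: each successful or failed login is recorded with its timestamp so a separate process can alert the client by email or SMS. Note that a second static password would add nothing to `login`: it is still only something the client knows, which is exactly why the SFC does not accept a dual-password model on its own.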
Infrastructure security management
In ensuring appropriate security of the operational infrastructure, licensed entities must implement the following baseline requirements:
The Guidelines permit licensed entities to outsource activities to third party service providers subject to execution of formal service-level agreements clearly identifying the terms of service responsibilities. Responsibility for complying with the relevant provisions of the Code of Conduct and the Guidelines will however remain with the licensed entity.
Cybersecurity management and supervision
The responsible officer or executive officers responsible for the overall management and supervision of the licensed entity's internet trading must implement an appropriate cybersecurity risk management framework covering the responsibilities set out in the Guidelines. These responsibilities include: review and approval of policies and procedures; monitoring and assessment of cybersecurity incidents; business continuity planning; and review and approval of any outsourcing arrangements with third party internet trading providers. The Guidelines also require policies and procedures to be implemented for reporting cybersecurity incidents both internally and externally.
Annual internal cybersecurity awareness training must be provided to all employees who have access to the internal network and systems. In addition, the Guidelines require a licensed entity to take all reasonable steps to remind clients about and alert them to cybersecurity risks and recommended preventative measures when utilising the internet trading system.
The SFC Consultation Conclusions together with the Guidelines, FAQs and Circular concerning good industry practices can be accessed from the following links: