In last November's newsletter, we discussed the need for an SFC licence where a regulated activity is carried on online. The SFC expects licensed companies to protect the company's and its clients' assets and to prevent unauthorised access to records or data, whether business is conducted in the real world or online. In January 2014, the SFC issued a circular to urge licensed companies to review and enhance their IT security controls and gave some specific recommendations. Licensees are asked as a matter of priority to review their existing internet trading systems and related policies, procedures and practices. They should make enhancements where needed, so as to establish and maintain a proper IT security management framework. Licensed companies that do not offer internet trading should still pay attention to this circular. Their websites should contain accurate and up-to-date information in addition to having preventative measures in place to reduce internet hacking risk. It is likely that the SFC will focus on this in future inspections. Licence holders are advised to conduct appropriate reviews from time to time.