The Securities and Futures Commission (SFC) recently issued two circulars in relation to internet security. The Circular on Internet Trading – Information Security Management and System Adequacy was issued on 26 November 2014, followed by the Circular on Mitigating Cybersecurity Risks on 27 November 2014.
Both circulars remind licensed corporations that it is senior management’s responsibility to supervise their firm’s operations under General Principle 9 of the Code of Conduct for Persons Licensed by or Registered with the SFC (Code of Conduct) and such supervision should extend to establishing and providing secure internet trading services and ensuring data and system integrity. Senior management should also take into account the electronic trading requirements, under paragraph 18 and Schedule 7 of the Code of Conduct which came into force on 1 January 2014, and regularly review and enhance their internet trading systems, network infrastructure, related policies, procedures and practices accordingly.
The circular on internet trading follows on from an SFC circular on internet trading issued in January 2014 and outlines important design and control deficiencies which might expose licensed corporations to security and integrity risks. The appendix to the circular details controls and procedures for maintaining internet trading security systems.
The circular on cybersecurity reminds licensed corporations that cybersecurity threats may potentially impact upon any business, irrespective of size and mode of operation. Part IV of the Management, Supervision and Internal Control Guidelines for Persons Licensed by or Registered with the SFC requires firms to establish policies and procedures to ensure the integrity, security, availability, reliability and thoroughness of all information, including documentation and electronically stored data, relevant to the firm’s business operation.
Licensed corporations should conduct a self-assessment on their ability to prevent, detect, mitigate and manage (by way of damage control) the risk of potential loss of the firm’s and investors’ information or assets due to cybersecurity attacks and should implement commensurate controls.