Cybersecurity remains a key priority for Hong Kong’s SFC as the number of reported cybersecurity incidents worldwide continues to rise. Following a thematic review undertaken by the SFC last year of the resilience of internet brokers to withstand hacking risks, the SFC issued a consultation paper on 8 May 2017.
The consultation proposes Guidelines for Reducing and Mitigating Hacking Risks Associated with Internet trading (Guidelines) with the aim of setting minimum baseline requirements / standards expected by the SFC from licensed entities engaged in internet trading, such as dealing activities undertaken over the internet by securities dealers (which would include asset managers who distribute their funds through an internet trading facility), futures dealers and leveraged foreign exchange traders.
The Code of Conduct for Persons Licensed by or Registered with the SFC (Code of Conduct) sets out general principles governing electronic trading of securities and futures contracts which are listed or traded on an exchange. The Guidelines supplement the existing provisions of the Code of Conduct and introduce minimum standards focused around the following three areas:
Protection of clients’ internet trading accounts
The SFC proposes the implementation of a two-factor authentication (2FA) process for clients to log into their internet trading accounts. The SFC is aware of the need to balance the overall costs of such requirement having regard to the licensed entity’s business model and has not sought to mandate the type of authentication mechanism, which can vary from passwords to a hardware token (commonly adopted for internet banking).
Licensed entities are also required to implement appropriate measures to detect unauthorised access to a client’s account and to notify clients (via an appropriate medium such as email or SMS message) after certain prescribed activities have occurred in respect of a client account including system log-in and trade execution.
Appropriate measures must also be taken to encrypt certain sensitive information (such as user ID and password and trade date communications).
Infrastructure security management
In ensuring appropriate security of the operational infrastructure, licensed entities must implement the following baseline requirements:
Outsourcing of activities connected with internet trading to third party service providers must be appropriately documented in a formal service level agreement. Responsibility for complying with the relevant provisions of the Code of Conduct and the Guidelines will however remain with the licensed entity.
Cybersecurity management and supervision
The responsible officer or executive officer responsible for the overall management and supervision of the licensed entity’s internet trading must implement an appropriate cybersecurity risk management framework covering certain responsibilities set out in the Guidelines. These responsibilities include: the review and approval of policies and procedures; monitoring and assessment of cybersecurity incidents; business continuity planning and reviewing and approving any outsourcing arrangements with third party internet trading providers.
Policies and procedures must also be put in place to deal with the reporting of cybersecurity incidents internally and externally.
Annual internal cybersecurity awareness training must be provided to all employees who have access to the licensed entity’s internal network and systems. In addition, appropriate client alerts and communications should be issued reminding clients of best practice and preventative measures aimed at addressing cybersecurity when using the internet trading system.
Proposed amendments to the Code of Conduct
As mentioned above, the Code of Conduct (Paragraph 18 and Schedule 7) sets out general principles and requirements in relation to electronic trading, which henceforth will be supplemented by the Guidelines.
The existing provisions of the Code of Conduct in respect of electronic trading currently only extend to securities and futures that are listed or traded on an exchange. The SFC proposes to amend such provisions to also include internet trading of securities that are not listed or traded on an exchange. Furthermore, it is proposed to amend the definition of “internet trading” to reflect that such activities may be accessed via the use of computer, mobile phone or other electronic device.
The timetable for submitting comments on the SFC’s proposals will run until 7 July 2017.