Hong Kong regulator outlines new cyber security requirements for online trading firms
The measures proposed include two-factor authentication for clients, as well as stringent password policies, after study shows a steep rise in cyber security incidents.
Cyber security is one of the issues on the agenda of financial market regulators, with the latest example provided by the Hong Kong Securities and Futures Commission (SFC), which has earlier today published a Consultation Paper on enhanced cyber security requirements for Internet trading brokers. The proposed requirements concern securities dealers, futures dealers and/or leveraged foreign exchange traders, and seek to reduce hacking risks associated with Internet trading.
The baseline requirements, which include 20 cyber security control practices, concern three main areas:
- Protection of clients’ Internet trading accounts;
- Infrastructure security management;
- Cyber security management and supervision.
For instance, brokers have to implement stringent password policies and session timeout controls in their internet trading systems. Also, they will have to introduce two-factor authentication for their clients, as well as rigid surveillance mechanisms to prevent unauthorized access to accounts.
Since hacking of Internet trading accounts, corporate websites and trading systems is the most serious cyber security risk faced by licensed corporations in Hong Kong, the SFC conducted a thematic review of the resilience to hacking risks of brokers engaged in Internet trading with the assistance of an external cyber security expert in late 2016. The review helped the regulator identify basic cyber security controls.
The consultation paper proposes to include these controls into guidelines to be issued under the Securities and Futures Ordinance (SFO).
Comments on the proposals are expected no later than July 7, 2017.
The proposals are released as data shows that the number of cyber security incidents handled by the Hong Kong Computer Emergency Response Team Coordination Centre of the Hong Kong Productivity Council reached 6,058 in 2016, up 23% from 2015. For the 18 months ended March 31, 2017, 12 licensed corporations (LCs) reported 27 cyber security incidents, with the bulk of them involving hackers getting access to customers’ Internet-based trading accounts with securities brokers. This unauthorized access has resulted in unauthorised trades totalling more than $110 million.