Hong Kong regulator tells online trading firms to implement two-factor authentication by April 2018

Maria Nikolova

New guidelines require all licensed or registered entities engaged in online trading to implement 20 baseline requirements to boost their cybersecurity.

Hong Kong’s Securities and Futures Commission (SFC) is apparently taking cybersecurity seriously. Today, the regulator posted its Guidelines for Reducing and Mitigating Hacking Risks Associated with Internet Trading. The new rules require all licensed or registered entities engaged in online trading to implement 20 baseline requirements to enhance their cybersecurity and to minimize hacking risks.

These Guidelines apply to entities that are engaged in online trading and are licensed by, or registered with, the SFC for:

  • Type 1 regulated activity (dealing in securities);
  • Type 2 regulated activity (dealing in futures contracts);
  • Type 3 regulated activity (leveraged foreign exchange trading);
  • Type 9 regulated activity (asset management).

A key requirement is to implement two-factor authentication for login to clients’ online trading accounts. In addition, the entity should implement monitoring and surveillance mechanisms to detect unauthorised access to clients’ Internet trading accounts. Other requirements concern data encryption of sensitive information such as client login credentials (ie, user ID and password) and trade data during transmission between internal networks and client devices.

A licensed or registered person should also establish and implement effective policies and procedures to ensure that a client login password is generated and delivered to a client in a secure manner during the account activation and password reset processes. The entities should have in place stringent password policies and session timeout controls and should deploy a secure network infrastructure.

The rules also require online trading companies to outline contingency plans for cyber incidents. The companies should make all reasonable efforts to cover possible cyber-attack scenarios such as DDoS attacks and total loss of business records and client data resulting from cyber-attacks (eg, ransomware) in the contingency plan and crisis management procedures.

Also, the licensed entity should make sure that the officer(s) or executive officer(s) responsible for the overall management and supervision of the online trading system define a cybersecurity risk management framework, and set out key roles and responsibilities. Examples of such responsibilities include reviewing and approving cybersecurity risk management policies and procedures, as well as reviewing and approving the budget and spending on resources for cybersecurity risk management.

The guidelines also stipulate that licensed and/or registered entities should take all reasonable steps to remind clients about and alert them to cybersecurity risks and recommended preventive and protection measures when using the trading system.

The deadline for the implementation of two-factor authentication is April 27, 2018, while all other requirements will take effect on July 27, 2018.

Although the Guidelines do not have the force of law, a failure to follow their spirit may reflect adversely on the person’s fitness and properness.
