Hong Kong’s SFC hints at inspections to evaluate compliance with cybersecurity requirements

Maria Nikolova

The Hong Kong regulator says it will conduct surveys and inspections of licensed entities to assess their compliance with the requirements soon.

How secure is your brokerage against cyber attacks?

More than a year has passed since the Hong Kong Securities and Futures Commission (SFC) posted its Guidelines for Reducing and Mitigating Hacking Risks Associated with Internet Trading. The rules require all licensed or registered entities engaged in online trading to implement 20 baseline requirements to enhance their cybersecurity and to minimize hacking risks.

Today, as the Hong Kong regulator published the latest “SFC Compliance Bulletin: Intermediaries”, it indicated it would check how companies comply with the new requirements.

To mitigate hacking risks, the SFC mandated two-factor authentication (2FA) along with 19 other baseline requirements for all Internet brokers, including companies that offer leveraged foreign exchange trading. Since April 27, 2018, logging into online trading systems has required authentication using two of the following factors: what you know (such as your login password), what you have (such as an SMS one-time password received on your mobile) and who you are (such as your fingerprint). Other baseline requirements came into effect in July 2018, including prompt notification to clients upon system login and timely patch management.

“To assess compliance, we will conduct surveys and inspections of LCs on a sample basis soon”, the SFC said.

The regulator did not specify how it would choose the companies to be subject to inspections.

Let’s recall that the rules also cover encryption of sensitive information, such as client login credentials (i.e., user ID and password) and trade data, during transmission between internal networks and client devices.

Also, a licensed or registered person has to establish and implement effective policies and procedures to ensure that a client login password is generated and delivered to a client in a secure manner during the account activation and password reset processes. The entities must have in place stringent password policies and session timeout controls and should deploy a secure network infrastructure.

The rules also require online trading companies to draw up contingency plans for cyber incidents. The companies must make all reasonable efforts to cover possible cyber-attack scenarios, such as DDoS attacks and total loss of business records and client data resulting from cyber-attacks (e.g., ransomware), in their contingency plans and crisis management procedures.
