Hong Kong’s SFC hints at inspections to evaluate compliance with cybersecurity requirements

Maria Nikolova

The Hong Kong regulator says it will conduct surveys and inspections of licensed entities to assess their compliance with the requirements soon.

How secure is your brokerage against cyber attacks?

More than a year has passed since the Hong Kong Securities and Futures Commission (SFC) posted its Guidelines for Reducing and Mitigating Hacking Risks Associated with Internet Trading. The rules require all licensed or registered entities engaged in online trading to implement 20 baseline requirements to enhance their cybersecurity and to minimize hacking risks.

Today, as the Hong Kong regulator published the latest “SFC Compliance Bulletin: Intermediaries”, it indicated it would check how companies comply with the new requirements.

To mitigate hacking risks, the SFC mandated two-factor authentication (2FA) along with 19 other baseline requirements for all Internet brokers, including companies that offer leveraged foreign exchange trading. Since April 27, 2018, logging into online trading systems requires authentication utilising two of the following factors: what you know (such as your login password), what you have (such as an SMS one-time password received via your mobile) and who you are (such as your fingerprint). Other baseline requirements came into effect in July 2018, including prompt notification to clients upon system login and timely patch management.

“To assess compliance, we will conduct surveys and inspections of LCs on a sample basis soon”, the SFC said.

The regulator did not specify how it would choose the companies to be subject to inspections.

Let’s recall that the rules concern data encryption of sensitive information such as client login credentials (ie, user ID and password) and trade data during transmission between internal networks and client devices.

Also, a licensed or registered person has to establish and implement effective policies and procedures to ensure that a client login password is generated and delivered to a client in a secure manner during the account activation and password reset processes. The entities must have in place stringent password policies and session timeout controls and should deploy a secure network infrastructure.

The rules also require online trading companies to outline contingency plans for cyber incidents. In the contingency plan and crisis management procedures, the companies must make all reasonable efforts to cover possible cyber-attack scenarios such as DDoS attacks and total loss of business records and client data resulting from cyber-attacks (eg, ransomware).
