Hong Kong’s SFC hints at inspections to evaluate compliance with cybersecurity requirements
The Hong Kong regulator says it will conduct surveys and inspections of licensed entities to assess their compliance with the requirements soon.
More than a year has passed since the Hong Kong Securities and Futures Commission (SFC) posted its Guidelines for Reducing and Mitigating Hacking Risks Associated with Internet Trading. The rules require all licensed or registered entities engaged in online trading to implement 20 baseline requirements to enhance their cybersecurity and to minimize hacking risks.
Today, as the Hong Kong regulator published the latest “SFC Compliance Bulletin: Intermediaries“, it indicated it would check how companies comply with the new requirements.
To mitigate hacking risks, the SFC mandated two-factor authentication (2FA) along with 19 other baseline requirements for all Internet brokers, including companies that offer leveraged foreign exchange trading. Since April 27, 2018, logging into online trading systems requires authentication utilising two of the following factors: what you know (such as your login password), what you have (such as an SMS one-time password received via your mobile) and who you are (such as your fingerprint). Other baseline requirements came into effect in July 2018, including prompt notification to clients upon system login and timely patch management.
“To assess compliance, we will conduct surveys and inspections of LCs on a sample basis soon”, the SFC said.
The regulator did not specify how it would choose the companies to be subject to inspections.
Let’s recall that the rules concern data encryption of sensitive information such as client login credentials (ie, user ID and password) and trade data during transmission between internal networks and client devices.
Also, a licensed or registered person has to establish and implement effective policies and procedures to ensure that a client login password is generated and delivered to a client in a secure manner during the account activation and password reset processes. The entities must have in place stringent password policies and session timeout controls and should deploy a secure network infrastructure.
The rules also require from online trading companies to outline contingency plans for cyber incidents. The companies must make all reasonable efforts to cover possible cyber-attack scenarios such as DDoS attacks and total loss of business records and client data resulting from cyber-attacks (eg, ransomware) in the contingency plan and crisis management procedures.
