A two-month consultation on proposed measures to reduce and mitigate cyber security risks associated with internet trading of securities in Hong Kong (the Consultation) was launched on 8 May 2017 by the Securities and Futures Commission (the SFC).
The Consultation follows a recent review by the SFC of resilience of brokers in Hong Kong to cyber-attacks (such as the hacking of trading accounts, installation of ransomware and denial of service attaches) and is set against a backdrop of the increasing number of cyber security incidents to the financial services sector. According to the SFC, in the 18 months prior to 31 March 2017, 27 cyber security incidents were reported by 12 licensed corporations which led to losses by investors of more than HK$110 million.
The proposals include new guidelines for brokers who offer the internet trading of securities, futures contracts or leveraged foreign exchange contracts to reduce and mitigate cyber security risks. The guidelines include 20 baseline cyber security requirements which would represent the minimum cyber security standards expected by the SFC. These requirements are grouped under the following three categories: (i) the protection of clients’ internet trading accounts; (ii) infrastructure security management; and (iii) cyber security management and supervision.
The guidelines include the introduction of a requirement for a two-factor authentication of a client’s identity in order to access a broker’s internet trading system. It is proposed that brokers would be able to choose any two factors they deem appropriate to authenticate the identity of their client. Such factors include: (i) information that only the client knows (such as a password); (ii) something that only the client has (such as a hardware token, a software token, a digital certificate or a one-time password); and (iii) something personal to the client (such as a fingerprint or other piece of biometric data). The guidelines also introduce a requirement to notify clients promptly (by email or SMS) of certain activities relating to their internet trading accounts.
Currently, the scope of the SFC’s cyber security-related regulations applies to the electronic trading of securities and futures contracts that are listed or trading on an exchange. However, the SFC proposes to expand the scope of the cyber security-related regulations to include any “internet trading” of securities which are not listed or traded on an exchange, since such trading would also be susceptible to the same cyber security risks. This broadened scope would therefore also include authorised unit trusts and mutual funds which are not listed or traded on an exchange. The definition of “internet trading” would also be clarified to include any internet-based trading facility that can be accessed through a computer, mobile phone or other electronic device.
Although measures to reduce and mitigate cyber security risks are to be welcomed, there may be concern that the proposals are too onerous. However, the requirements represent the minimum cyber security standards expected by the SFC and, in the case of the two-factor authentication of a client’s identity, allow some flexibility in implementation. The majority of these requirements are also already featured in the Code of Conduct for Persons Licensed by or Registered with the SFC (the Code of Conduct) and in SFC circulars; however, the proposed guidelines do consolidate and elaborate on the existing requirements.
The Consultation period ends on 7 July 2017 and comments may be submitted to the SFC up until that date. Following the end of the Consultation, the SFC aims to finalise the revised Code of Conduct and the new guidelines by September/October 2017, with the new guidelines only becoming effective six month following publication of the Consultation conclusions.
Our take: The proposals in the proposed guidance represent good practice and should be carefully considered by any party providing facilities for internet trading of securities. Anyone subject to the current requirements should check that their cyber security systems and processes are compliant. In advance of the publication of the revised Code of Conduct and the new guidelines, affected parties should consider whether or not the six month period leaves enough time to implement any new changes and, if not, to plan accordingly.
A copy of Consultation paper is available at the SFC website.