The Securities and Futures Commission (SFC) and the Hong Kong Monetary Authority (HKMA) are increasingly focused on cyber security in light of the threat posed to the integrity, efficiency and soundness of financial markets by cyber threats and hacks.
On 27 October 2017, the SFC issued new Guidelines for Reducing and Mitigating Hacking Risks Associated with Internet Trading (Guidelines). The Guidelines set out 20 minimum requirements aimed at enhancing cyber security and reducing the risks posed by hackers. The Guidelines apply to all licensed and registered persons engaged in internet trading who carry on the following regulated activities: type 1 (dealing in securities), type 2 (dealing in futures contracts), type 3 (leveraged foreign exchange trading) or type 9 (asset management) (to the extent asset managers distribute funds they manage through internet trading facilities), and seek to prevent, detect and control the risks posed by hacking.
On the same day, the HKMA issued a circular requiring Hong Kong licensed banks which are registered with the SFC to conduct regulated activities to increase the security of their internet trading services, in line with the Guidelines.
All of the requirements will take effect on 27 July 2018, other than the requirement for two-factor authentication for client logins to trading accounts which will take effect on 27 April 2018. The Deputy Chief Executive of the HKMA, Arthur Yuen, stated that “these enhancements are necessary to protect investors from cyber threats targeted at them”.
The SFC also published Frequently Asked Questions to provide further guidance on the implementation of the Guidelines, a copy of which can be found here.