The Securities and Futures Commission (the SFC) has issued a circular to provide guidance to licensed corporations (LCs) on managing cybersecurity risks associated with remote working arrangements. The circular sets out examples of controls and procedures that LCs can implement to protect their internal networks and data under remote working arrangements. The SFC expects any measures implemented to be commensurate with the size and complexity of an LC’s operations.

Remote access to internal network and systems

The SFC has referred to a recent cybersecurity incident reported by an LC to emphasise that known vulnerabilities of Virtual Private Network (VPN) software in the market could be exploited by cyber-criminals to infiltrate an LC’s network (e.g. to access client data and execute unauthorised fund transfers).

To mitigate such risks, appropriate controls and procedures may include:

  • implementing robust VPN solutions that provide strong encryption and two or more layers of protection, to protect the integrity of data transmitted between remote users’ devices and internal systems;
  • implementing multiple VPN servers for additional protection;
  • promptly implementing security patches or hotfixes released by VPN software providers;
  • requiring the use of strong passwords and two-factor authentication for remote access logins, particularly when privileged accounts and sensitive data repositories are being accessed;
  • not granting external parties standing or permanent access to internal networks and systems, and allowing vendors to access specific systems only during pre-determined timeframes;
  • implementing different levels of remote access (e.g. according to a user’s role and the sensitivity of the systems being accessed);
  • implementing security controls to prevent any unauthorised installation of hardware and software on computers and devices provided to staff by LCs; and
  • implementing robust network segmentation to segregate system servers and databases depending on their importance to better protect more critical and sensitive data, e.g. clients’ personal data.

Use of video conferencing platforms

The following controls and procedures may be adopted to mitigate the risk of security issues (e.g. leakage of sensitive data) arising when video conferencing platforms are used:

  • assessing the security features of video conferencing platforms before use;
  • requiring participants to register before attending video conferences;
  • only permitting authenticated and authorised users to join video conferences e.g. using “waiting room” features;
  • using a meeting ID chosen at random, rather than a personal meeting ID;
  • using legitimate channels only to invite participants to video conferences;
  • enabling password protection features on video conferencing platforms;
  • locking the video conference meeting once all participants have joined; and
  • using the latest version of the relevant video conferencing software, with the most up-to-date security patches installed.

Additional measures to support remote working arrangements

The SFC has also indicated that LCs should put in place, as appropriate, the following measures to enhance operational capabilities and the monitoring of remote working arrangements:

  • System capabilities: LCs should assess whether their existing information technology infrastructure (e.g. network bandwidth), software and hardware are adequate to support remote office arrangements and enhance these if necessary;
  • Surveillance and incident handling: LCs should implement appropriate mechanisms for monitoring and surveillance, e.g. reviewing lists of unauthorised access attempts and detecting the use of unapproved applications. This should be supported by the development and maintenance of an effective incident management and reporting system; and
  • Cybersecurity training and alerts: Internal system users should be provided with adequate cybersecurity training. In addition, appropriate reminders and alerts should be issued to clients regularly, e.g. advice on precautionary security measures and on emerging cybersecurity threats and trends (including phishing and ransomware).
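As an added illustration (not part of the SFC circular or of this summary), the script below shows what two of the controls above can look like in practice: reviewing VPN authentication logs for unauthorised access attempts, and checking that vendor accounts only log in during their pre-determined timeframes. The log line format, the account names, the IP addresses and the vendor maintenance window are all constructed for this example; a real gateway’s log format and approved windows would be substituted.

```python
"""Review constructed VPN gateway logs for unauthorised access attempts.

Two checks are implemented:
  1. sources that generated many failed logins (brute force / password spraying);
  2. successful logins by vendor accounts outside their approved time window.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, time

# Constructed sample log lines (not from any real system). Assumed format:
#   "<ISO timestamp> vpn-gw user=<account> src=<ip> result=<SUCCESS|FAIL>"
SAMPLE_LOG = """\
2024-03-04T08:54:50 vpn-gw user=alice src=203.0.113.10 result=FAIL
2024-03-04T08:55:12 vpn-gw user=alice src=203.0.113.10 result=SUCCESS
2024-03-04T09:01:03 vpn-gw user=vendor-acme src=198.51.100.7 result=SUCCESS
2024-03-04T22:14:41 vpn-gw user=vendor-acme src=198.51.100.7 result=SUCCESS
2024-03-04T23:02:11 vpn-gw user=bob src=192.0.2.55 result=FAIL
2024-03-04T23:02:19 vpn-gw user=carol src=192.0.2.55 result=FAIL
2024-03-04T23:02:33 vpn-gw user=dave src=192.0.2.55 result=FAIL
2024-03-04T23:02:50 vpn-gw user=erin src=192.0.2.55 result=FAIL
2024-03-04T23:03:07 vpn-gw user=admin src=192.0.2.55 result=FAIL
"""

# Hypothetical approved maintenance window per vendor account (local time).
VENDOR_WINDOWS = {"vendor-acme": (time(9, 0), time(18, 0))}

# Failures from one source at or above this count are reported.
FAIL_THRESHOLD = 5


@dataclass
class Event:
    ts: datetime
    user: str
    src: str
    success: bool


def parse_log(text: str) -> list[Event]:
    """Parse the assumed key=value log format into Event records."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts_str, _gateway, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append(Event(datetime.fromisoformat(ts_str), kv["user"],
                            kv["src"], kv["result"] == "SUCCESS"))
    return events


def brute_force_sources(events: list[Event], threshold: int = FAIL_THRESHOLD) -> dict:
    """Map each source IP with >= threshold failures to its failure count and
    the distinct accounts it tried (many accounts from one IP = spraying)."""
    fails: dict[str, list[str]] = defaultdict(list)
    for e in events:
        if not e.success:
            fails[e.src].append(e.user)
    return {src: {"failures": len(users), "users": sorted(set(users))}
            for src, users in fails.items() if len(users) >= threshold}


def vendor_logins_outside_window(events: list[Event], windows=VENDOR_WINDOWS) -> list[Event]:
    """Successful logins by vendor accounts outside their approved window."""
    flagged = []
    for e in events:
        if e.success and e.user in windows:
            start, end = windows[e.user]
            if not (start <= e.ts.time() <= end):
                flagged.append(e)
    return flagged


def review(text: str) -> dict:
    """Run both checks over raw log text and return the findings."""
    events = parse_log(text)
    return {
        "brute_force": brute_force_sources(events),
        "vendor_out_of_window": [(e.user, e.ts.isoformat(), e.src)
                                 for e in vendor_logins_outside_window(events)],
    }


if __name__ == "__main__":
    for category, findings in review(SAMPLE_LOG).items():
        print(category, findings)
```

In the constructed sample, the single typo-then-success from alice stays below the threshold, the five failures from one source against five different accounts are reported, and the vendor login at 22:14 is flagged because it falls outside the 09:00–18:00 window while the 09:01 login is not. Findings like these would feed the incident management and reporting process the circular asks LCs to maintain.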