The Securities and Futures Commission (SFC) launched a two-month consultation on proposals to reduce and mitigate hacking risks associated with internet trading.
The proposals incorporate new guidelines which set out baseline cybersecurity requirements for internet brokers to address hacking risks and vulnerabilities and to clarify expected standards of cybersecurity controls. Some of these requirements already feature in the Code of Conduct or SFC circulars and are being elaborated and consolidated into the proposed guidelines.
Key proposed requirements include two-factor authentication for clients’ system login and prompt notification to clients of certain activities in their internet trading accounts.
In addition, the SFC proposes to expand the scope of cybersecurity-related regulatory principles and requirements which now apply to electronic trading of securities and futures on exchanges to cover the internet trading of securities which are not listed or traded on an exchange. This includes authorised unit trusts and mutual funds because they are subject to the same hacking risks. The SFC also proposes to update the definition of “internet trading” to clarify that an internet-based trading facility may be accessed through a computer, mobile phone or other electronic device.
“Hacking of internet trading accounts is the most serious cybersecurity risk faced by internet brokers in Hong Kong,” said Mr Ashley Alder, the SFC’s Chief Executive Officer. “Brokers must strengthen their resilience to hacking and other cybersecurity risks by adopting robust preventive and detective controls.”
The consultation follows the SFC’s recent thematic review of Hong Kong brokers’ resilience to hacking risks. In formulating its proposals, the SFC considered local and overseas market practices and regulatory requirements, the effectiveness and relevance of a variety of controls, implementation costs and the potential implications for the user experience.