SFC Issues Guidelines On Combating Cyber-Crime

Robbie Lawther

1 November 2017

The Securities and Futures Commission (SFC) has issued a set of guidelines for reducing and mitigating hacking risks associated with internet trading. Alongside this, the Hong Kong Monetary Authority (HKMA) has also issued a circular to registered institutions to enhance security in regard to the SFC’s requirements.

The 20 baseline requirements, which will be implemented, are aimed at licensed or registered persons who, through internet-based trading facilities, are engaged in dealing in securities or futures contracts, in leveraged foreign exchange trading or in distributing funds under management, the SFC said in a statement.

Over the past few years, the SFC and the HKMA have provided a range of guidance on cyber-security to the institutions they regulate.

The guidelines are split into three categories: protection of clients’ internet trading accounts, infrastructure security management and cyber-security management and supervision.

Within the guidelines, there are themes such as a two-factor authentication system for clients, surveillance and monitoring carried out by a registered person, data encryption, strict password policies, deployment of a secure network infrastructure, system backups, unauthorised installation of hardware/software, cyber-security management, training and contingency planning.

One key control, the implementation of two-factor authentication for clients to log in to their internet trading accounts, will take effect on 27 April 2018, while all other requirements will take effect on 27 July 2018.

"Robust preventive and detective controls are essential to reduce and mitigate cybersecurity risks," said Ms Julia Leung, SFC executive director. "Given that passwords have not proven effective to prevent hacking, two-factor authentication is an important part of effective cybersecurity risk management."

Cyber-security has become a real menace and a big issue for financial institutions globally. However, some firms’ systems and defence preparation are not good enough to stop a massive cyber-attack.

In September, this publication reported on a global study by MyPrivateBanking, which found almost a third of firms lag in providing top-notch security features.