The SFC has always had in place a Code of Practice for Persons licensed or registered with the SFC and all licensed entities are required to follow the guidelines for Intermediaries in order that their fitness and properness to remain licensed or registered will not be prejudiced.
Now, on 27th October 2017 SFC issued a new guideline as indicated above (“the Guidelines”) following a public consultation. This is an official reaction to a rapidly growing environment of internet scams.
At the same time the Hong Kong Monetary Authority (“HKMA”) also issued a circular requiring regulated institutions regulated by HKMA and also registered with or licenced by the SFC to conduct regulated activities in implementation of the Guidelines in order to enhance the security of their internet trading services.
The internet trading services concerned relate to those provided by licensed securities dealers and licensed futures dealers. They extend also to banking institutions registered with the SFC being all together defined as “Intermediaries”.
The issues addressed are complex and the Guidelines are extensively set out and are stated by the SFC to apply to the following persons engaged in internet trading being licensed by, or registered with, the SFC for :-
- Type 1 Regulated Activity (Dealing and Securities);
- Type 2 Regulated Activity (Dealing in Futures Contracts);
- Type 3 Regulated Activity (Leveraged Foreign Exchange Trading);
- Type 9 Regulated Activity (Asset Management) to the extent that an Intermediary distributes funds under its management through its internet base trading facility.
Only those Intermediaries engaged in internet trading are required by the Guidelines to implement 20 base line requirements to enhance cyber security resilience and reduce and mitigate hacking risks.
It is clearly stated in the Guidelines that the controls and measures specified therein are only able to reduce or mitigate hacking risks associated with internet trading but cannot eliminate them. The Guidelines set minimum standards but are not exhaustive and licensed or registered persons are expected to implement adequate and effective measures which are commensurate with their structure, business operations and needs. This accordingly sets a high bar for due and responsible compliance.
The Guidelines while having a substantially wide range and scope do not have the force of law. However, as mentioned above, failure to follow them in spirit is likely adversely to reflect on the fitness and properness of an intermediary to continue as licensee or registered person.
The basic protections under the Guidelines stipulate that licensed or registered persons must meet the following :-
PROTECTION OF CLIENT’S ACCOUNTS
1.1 Two-Factor Authentication
to access and implement a two-factor client authentication trading account login solution commensurate with its own business model.
Any two of the following can be taken :-
- what the client knows;
- what the client has in account; and
- identifying the client.
1.2 Implementation of Monitoring and Surveillance Mechanism
implement an effective monitoring and surveillance mechanism to detect unauthorised access to an internet trading account.
1.3 Prompt Notification to Client
notify clients (email or SMS will suffice) promptly after certain client activities have taken place on their internet trading accounts. These activities should at least include :-
- system log in;
- password reset;
- trade execution;
- fund transfer to third party accounts (which have not already been registered with the licensed or registered person for fund transfer purposes prior to a transfer in question); and
- changes to client and account related information
The channel of notification to clients should be different from the one used for system login.
1.4 Data Encryption
use of a strong encryption algorithm to encrypt sensitive information and to protect client user ID and login passwords in the internet trading system of the licensed or registered person.
1.5 a secure login password should be randomly generated by the system and sent to a client through a channel of communication free from human intervention and staff tampering.
2. INFRASTRUCTURE SECURITY MANAGEMENT
2.1 Secure Network Infrastructure
Deployment of a secure network infrastructure through proper network segmentation with multi-tiered firewalls.
2.2 Need to have User Access
Should have in place policies and procedures to ensure system access or that use of the systems are granted to users on a need-to-have basis for review on a not less than yearly basis for access updating and restriction.
2.3 Security Controls and Remote Connection
Should grant remote access to its internal network only on a need-to-have basis.
2.4 Patch Management
Monitor and evaluate security patches or hotfixes on a timely basis and subject to individual e-valuation.
2.5 End Point Protection
Implement and update anti-virus and anti-malware solutions.
2.6 Unauthorised Installation of Hardware and Software
Implement security controls to prevent unauthorized installation of hardware and software.
2.7 Physical Security
Establish internal security policies and procedures to protect critical system components in a secure environment.
2.8 System and Data Backup
At least daily backup business records, client and transaction databases, servers and supporting documentation in an off line medium and implement an appropriate recovery system.
2.9 Contingency Planning for Cyber Security Happenings
Make all reasonable efforts to cover possible cyber attack happenings such as distributed denial-of-service attacks.
2.10 Third-Party Service Providers
Ensure execution of a formal service level agreement with a service provider specifying the terms of the service and the responsibilities of the provider.
3. CYBERSECURITY MANAGEMENT AND SUPERVISION
3.1 Ensure defining by responsible officers/executive officers for overall management and supervision to set out key roles and responsibilities including the following eight heads :-
- reviewing and approving cybersecurity risk management policies and procedures.
- reviewing and approving the budget and spending on resources for cybersecurity risk management.
- arranging to conduct a self assessment of the overall cybersecurity risk management framework on a regular basis.
- reviewing significant issues which escalate from cybersecurity incident report.
- review of major findings identified from internal and external audits.
- monitoring and assessing the latest cybersecurity threats and attacks.
- review and approve contingency plan covering cybersecurity scenarios and related contingency strategies developed for the internet trading system.
- where applicable, review and approval of the service level agreement and contract with a third party service provider relating to internet trading.
It is possible for the licensee or registered person to delegate these eight responsibilities to a committee or operational unit but overall accountability stays with the responsible officer or executive officer of the licensee or registered person.
3.2 Reporting of Incidents
Establish written policies and procedures and specify the method of escalation of a cybersecurity incident for internal report and external communication to clients, the SFC, HKMA and other enforcement body.
3.3 Awareness Training on Internal System Use
Provide at least yearly an adequate cybersecurity awareness training to all internal system users.
3.4 Client Reminder Risk Warnings
Take all reasonable steps to remind clients about and alert them to cybersecurity risks and recommended preventive and protection measures such as that login credentials should be properly safeguarded and cannot be shared.
Implementation of the requirement of the two-factor authentication will take effect on 27th April 2016. All other requirements will become effective on 27th July 2018.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.