2022-03-31

SFC issues circular on managing risks of business email compromise

The SFC has issued a circular to licensed corporations (LCs) regarding business email compromise, a type of cyber fraud in which fraudsters posing as known business contacts dupe unwary staff into making payments or providing sensitive information. The SFC has recently received reports of such incidents from LCs, which resulted in leakage of client information and significant financial losses to the LCs.

In the circular, the SFC sets out examples of the typical actions taken by fraudsters, such as forging an email address that appears to be that of a genuine client or business contact in order to communicate with the target LC. The SFC notes that, in most cases where fraudsters succeeded, the LCs had not verified or properly checked the identities of the email senders, despite the existence of red flags. LCs should note the examples of business email compromise provided in the annex to the circular.

The SFC reminds LCs of their obligations regarding internal control procedures and financial and operational capabilities under paragraph 4.3 of the SFC's main code of conduct, especially at times when remote working arrangements are common (see our previous update). They should strengthen internal controls in areas such as the keeping of client contact information, the amendment of client particulars, and email requests for order placing or fund transfers, and should stay alert to red flags and promptly follow up on irregularities (such as significant payments to overseas bank accounts). The SFC reiterates that it is senior management's responsibility to oversee LCs' implementation of internal control policies and procedures for the effective management of business email compromise risks, and to ensure that adequate resources are allocated to control functions.

LCs should provide regular training to staff to enhance their vigilance and familiarity with internal protocols. LCs are also reminded to refer to the SFC's guidance on control measures and techniques for managing cybersecurity risks and guarding against email scams. [24 Mar 2022]

#CyberFraud