Cybersecurity update: SFC to set minimum standards
The Securities and Futures Commission ("SFC") recently announced a Consultation Paper on Proposals to Reduce and Mitigate Hacking Risks Associated with Internet Trading ("Consultation"). Announced on 9 May 2017, the Consultation will run until 7 July 2017. The SFC aims to conclude the Consultation and publish the finalised proposals in September/October 2017. The finalised proposals will become effective 6 months after publication.
Proposed measures in the Consultation
The SFC introduced two main proposals in the Consultation. Firstly, the SFC has proposed to amend the Code of Conduct for Persons Licensed by or Registered with the Securities and Futures Commission ("Code of Conduct"). Secondly, it has proposed to issue a new cybersecurity guideline ("Guideline") under s. 399(1) of the Securities and Futures Ordinance ("SFO").
Changes to the Code of Conduct
Paragraph 18 and Schedule 7 are the main provisions in the Code of Conduct which apply to licensed or registered persons who conduct electronic trading of securities and futures contracts ("Internet Brokers"). Currently, Paragraph 18 and Schedule 7 only apply to securities and futures contracts that are listed or traded on an exchange. The SFC is proposing to widen the definition in Paragraph 18 and Schedule 7 to include securities that are not listed or traded on an exchange. For example, this would include electronically traded authorised unit trusts and mutual funds.
Additionally, the SFC is also proposing to change Paragraph 18.2(f) of the Code of Conduct. Paragraph 18.2(f) currently defines "internet trading" as "an arrangement where order instructions are sent to a licensed or registered person through its internet-based trading facility". The SFC wants to amend this paragraph by adding the line "an internet-based trading facility may be accessed through a computer, mobile device or other electronic device", which will mean that any internet brokering service accessible from any of these devices should fall within the scope of Paragraph 18 and Schedule 7.
In the Consultation, the SFC has proposed to issue a new Guideline under s. 399(1) of the SFO. The Guideline will set out a list of cybersecurity measures which will act as baseline requirements that Internet Brokers will be expected to comply with, including the following:-
1. Using two-factor authentication ("2FA") to identify clients
Schedule 7 of the Code of Conduct currently requires Internet Brokers to implement reliable methods of authenticating or validating the identity and authority of their users. Whilst the use of a password at login is sufficient under the current rules, the proposed Guideline will impose a tougher standard by recommending 2FA as the baseline for identifying and authenticating clients. In essence, 2FA means using any combination of a password, a hardware or software token, or biometric data to authenticate the identity of a user accessing the system.
2. Using security controls to help prevent unauthorised intrusion and cyber-attacks
In the Consultation, the SFC has noted that most Internet Brokers already have some security controls to prevent hacking or cyber-attacks. The SFC wants to codify these security control practices through the Guideline by recommending Internet Brokers to:-
• deploy a secure network infrastructure through proper network segmentation;
• implement and update anti-virus and anti-malware solutions in a timely manner to detect malicious applications and malware on critical servers and workstations;
• implement monitoring and surveillance mechanisms such as IP logging; and
• establish physical security policies and procedures to prevent unauthorised physical access to the facilities hosting the internet trading system.
3. Limiting remote access to internal networks on a need-to-have basis
The Guideline recommends restricting remote access of internal networks to a need-to-have basis, as remote access exposes internal networks to the risk of cyber-attacks. Security controls should also be implemented over remote access from external networks.
4. Data encryption
Under the Guideline, the SFC specifies that client login passwords stored on systems should be encrypted using a strong encryption algorithm. In addition, Internet Brokers should use end-to-end encryption when transmitting sensitive data, such as client login credentials and trade data, between internal networks and client devices.
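Items 1 and 4 above name the two Guideline measures that are most directly implemented in code: a second authentication factor and protected storage of client login passwords. The Python below is an illustration added here; it is not drawn from the Consultation, the SFC's Guideline or any broker's system. It assumes a hypothetical credential record format ("pbkdf2_sha256$iterations$salt$digest") and a work factor of 600,000 PBKDF2 iterations. Stored passwords are protected with a salted, deliberately slow one-way hash, which is the usual way to satisfy a "strong encryption" requirement for credentials, because a hash needs no decryption key that an intruder who steals the credential table could also steal. The second factor is a software-token code computed per RFC 6238 (TOTP); the sample secret is the RFC's published test-vector key.

```python
import base64
import hashlib
import hmac
import os
import struct
from typing import Optional

# Password storage (Guideline item 4): a salted, deliberately slow one-way
# hash (PBKDF2-HMAC-SHA256) rather than a reversible cipher, so a stolen
# credential table does not yield plaintext passwords.
PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune to roughly 0.3 s per hash on your hardware


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest (base64)."""
    salt = salt if salt is not None else os.urandom(16)  # fresh random salt per client
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (
        PBKDF2_ITERATIONS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_b64, digest_b64 = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(candidate, expected)


# Second factor (Guideline item 1): a software-token code per RFC 6238 (TOTP),
# i.e. HOTP (RFC 4226) computed over a 30-second time counter.
def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226 section 5.3)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current code or one step either side to tolerate client clock skew."""
    for skew in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, unix_time + skew * 30), code):
            return True
    return False


def login(stored_hash: str, totp_secret: bytes, password: str, code: str, unix_time: int) -> bool:
    """Evaluate both factors before answering, so a wrong password is not revealed
    by a faster rejection than a wrong token code."""
    password_ok = verify_password(password, stored_hash)
    code_ok = verify_totp(totp_secret, code, unix_time)
    return password_ok and code_ok


if __name__ == "__main__":
    # Constructed demo values; the TOTP secret is the RFC 6238 test-vector key.
    record = hash_password("correct horse battery staple")
    secret = b"12345678901234567890"
    now = 59  # RFC 6238 vector: the SHA-1 code at T=59 is 94287082 (6 digits: 287082)
    print("valid login  :", login(record, secret, "correct horse battery staple", "287082", now))
    print("bad password :", login(record, secret, "wrong", "287082", now))
    print("bad code     :", login(record, secret, "correct horse battery staple", "000000", now))
```

Two things a production deployment would add are not shown: a code that has already been accepted must be rejected for the rest of its validity window (otherwise the skew tolerance also tolerates a replay), and login attempts must be rate-limited so that the six-digit code cannot simply be guessed.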
5. Roles and responsibilities of cybersecurity management
Under the Guideline, Internet Brokers will be required to establish an appropriate cybersecurity risk management framework at the board or senior management level. Responsible officer(s) or executive officer(s) responsible for the overall management and supervision of the internet trading system should define a cybersecurity risk management framework and set out key roles and responsibilities. These responsibilities may be delegated to a designated committee or operational unit, but the overall accountability remains with the responsible officer(s) or executive officer(s).
6. Backup and contingency planning
The Guideline will require Internet Brokers to make all reasonable efforts to ensure that their business continuity plan and crisis management procedures cover possible cyber-attack scenarios, such as DDoS[1] and total loss of business records and client data resulting from cyber-attacks (e.g. ransomware).
7. Third-party service providers
The Guideline also recommends that Internet Brokers which outsource internet trading activities enter into a formal service-level agreement with their service providers. The agreement should specify the terms of service and the responsibilities of the providers. Internet Brokers should ensure that the services provided by the third-party service provider comply with all the relevant requirements.
Effect of the proposed measures
The Consultation proposals are expected to be finalised in a few months' time. Whilst changes are expected, the majority of the proposals are uncontroversial and it is expected that most of them will be included in the final Guideline.
In anticipation of the upcoming changes, Internet Brokers should review their cybersecurity policies and ensure they will be able to comply with the new requirements. Internet Brokers using cloud or outsourced services should also consider whether their existing service providers will be able to meet the new requirements.
As highlighted in our Financial Services Law Alert - May 2017, cyber-attacks are becoming more prevalent, and recent headlines have shown that they can cause major losses and disruption. The SFC Consultation presents a good opportunity for organisations to evaluate their cybersecurity measures and address any existing vulnerabilities.
[1] Distributed Denial of Service ("DDoS") is the intentional paralysing of a computer network by flooding it with data sent simultaneously from many individual computers.
Howse Williams Bowers is an independent law firm which combines the in-depth experience of its lawyers with a forward thinking approach.