Hong Kong’s SFC probes brokerages’ cybersecurity preparedness after HK$100 million in unauthorised trades
Securities regulator urges steps be taken to curb hackers after reported security breaches
Hong Kong’s securities watchdog has begun a review to assess brokerages’ cybersecurity readiness, rules compliance and resilience of their trading systems, after HK$100 million of unauthorised trades were reported.
The review follows a number of reports from securities brokers that the security of some customers’ internet and mobile trading accounts has been compromised, and unauthorised securities trading transactions were conducted through these accounts.
“In the light of the recent incidents, brokers should critically review and enhance their controls to combat cyberattacks, including measures aimed at mitigating hacking risks and enabling them to spot and alert clients to suspicious activities so as to stop further unauthorised trading where security has been compromised,” the Securities and Futures Commission said in a statement on Thursday.
The commission noted that in the past 12 months, 16 incidents were reported involving seven securities brokerages and total unauthorised trades in excess of HK$100 million.
These cases are under police investigation.
Questionnaires will be sent out to small to medium-sized brokerages to assess their cybersecurity features on both their desktop and mobile trading systems.
In-depth on-site inspections of selected brokerages will examine how well their information technology systems and related management controls perform in preventing and detecting cyberattacks.
The commission’s regulatory requirements and market practices in Hong Kong will also be benchmarked against those overseas.
The SFC urged investors to set strong passwords and safeguard their login identities and passwords, closely monitor activities in their online securities accounts, type in the website address of their brokerages or use bookmarks to enter their sites, install anti-virus programs on their computers and mobile devices and avoid using public networks to access their online accounts.