SFC orders tighter safeguards to stop hackers invading online trading accounts
Passwords have not proven effective at preventing hacking, says SFC in announcing 20 new guidelines
The Securities and Futures Commission issued new guidelines on Friday requiring those licensed to trade in securities or futures on the internet to take steps to improve their cybersecurity.
The 20 rules include an obligation to implement two-factor authentication for clients logging in to their internet trading accounts.
Two-factor authentication requires two of the three factors “something the client knows” (such as a password), “something the client has” (such as a one-time code from a token or mobile app) and “something the client is” (a biometric) to be presented before a login is accepted, so that a stolen password on its own is not enough to get into the account.
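To make the "two of three factors" rule concrete, here is an added example (not code from the SFC circular or from any broker's system) of a login check that combines "what a client knows", a password stored as a salted PBKDF2 hash, with "what a client has", a time-based one-time code from an authenticator per RFC 6238. The function names, the account-record layout, the iteration count and the drift window are assumptions for illustration; the shared secret used in the usage lines is the public RFC 4226/6238 test key, not a real credential.

```python
import hashlib
import hmac
import secrets
import struct
from typing import Optional

# Constructed parameters for this example; none of them come from the SFC rules.
PBKDF2_ITERATIONS = 600_000   # PBKDF2-HMAC-SHA256 work factor
TOTP_STEP = 30                # seconds per TOTP time step (RFC 6238 default)
TOTP_DIGITS = 6
TOTP_WINDOW = 1               # accept one step of clock drift either side


def hash_password(password: str, salt: Optional[bytes] = None):
    """Factor 1, 'what the client knows': salted PBKDF2 of the password."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, expected)   # constant-time compare


def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = TOTP_STEP) -> str:
    """Factor 2, 'what the client has': RFC 6238 TOTP, HOTP keyed on the time step."""
    return hotp(secret, unix_time // step)


def make_account(password: str, totp_secret: bytes) -> dict:
    """Hypothetical account record as a broker's login service might store it."""
    salt, digest = hash_password(password)
    return {"salt": salt, "pw_hash": digest, "totp_secret": totp_secret, "last_counter": -1}


def login(account: dict, password: str, code: str, unix_time: int) -> bool:
    """Both factors are always evaluated and the decision is the AND of the two.

    A one-time code is accepted only for a time step later than the last one
    used, so a code captured from the client cannot be replayed while it is
    still inside the drift window.
    """
    pw_ok = verify_password(password, account["salt"], account["pw_hash"])

    counter = unix_time // TOTP_STEP
    matched = None
    for delta in range(-TOTP_WINDOW, TOTP_WINDOW + 1):
        candidate = counter + delta
        if candidate > account["last_counter"] and hmac.compare_digest(
            hotp(account["totp_secret"], candidate), code
        ):
            matched = candidate

    if pw_ok and matched is not None:
        account["last_counter"] = matched   # burn the step only on a successful login
        return True
    return False


if __name__ == "__main__":
    # RFC 4226 Appendix D / RFC 6238 test key, used here only as sample input.
    demo_secret = b"12345678901234567890"
    acct = make_account("correct horse", demo_secret)
    print(login(acct, "correct horse", totp(demo_secret, 59), 59))   # both factors pass
    print(login(acct, "correct horse", totp(demo_secret, 59), 59))   # same code replayed
    print(login(acct, "wrong password", totp(demo_secret, 120), 120))  # second factor alone
```

The point a practitioner should take from the block is in `login`: the password check and the one-time code check are independent, a failure of either rejects the login, and an accepted code is tied to its time step so that the HK$110 million class of unauthorised trades cannot be driven by a captured password plus a replayed code.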
“Robust preventive and detective controls are essential to reduce and mitigate cybersecurity risks,” said Julia Leung, SFC executive director, in a statement.
“Given that passwords have not proven effective to prevent hacking, two-factor authentication is an important part of effective cybersecurity risk management.”
In the 18 months to the end of March 2017, 12 licensed corporations in Hong Kong reported 27 cybersecurity incidents, most of which involved unauthorised access to client trading accounts held by securities brokers. These resulted in unauthorised trades totalling more than HK$110 million, according to the SFC.
According to a report from cybersecurity company ESET, Hong Kong was the second most targeted place in Asia by cyberattacks in the past three years.
The report also said that 55 per cent of cyber breaches during the period at small to medium sized businesses were caused by a lack of two-factor authentication.
The Hong Kong Monetary Authority also issued a circular on Friday requiring registered banking institutions in the city to ensure that their internet trading services meet the SFC’s requirements.
Other rules in the SFC’s circular require stringent password policies, a secure network infrastructure and a cybersecurity risk management framework.
He was speaking after an exercise on Friday carried out by the Hong Kong Financial Services Business Continuity Management Forum and Control Risks to test Hong Kong financial services sector’s readiness to respond to cyber and physical attacks.