Hacking of internet trading accounts is the most serious cybersecurity risk facing internet brokers in Hong Kong, said Ashley Alder, chief executive of the SFC. Photo: David Wong

Hong Kong regulator SFC seeks input on tighter cybersecurity measures

Twenty new measures proposed include coverage of online fund sales and increased security for mobile phone trading

The Securities and Futures Commission has proposed a range of measures to tighten cybersecurity for all of the 500 Hong Kong stockbrokers and fund managers in the city, according to a consultation paper that seeks to collect views from the market over the next two months.

The regulator’s action came after 27 hacking attacks on 12 licensed financial firms in the 18 months to the end of March led to investor losses totalling HK$110 million (US$14.2 million), the commission said in an statement on Monday.

“Hacking of internet trading accounts is the most serious cybersecurity risk faced by internet brokers in Hong Kong,” said Ashley Alder, chief executive of the SFC.

“Brokers must strengthen their resilience to hacking and other cybersecurity risks by adopting robust preventive and detective controls.”

The proposed guidelines set out 20 baseline cybersecurity requirements for brokers, fund managers and financial firms which offer online trading for investors.

They include two-factor authentication for client’s system logins and prompt notification to clients of certain activities seen in their internet trading accounts.

In addition, the SFC proposes to expand the scope of cybersecurity-related regulation to cover those securities that are not listed on an exchange. Existing cybersecurity requirements only apply to products traded on the stock or futures exchange.

The expansion would mean unit trusts and mutual funds, which are usually not listed on the stock exchange but may also be sold online, would also be covered by the [NEW?] requirements. Fund houses which sell products online would also need to have measures in place to protect customers against the risk of hackers.

The SFC also proposes to update the definition of “internet trading”, by clarifying that an internet-based trading facility is one that can be accessed through a computer, mobile phone or other electronic device.

The consultation process continues until July 7.

Christopher Cheung Wah-fung, Hong Kong lawmaker for the financial services sector, welcomed more protection measures for investors but said he hopes the new measures would not make it too difficult for brokers to do business.

This article appeared in the South China Morning Post print edition as: SFC seeks to boost cybersecurity after hacking attacks