Cybersecurity Essentials
In recent times and in line with its investor protection mandate, the SFC has turned focus to cybersecurity arrangements within licensed corporations.
Within this publication, we review the baseline requirements of the Cybersecurity Guidelines, as well as recommended good practices for adoption as identified by the SFC in its previous cybersecurity thematic review.
Introduction
As a general mandate, one of the objectives of the Securities and Futures Commission (“SFC”) as empowered by the Securities and Futures Ordinance (“SFO”), is to provide protection for the investing public. Under Section 399 of the SFO therefore, the SFC is empowered to issue guidelines and other regulatory codes in furtherance of its regulatory objectives.
Accordingly, in October 2017, the SFC issued the Cybersecurity Guidelines to set out baseline requirements essential for safeguarding both traders and the licensed corporations involved in internet trading activities. These guidelines specifically apply to licensed corporations engaged in regulated activities such as dealing in securities (Type 1), dealing in futures contracts (Type 2), leveraged foreign exchange trading (Type 3), and asset management – to the extent of distributing funds through their online trading platforms (Type 9). However, it is key to note that all licensed companies, regardless of their specific activities, are obligated to comply with the SFC’s Code of Conduct, which includes requirements relating to the security of electronic trading systems.
Protection of Clients' Internet Trading Accounts
1. Two-Factor Authentication
The first of the measures outlined for the protection of client trading accounts is the implementation of two-factor authentication (2FA) for logging into clients’ internet trading accounts. This security measure typically involves combining two of the following three factors: ‘what the client knows’, ‘what the client has’, or ‘who the client is’.
For the ‘what the client knows’ factor, the licensed corporation may adopt a user ID and password. For ‘what the client has’, a licensed corporation may elect to deliver a one-time password (“OTP”) generated from a hardware token given to the client, or any other technical tool of an equivalent standard. Where the licensed corporation adopts a ‘who the client is’ authentication check, this should constitute a validation of the client’s biometric identity against a version maintained by the licensed corporation.
It should be noted that the choice of 2FA should align with the nature of risks commensurate with the licensed corporation’s business model.
2. Implement Monitoring and Surveillance Mechanisms
To detect unauthorised access to clients’ internet trading accounts, licensed corporations should implement effective monitoring and surveillance mechanisms. As timely detection could prevent potential security breaches, licensed corporations should follow up on any identified breaches and relevant remedial actions. These remedial actions could include suspension of accounts, cancelled transactions, or transaction freezes.
Examples of good practices in this regard include using computer-assisted monitoring tools such as Intrusion Detection Systems and Intrusion Prevention Systems to detect vulnerability exposures and improve internet systems.
3. Prompt Notification to Clients
Clients should receive prompt notifications, via email, short message service (“SMS”), or other push notifications, regarding significant activities in their internet trading accounts. These activities, at a minimum, should include system logins, password resets, trade executions, fund transfers to third-party accounts, and any changes to client and account-related information.
In instances where clients choose to opt out of ‘trade execution’ notifications only, this should be accompanied by comprehensive risk disclosures from the licensed corporation and a confirmation received from the client.
4. Data Encryption
Sensitive information, such as login credentials and trade data, should be encrypted during transmission between internal networks and client devices. Additionally, client login passwords stored within the internet trading system should be adequately protected using strong encryption algorithms.
Licensed corporations are encouraged to provide additional safeguards such as salting (adding a random value to each password before it is hashed and stored, so that stored password hashes are unique and precomputed-table attacks are harder).
5. Protection of Client Login Passwords and Session Timeout Controls
To ensure optimum and secure client login password management, licensed corporations should establish and implement policies and procedures for secure password generation and delivery during account activation and password reset processes. Typically, this could involve passwords being randomly generated by the system and sent through secure channels that are free from human interference.
Stringent password and session timeout controls, including minimum password length, periodic reminders to change passwords, complexity requirements, control over invalid login attempts, and session timeout after inactivity, should be established within the internet systems.
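The following is an added illustration, not code from the publication or from the SFC, of the Section 4 and Section 5 controls working together: salted password hashing, system-generated random passwords, lockout after repeated invalid logins, and session expiry after inactivity. The work factor, attempt limit and timeout values are assumptions chosen for the example, not figures from the Guidelines.

```python
import hashlib
import hmac
import os
import secrets
import string

# Policy values are assumptions for this example, not SFC requirements.
PBKDF2_ROUNDS = 200_000          # work factor for the password hash
MAX_FAILED_LOGINS = 5            # lock the account after this many failures
SESSION_TIMEOUT_SECS = 15 * 60   # expire a session after 15 minutes idle


def generate_password(length=12):
    """System-generated random password for account activation / reset."""
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*"
    return "".join(secrets.choice(alphabet) for _ in range(length))


def hash_password(password, salt=None):
    """Return (salt, digest); a fresh random salt makes each stored hash unique."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


class Account:
    def __init__(self, password):
        self.salt, self.digest = hash_password(password)
        self.failed = 0
        self.locked = False
        self.last_activity = None   # None means no live session

    def login(self, password, now):
        """Verify the password; count failures and lock after the limit."""
        if self.locked:
            return False
        _, digest = hash_password(password, self.salt)
        if hmac.compare_digest(digest, self.digest):   # constant-time compare
            self.failed = 0
            self.last_activity = now
            return True
        self.failed += 1
        if self.failed >= MAX_FAILED_LOGINS:
            self.locked = True
        return False

    def session_active(self, now):
        """True if a session exists and has not been idle past the timeout."""
        if self.last_activity is None or now - self.last_activity > SESSION_TIMEOUT_SECS:
            self.last_activity = None
            return False
        self.last_activity = now
        return True
```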
Infrastructure Security Management
1. Secure Network Infrastructure
A secure network infrastructure, including network segmentation with multi-tiered firewalls, is critical to protect critical systems and client data against cyberattacks. Licensed corporations should therefore consider implementing mechanisms such as clean-pipe services and other anti-distributed denial of service (“DDoS”) solutions.
Other measures for improving internet trading systems could include anti-Advanced Persistent Threat solutions and web application firewalls.
2. User Access Management
Access to systems should be granted on a need-to-have basis, and regular reviews of user access lists should be conducted to ensure compliance and security.
In view of this, it is recommended that licensed corporations implement Privileged Identity Management (“PIM”) or other user re-certification processes that would be reviewed on a periodic basis.
Stringent password and session timeout controls, including minimum password length, periodic reminders to change passwords, complexity requirements, control over invalid login attempts, and session timeout after inactivity, should be established within the internet systems.
3. Security Controls Over Remote Connection
Remote access to internal networks should be granted sparingly, and strict security monitoring and controls should be in place for such access. To mitigate associated risks with remote access, licensed corporations are encouraged to implement multifactor authentication for remote access by employees, vendors, and other users.
4. Patch Management and End-Point Protection
Timely monitoring and implementation of security patches or hotfixes released by software providers is essential to mitigate vulnerabilities.
Additionally, licensed corporations are obligated to regularly update their anti-virus and anti-malware solutions in order to enhance their ability to detect and prevent malicious applications and malware on critical system servers and workstations.
5. Physical Security and Unauthorized Installations
Licensed corporations are expected to establish policies relating to physical security in order to protect critical system components and prevent unauthorized access to facilities hosting the internet system depositaries.
Additionally, there should be relevant controls in place to prevent unauthorized hardware and software installations.
6. System and Data Backup
Daily off-line backups of business records, client and transaction databases, servers, and supporting documentation should be maintained by licensed corporations. This is in addition to ensuring that suitable recovery methods should be in place in the event of major system changes.
Licensed corporations should consider assessing their systems and backup arrangements during their business contingency drill tests, which should be conducted at least annually.
7. Contingency Planning for Cybersecurity Scenarios
Licensed corporations’ contingency plans should cover various possible cybersecurity scenarios, including distributed denial-of-service (DDoS) attacks, data leakages, ransomware attacks and total loss of business records and client data.
These plans must be regularly updated and tested to ensure that suitable crisis management policies are in place to support the licensed corporation in returning business to normal operating conditions.
8. Third-Party Service Providers
Licensed corporations outsourcing internet services to third-party service providers should establish proper service-level agreements that align with regulatory requirements. These agreements should be regularly reviewed and should provide clarity on the scope of maintenance and technical assistance to be received from the third-party.
Senior Management
Cybersecurity Management and Supervision
Senior management of licensed corporations overseeing internet trading systems must establish a cybersecurity risk management framework that defines key roles and responsibilities and delegates them to the relevant teams or units, while retaining ultimate accountability.
Some of these delegations could relate to oversight of cybersecurity risk management including policy approvals, budgeting, routine self-assessment, issue escalation, audit findings, threat monitoring, contingency planning, and service-level agreements.
Written Policies & Procedures
Written policies and procedures should be in place for escalating and reporting suspected or actual cybersecurity incidents, both internally and externally. Furthermore, internal system users within the licensed corporation should undergo yearly cybersecurity awareness training tailored to the specific risks they may encounter in the course of conducting its regulated activity business.
Internet Trading System
Efforts should be made to continually remind and alert clients about cybersecurity risks and recommended preventive measures when using the internet trading system. As a matter of good practice and on a frequent basis, licensed corporations should update their clients with necessary information on the latest cyber-attacks and vulnerabilities so that clients are aware of such risks.
Conclusion
In conclusion, the Cybersecurity Guidelines, in setting the expectations discussed above for licensed corporations, emphasize the importance of maintaining robust cybersecurity measures.
It is worth reiterating that, although a significant spectrum of these requirements rests on licensed corporations holding Type 1, 2, 3 and 9 (if applicable) licences, all licensed corporations remain obligated by the Code of Conduct to:
- Implement robust internal controls and capabilities to protect their operations, clients, and licensed individuals from financial losses arising from theft, fraud, misconduct, or negligence.
- Safeguard the reliability, security, and capacity of its electronic systems, while also having contingency plans in place.
Compliance with these guidelines is therefore not only a mandatory obligation, but can also form the basis for the assessment of a licensed corporation’s fitness and properness to continue to conduct regulated activities in Hong Kong. Licensed corporations should accordingly review their arrangements and ensure compliance.