The SFC has asked for feedback on proposed new guidelines that set out minimum cybersecurity requirements for internet brokers. These include two-factor authentication for client login to systems and prompt notification to clients of certain activities on their accounts.
Some of these are already set out in the SFC's code of conduct or in its circulars, it said, but have been elaborated upon.
The SFC also proposed to expand the cybersecurity-related principles and requirements on electronic trading of securities and futures on exchanges to cover the internet trading of securities which are not listed or traded on an exchange. This would include authorised unit trusts and mutual funds, because these are subject to the same hacking risks, the SFC said.
The definition of "internet trading" should also be updated to clarify that an internet trading facility can now be accessed from a computer, mobile phone or other electronic device, the Commission said.
Ashley Alder, the SFC’s chief executive, said: "Hacking of internet trading accounts is the most serious cybersecurity risk faced by internet brokers in Hong Kong. Brokers must strengthen their resilience to hacking and other cybersecurity risks by adopting robust preventive and detective controls."
The consultation follows a recent review of Hong Kong’s brokers’ resilience to hacking risks, the SFC said.
In the 18 months to 31 March, 27 cybersecurity incidents were reported at 12 licensed Hong Kong corporations, the SFC said.
Most of the incidents involved hackers gaining access to clients’ internet-based trading accounts with securities brokers, resulting in unauthorised trades totalling more than HK$110 million ($14 million), it said.
Other incidents involved distributed denial-of-service attacks, where multiple compromised computer systems attack licensed corporations’ websites and cause a denial of service for their users, accompanied by threats of extortion, it said.
Hong Kong's Monetary Authority introduced new cybersecurity obligations for banks in May last year, while Hong Kong's privacy commissioner Stephen Wong Kai-yi said at the time that changes to EU data protection laws and advancements in technology would prompt a review of Hong Kong's own data protection regime over the next 18 months.