Aggregated News From Investment Management Regulators

SFC and HKMA address hacking risks associated with internet trading



The Securities and Futures Commission (SFC) and the Hong Kong Monetary Authority (HKMA) recognise the need for effective cybersecurity management as cyber risk poses an increasingly significant threat to the integrity, efficiency and soundness of financial markets worldwide. Over the past few years, the SFC and the HKMA have provided a range of guidance on cybersecurity to the intermediaries they regulate (Note 1).

Today the SFC issued Guidelines for Reducing and Mitigating Hacking Risks Associated with Internet Trading requiring all licensed or registered persons engaged in internet trading (Note 2) to implement 20 baseline requirements to enhance their cybersecurity resilience and to reduce and mitigate hacking risks (Note 3). Also today, the HKMA issued a circular requiring registered institutions to enhance the security of their internet trading services having regard to the requirements in the SFC’s guidelines.

One key control, the implementation of two-factor authentication for clients to log in to their internet trading accounts, will take effect on 27 April 2018, while all other requirements will take effect on 27 July 2018.

“Robust preventive and detective controls are essential to reduce and mitigate cybersecurity risks,” said Ms Julia Leung, SFC Executive Director. “Given that passwords have not proven effective to prevent hacking, two-factor authentication is an important part of effective cybersecurity risk management.”

Mr Arthur Yuen, Deputy Chief Executive of the HKMA, said, “I am glad that consensus has been reached for the banking and the securities industries to adopt two-factor authentication for internet trading and strengthen related cybersecurity controls. These enhancements are necessary to protect investors from cyber threats targeted at them.”

The release of the SFC’s guidelines follows a public consultation (Note 4) to which 36 responses from the securities and banking industry were received.



  1. As defined in Schedule 1 to the Securities and Futures Ordinance, “intermediary” means a licensed corporation or a registered institution. “Registered institutions” are authorised institutions under the Banking Ordinance which are registered with the SFC to conduct regulated activities.
  2. This refers to licensed or registered persons who, through internet-based trading facilities, are engaged in dealing in securities or futures contracts, in leveraged foreign exchange trading or in distributing funds under management.
  3. In Consultation Conclusions on Proposals to Reduce and Mitigate Hacking Risks Associated with Internet Trading, also issued by the SFC today, the application of Paragraph 18 and Schedule 7 of the Code of Conduct for Persons Licensed by or Registered with the SFC is expanded to cover intermediaries which conduct internet trading of securities that are not listed or traded on an exchange.
  4. On 8 May 2017, the SFC issued a Consultation Paper on Proposals to Reduce and Mitigate Hacking Risk Associated with Internet Trading.


Regulator Information

Abbreviation: SFC
Jurisdiction: Hong Kong
