[Apr 2016]


Circular to All Licensed Corporations on Cybersecurity issued by Securities and Futures Commission

Written by: Ms. Winnie Leung - Risk Manager

In recent years, many financial institutions have been disrupted by different types of cyber-attacks. The Securities and Futures Commission (“SFC”) has performed a cybersecurity review of selected large-sized Licensed Corporations (“LCs”), which aimed to assess whether effective cybersecurity controls have been implemented. It is noted that most of the LCs have proactively spent resources on improving their cybersecurity control systems. However, they are weak in identifying the cybersecurity risks that may pose significant threats to their businesses. On 23 March 2016, the SFC issued a circular to all LCs and shared the key areas of concern and suggested cybersecurity controls as follows:


Key areas of concern

  • Insufficient cybersecurity risk assessment exercises

SFC noted that most of the LCs focus only on the assessment of risks associated with their internet-facing systems and infrastructure. Mission-critical systems and other non-internet-facing systems are not covered. Besides, SFC found that the assessment is neither conducted frequently nor updated with the latest cybersecurity threats.


  • Insufficient cybersecurity risk assessment of service providers

LCs have not established policies and procedures for conducting cybersecurity risk assessments on their service providers, nor have they taken an active role in assessing the cybersecurity risks faced by those service providers.


  • Insufficient training on cybersecurity

It is found that the training provided to staff is not updated with the latest cybersecurity-related issues, so staff are not kept abreast of the latest cyber threats.


  • Insufficient cybersecurity incident management

Disaster recovery plans in LCs are inadequate. In addition, SFC noted that some of the regular drill exercises in LCs are conducted only for specific technical components, and only technology staff are involved.


  • Insufficient data protection programs

Data protection programs established to address cybersecurity threats are inadequate; for example, there is no documentation identifying the data flow, and no tailor-made data protection processes and technologies have been established.


Suggested cybersecurity controls

  • Set up a cybersecurity governance framework

SFC suggested allocating sufficient resources to execute and monitor the cybersecurity controls. In addition, cybersecurity topics should be discussed in senior management meetings. Training and regular evaluation should be conducted to strengthen the understanding of staff and service providers of the cybersecurity controls.


  • Implement cybersecurity management process on service providers

It is suggested that policies and procedures for the management of service providers should be established. Regular cybersecurity risk assessments should be conducted with the service providers, and cybersecurity requirements should be included in the agreements with service providers.


  • Improve security controls to guard against advanced cyber-attacks

SFC provides some examples of how to improve security controls, such as multi-tier network defences (e.g. firewalls, intrusion detection systems) and privileged user access management.


  • Establish an information protection program to ensure that sensitive information flows are protected

The information protection program should be established and documented. Besides, LCs should also tailor their solutions to enable the detection of malicious activities. Periodic recertification of removable media access should also be conducted. In addition, the firm’s applications and information should be separated from staff’s mobile devices.


  • Enhance the management of threat intelligence and vulnerabilities

LCs are advised to conduct regular cybersecurity risk assessments that take into account real-life cyber-attack scenarios and the latest trends in cyber-attacks. If any deficiency is noted, a remediation plan should be established, implemented and monitored.


  • Improve incident and crisis management procedures

It is suggested to perform regular drills to ensure the effectiveness of cybersecurity incident and crisis handling procedures.


  • Establish a contingency plan

A contingency plan should be established in written form. Periodic testing should be performed to ensure the plan is viable and adequate. Backup tapes should also be encrypted and physically protected.


  • Reinforce user access controls

It is suggested that the access rights of each user be set according to their roles and responsibilities.


LCs should take appropriate measures to review and assess the effectiveness of their cybersecurity controls in accordance with the circular issued by the SFC.


Source: Circular to All Licensed Corporations on Cybersecurity, Securities and Futures Commission


If there are any aspects with which we may assist, please do not hesitate to contact:

Partner In Charge - Mr. Roy Lo
roy.lo@shinewing.hk (Tel. 3583 8048) or

Senior Risk Manager - Ms. Gloria So
gloria.so@shinewing.hk (Tel. 3583 8517)


SHINEWING Risk Services Limited

Contact Us

SHINEWING Risk Services Limited
43/F., Lee Garden One, 33 Hysan Avenue, Causeway Bay, Hong Kong

T. (852) 3583 8000

F. (852) 3583 8532

W. www.shinewing.hk

E. risk@shinewing.hk


SHINEWING Risk Services Limited is an industry leader with many years of experience in risk management and internal control review services in China and Hong Kong. SHINEWING has maintained its leadership position in the market over the years.

Headquartered in Beijing and with branch offices in Hong Kong, Singapore, Japan, Australia, Pakistan, Shenzhen, Chengdu, Shanghai, Xi’an, Tianjin, Qingdao, Changsha, Changchun, Yinchuan, Jinan, Dalian, Kunming, Guangzhou, Fuzhou, Nanjing, Urumqi, Wuhan, Hangzhou, Taiyuan, Chongqing, Nanning and Hefei. SHINEWING is ideally positioned to provide services for our valued clients.


(c)2016 SHINEWING Risk Services Limited. All rights reserved.

This message (including any attachments) contains confidential information intended for a specific individual and purpose, and is protected by law. If you are not the intended recipient, you should delete this message. Any disclosure, copying, or distribution of this message, or the taking of any action based on it, is strictly prohibited.