[31 May 2017] Open with your browser  
Featured images

Cybersecurity Risks associated with Internet Trading

Written by: Ms. Melody Guo – Associate

The advent of Internet Finance has brought a new dimension to the traditional financial services in Hong Kong. Increasing number of people rely on computers or other mobile devices to carry out internet transactions. However, a series of cybersecurity problems, such as hacking, ransomware and denial of services, are inevitably derived from the rise of Internet Finance. According to the Securities and Futures Commission (“SFC”) and Hong Kong Computer Emergency Response Team Coordination Centre, a total of 12 licensed corporations reported that they encountered cybersecurity incidents as of March 2017. There were 27 incidents of illegal access of computer systems, resulting in unauthorized trades totaling more than HKD$110 million.

To tackle the frequent cyber attack incidents and cybersecurity problems, the external internet experts appointed by the SFC reviewed the circumstances through onsite inspection and questionnaire survey in late 2016. The survey result showed that although most of the securities brokers had established cybersecurity mechanism, they were weak in safeguarding the internet trading account security of the clients and resisting hacking.

In order to strengthen the security measures of internet trading and protect clients’ interests, the SFC proposes new guidelines on baseline cybersecurity requirements to enhance the mechanism in detecting suspicious trading and to reduce the hacking risks. It is proposed to expand the current electronic trading of securities and futures on exchanges to cover the internet trading of securities which are not listed or traded on an exchange. The SFC has started a 2-month consultation in early May and aims to publish the consultation conclusion in September or October this year. The SFC indicated that the new guidelines will only become effective 6 months after the consultation conclusion so there will be sufficient time to implement the baseline requirements.

The SFC has classified the 20 baseline requirements into 3 categories, which are protection of clients’ internet trading accounts, infrastructure security management and cybersecurity management and supervision. The main content of the proposed requirements include: two-factor authentication are required to be implemented when the clients log in to the transaction system. Any two of the following authentication mechanism must be used during login: what a client knows (e.g. password), what a client has (e.g. hardware token, one-time-password that will expire in a short period of time), and who a client is (i.e. biometrics). Besides, the SFC proposes that whenever there are certain activities taken place in the internet trading accounts, including trade execution, fund transfers to third parties, change of personal particulars and password reset, the clients must be notified.

Facing the general trend of informatization, there is an increasing demand for standardization on the internet. Both government and businesses should bear the responsibilities in protecting the cybersecurity. Apart from regular monitoring of internet equipment, they should also provide cybersecurity training to the related staff on a timely basis in order to reduce the risks.

Consultation Paper on Proposals to Reduce and Mitigate Hacking Risks Associated with Internet Trading, The Securities and Futures Commission, 8 May 2017.

SFC commences cybersecurity review on brokers’ internet and mobile trading systems, The Securities and Futures Commission, 13 October 2016.

If there are any aspects which we may assist, please do not hesitate to contact:

Managing Partner - Mr. Roy Lo
roy.lo@shinewing.hk (Tel. 3583 8048) or

Senior Risk Manager - Ms. Gloria So
gloria.so@shinewing.hk (Tel. 3583 8517)


SHINEWING Risk Services Limited

Contact Us

SHINEWING Risk Services Limited
43/F., Lee Garden One, 33 Hysan Avenue Causeway Bay, Hong Kong,

T. (852) 3583 8000

F. (852) 3583 8532

W. www.shinewing.hk

E. risk@shinewing.hk


product image


SHINEWING Risk Services Limited is an industry leader with many years of experience in risk management and internal control review services in China and Hong Kong. SHINEWING has maintained its leadership position in the market over the years.

Headquartered in Beijing and with branch offices in Hong Kong, Singapore, Japan, Australia, Pakistan, Egypt, Shenzhen, Chengdu, Shanghai, Xi’an, Tianjin, Qingdao, Changsha, Changchun, Yinchuan, Jinan, Dalian, Kunming, Guangzhou, Fuzhou, Nanjing, Urumqi, Wuhan, Hangzhou, Taiyuan, Chongqing, Nanning and Hefei. SHINEWING is ideally positioned to provide services for our valued clients.


Copyright © 2017 SHINEWING Risk Services Limited. All rights reserved.

This message (including any attachments) contains confidential information intended for a specific individual and purpose, and is protected by law. If you are not the intended recipient, you should delete this message. Any disclosure, copying, or distribution of this message, or the taking of any action based on it, is strictly prohibited.


Home | Open in browser | Unsubscribe