[31 January 2018] Open with your browser  
Featured images

Consultation Conclusions on Proposals to Reduce
and Mitigate Hacking Risks Associated with
Internet Trading by SFC

Written by: Mr. Ellis Ho – Risk Consultant

With rapid technological advancement, many trading systems now enable login via mobile device applications or internet trading platforms. However, the corresponding cybersecurity management is not at a consistent pace of development, increasing the risks for financial services industry and its clients who would be exposed to the hackers’ attacks. In view of this, the Securities and Futures Commission (“SFC”) published a consultation paper on “Proposals to Reduce and Mitigate Hacking Risks Associated with Internet Trading” in May 2017. After considering the opinions from various sectors, the SFC issued the related guidelines in October 2017, requiring all licensed or registered persons engaging in internet trading such as securities, futures and other regulated activities to enhance the cybersecurity measures.

Three types of cybersecurity measures can be summarized from the guideline, namely protection of clients’ internet trading accounts, infrastructure security management and cybersecurity management and supervision. The key contents are highlighted as follows:

Protection of Clients’ Internet Trading Accounts

Two-factor authentication
Licensed or registered persons should implement two-factor authentication for clients’ login. For example, requiring the clients to enter a one-time password generated by Security Device or transmitted through SMS for secondary authentication.

Implementing monitoring and surveillance mechanisms
Implement effective monitoring system to supervise suspicious or abnormal clients’ login.

Prompt notification to clients
When transaction or other client activities (e.g. system login, password reset, or fund transfer to third party accounts, etc.) take place, licensed or registered persons should immediately notify customers by SMS or email.

Data encryption
Adopt strong encryption algorithm to protect the transmission of sensitive information (e.g. transaction data, clients’ login information, etc.).

Protection of client login passwords
Implement effective policy and procedures for account activation and password reset to ensure the login passwords of clients are securely generated by the systems randomly and sent to the clients without human intervention. If the login passwords are not generated by the system, licensed or registered persons should protect the clients through implementing other security measures, such as compulsory change of password upon the first login.

Stringent password policy and session timeout controls
Establish and execute password policy and session timeout control measures. For example, setting minimum password length and complexity, sending regular reminders on changing password, monitoring invalid login attempts and setting session timeout after a period of inactivity.

Infrastructure Security Management

Deploying a secure network infrastructure
Deploy appropriate network segmentation (e.g. multi-tiered firewalls) to protect major trading system and clients’ data.

Login and remote connection management
To ensure an exclusive system connection by authorized persons, licensed or registered persons should establish proper policy and procedures. Besides, they should also implement cybersecurity monitoring measures to manage remote access to its internal network.

End-point protection
Use anti-virus and anti-malware and update the software on a timely basis to detect and monitor malicious applications and malware.

Physical security
Establish policy and procedures of physical security to protect the critical system (e.g. servers and network devices) and to prevent unauthorized physical access to the critical components of the internet trading system.

System and data backup
Back up business records, client and transaction databases, servers and supporting documentation on a daily basis. In addition, licensed or registered persons should adopt an appropriate recovery method to ensure that major system can be restored successfully.

The current system does not mandatorily require the listed issuers to make excess applicatioent or compensatory arrangement for unsubscribed shares. Without the two ta entit

Cybersecurity Management and Supervision

Roles and responsibilities of cybersecurity management
Establish the cybersecurity risk management framework and define the roles and responsibilities of responsible persons or management, including:

  • Reviewing and approving cybersecurity risk management policy and procedures
  • Periodically reviewing cybersecurity risk management framework
  • Assessing major findings identified from internal and external audits, and monitoring the progress of remedial measures

Cybersecurity incident reporting
Establish written policy and procedures illustrating how to report internally and externally when a suspected or actual cybersecurity incident occurs.

Cybersecurity awareness training for internal system users
Provide sufficient and appropriate cybersecurity awareness training for internal system users on a yearly basis. Licensed or registered persons should consider its cybersecurity risks and the level when they design the training content.

Cybersecurity alert and reminder to clients
Licensed or registered persons should adopt all appropriate procedures to remind their clients the risks associated with cybersecurity, and provide them with suggestions on related preventive and protective measures on internet trading.

The measures on two-factor authentication will firstly be effective on or after 27 April this year while the other requirements will be effective from 27 July. Sound cybersecurity measures are the cornerstone of the expansion of internet trading. Government should continually pay close attention to the development of internet trading and revise the policy on an appropriate and timely manner to protect public interest.


Consultation Paper on Proposals to Reduce and Mitigate Hacking Risks Associated with Internet Trading, The Securities and Futures Commission, May 2017.

Consultation Conclusions on Proposals to Reduce and Mitigate Hacking Risks Associated with Internet Trading, The Securities and Futures Commission, October 2017.

If there are any aspects which we may assist, please do not hesitate to contact:

Principal - Ms. Gloria So
gloria.so@shinewing.hk (Tel. 3583 8517)

SHINEWING Risk Services Limited

Contact Us

SHINEWING Risk Services Limited
43/F., Lee Garden One, 33 Hysan Avenue Causeway Bay, Hong Kong,

T. (852) 3583 8000

F. (852) 3583 8532

W. www.shinewing.hk

E. risk@shinewing.hk


product image


SHINEWING Risk Services Limited is an industry leader with many years of experience in risk management and internal control review services in China and Hong Kong. SHINEWING has maintained its leadership position in the market over the years.

Headquartered in Beijing and with branch offices in Hong Kong, Singapore, Japan, Australia, Pakistan, Egypt, Shenzhen, Chengdu, Shanghai, Xi’an, Tianjin, Qingdao, Changsha, Changchun, Yinchuan, Jinan, Dalian, Kunming, Guangzhou, Fuzhou, Nanjing, Urumqi, Wuhan, Hangzhou, Taiyuan, Chongqing, Nanning, Hefei and Zhengzhou. SHINEWING is ideally positioned to provide services for our valued clients.


Copyright © 2018 SHINEWING Risk Services Limited. All rights reserved.

This message (including any attachments) contains confidential information intended for a specific individual and purpose, and is protected by law. If you are not the intended recipient, you should delete this message. Any disclosure, copying, or distribution of this message, or the taking of any action based on it, is strictly prohibited.


Home | Open in browser | Unsubscribe