SFC puts cybersecurity under spotlight

The Hong Kong regulators continue to focus on cybersecurity with the SFC’s recent thematic review of internet brokers. Although online traders were found to be broadly compliant, the deficiencies highlighted have relevance across all regulated firms and serve as a reminder to review your cybersecurity measures.

The SFC released its 2019-2020 report on the thematic cybersecurity review of internet brokers in September. Although the results indicated that most of the inspected firms complied with the Guidelines for Reducing and Mitigating Hacking Risks Associated with Internet Trading (Cybersecurity Guidelines), the SFC noted a number of deficiencies and pinpointed a list of best practices adopted by industry players.

It’s worth reviewing these findings against your own approach to cybersecurity.

Two-factor authentication

For the implementation of two-factor authentication (2FA) for system login, the SFC advises against delivering one-time passwords through email. It also recommends that licensed corporations should limit the number of devices registered to an account and check regularly for technical security loopholes. Specifically, the SFC highlighted that it is a breach of the Cybersecurity Guidelines to allow clients to deactivate the 2FA function.

Unauthorised access

When it comes to monitoring and surveillance for detecting unauthorised access, licensed corporations should perform the monitoring process at least daily, and check thoroughly for design flaws when relying on automated IP address monitoring tools. Firms with a larger transaction volume should deploy technology to review client transactions rather than reviewing them manually.

Data encryption

Firms are reminded to implement data encryption aligned with international security standards, for example those published by the National Institute of Standards and Technology. The SFC reminds corporations to review those security standards on an ongoing basis in order to upgrade encryption algorithms appropriately.

Time-out controls

Stringent controls should be implemented to ensure sessions time out after a period of client inactivity – which the SFC suggests should generally be 30 minutes. On a case-by-case basis, clients conducting programme trading may be allowed longer idle timeout periods, subject to close monitoring. The SFC reiterates that firms should not allow clients to disable the session timeout and should conduct sufficient testing to ensure it is properly configured and functioning.
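To make these points concrete, here is an added example (not code from the SFC report or from Bovill) of a server-side idle-timeout policy: a 30-minute default, a longer period only for programme-trading clients that the firm has approved and keeps under close monitoring, and a client preference handler that refuses any attempt to change or disable the timeout. The four-hour ceiling and the allow-list of client-settable keys are assumptions for illustration, not figures from the Guidelines.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

# Added example, not code from the SFC report or from Bovill.
# Times are seconds since the epoch so the logic is independent of any clock library.
DEFAULT_IDLE_TIMEOUT_S = 30 * 60        # the SFC's general suggestion of 30 minutes
PROGRAMME_TRADING_CAP_S = 4 * 60 * 60   # assumed firm-set ceiling; not a figure from the Guidelines
CLIENT_SETTABLE = {"language", "theme"}  # assumed allow-list: the timeout is deliberately absent


@dataclass
class Session:
    client_id: str
    last_activity: float                        # seconds since epoch
    programme_trading: bool = False             # client approved for programme trading
    closely_monitored: bool = False             # extension valid only while monitoring is in place
    approved_timeout_s: Optional[int] = None    # longer idle period approved case by case
    preferences: Dict[str, str] = field(default_factory=dict)


def effective_timeout_s(session: Session) -> int:
    """Idle seconds after which the session must end. Only approved programme-trading
    clients under close monitoring get a longer period, and never beyond the cap."""
    if session.programme_trading and session.closely_monitored and session.approved_timeout_s:
        return min(session.approved_timeout_s, PROGRAMME_TRADING_CAP_S)
    return DEFAULT_IDLE_TIMEOUT_S


def is_expired(session: Session, now: float) -> bool:
    return now - session.last_activity >= effective_timeout_s(session)


def touch(session: Session, now: float) -> None:
    """Record client activity; an already expired session is not revived."""
    if is_expired(session, now):
        raise PermissionError("session expired; client must re-authenticate")
    session.last_activity = now


def update_client_setting(session: Session, key: str, value: str) -> bool:
    """Client-initiated preference change. Keys outside the allow-list, including any
    timeout setting such as 'session_timeout': '0' or 'disable', are refused."""
    if key not in CLIENT_SETTABLE:
        return False
    session.preferences[key] = value
    return True
```

The assertions a firm would keep in its regression suite cover exactly the cases the SFC asks to be tested: expiry at the default boundary, the monitored programme-trading exception, the loss of that exception when monitoring lapses, and rejection of client attempts to disable the timeout.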

IT audits

The SFC highlighted that a large number of the firms interviewed in this thematic review did not conduct sufficient internal IT audits to meet the baseline requirement set out in section 3.1 of the Cybersecurity Guidelines. Firms should bear in mind that they need to run their own cybersecurity assessments at least annually.

This report has a bearing on all those who provide online investment services – not just internet brokers. The SFC has highlighted numerous failures to comply with the detailed requirements of the Cybersecurity Guidelines which came into force in 2018. The report clearly indicates the SFC’s increased expectations around cybersecurity controls in response to today’s tech-driven environment. It is a reminder for all firms to actively review cybersecurity procedures internally before the SFC comes knocking.

How Bovill can help

Our consultants can help you review and update your policies and procedures to make sure they are both effective and compliant with the regulator’s expectation. We can also provide up-to-date guidance to help you navigate through the complex regulatory requirements. Get in touch with us to find out more.
