The proposals comprise 20 cyber security control practices and are classified into three groups: the protection of clients’ internet trading accounts, infrastructure security management, and cyber security management and supervision, according to the consultation paper released by the regulator.
The baseline requirements target brokers, but also include asset management firms that distribute funds through their internet-based trading facilities.
Key proposed requirements include two-factor authentication for clients’ system login and prompt notifications to clients about certain activities in their internet trading accounts.
In addition, the SFC is proposing to expand the scope of cyber security-related regulatory principles and requirements to cover the internet trading of securities that are not listed or traded on an exchange, such as unit trusts and mutual funds.
Currently, the regulations apply only to electronic trading of securities and futures listed or traded on exchanges, according to the consultation paper.
“Hacking of internet trading accounts is the most serious cyber security risk faced by internet brokers in Hong Kong,” Ashley Alder, SFC’s CEO, said in a statement. “Brokers must strengthen their resilience to hacking and other cyber security risks by adopting robust preventive and detective controls,” he added.
The consultation is open for two months until 7 July.
Separately, the SFC launched another consultation last week, proposing additional protective measures for selling complex products via online distribution platforms and for providing robo-advisory services, as reported.