Hong Kong consults the public on how to improve internet trading security

Adrian M. Reodique

The Securities and Futures Commission (SFC) of Hong Kong has opened a two-month consultation for its proposal to reduce and mitigate hacking risks in internet trading.

The consultation paper proposes new guidelines that set out baseline cybersecurity requirements for internet brokers.

"Hacking of internet trading accounts is the most serious cybersecurity risk faced by internet brokers in Hong Kong," said Ashley Alder, chief executive officer of SFC. "Brokers must strengthen their resilience to hacking and other cybersecurity risks by adopting robust preventive and detective controls."

Among the proposed requirements is the implementation of two-factor authentication (2FA) for client login. Companies are free to choose two factors among what a client knows (eg. password), what a client has (eg. hardware token), and who that client is (e.g. biometrics).

Meanwhile, the current cybersecurity-related regulatory principles and requirements, included in the Code of Conduct, only apply to electronic trading of securities and futures contracts listed or traded on an exchange. As such, SFC also proposes to expand the scope of these principles and requirements to cover internet trading of securities, which are not listed or traded on exchange. This includes unit trusts and mutual funds.

In addition, SFC proposes updating the definition of internet trading in the Code of Conduct. It will clarify that an internet-based trading facility may be accessed through a computer, mobile device or other electronic device.

The public and the industry can provide comments for the consultation from now till 7 July 2017.