SFC orders tighter safeguards to stop hackers invading online trading accounts

The 20 rules include the obligation to set up two factor authentication for their clients to log in to their internet trading accounts.

Two factor authentication uses two of “what a client knows”, “what a client has”, or “who a client is” to improve security of the logging in process.

“Robust preventive and detective controls are essential to reduce and mitigate cybersecurity risks,” said Julia Leung, SFC executive director, in a statement.

“Given that passwords have not proven effective to prevent hacking, two-factor authentication is an important part of effective cybersecurity risk management.”

In the 18 months to the end of March 2017, 12 licensed corporations in Hong Kong reported 27 cybersecurity incidents, most of which involved unauthorised access to client trading accounts held by securities brokers. These resulted in unauthorised trades totalling more than HK$110 million, according to the SFC.

According to a report from cybersecurity company ESET, Hong Kong was the second most targeted place in Asia by cyberattacks in the past three years.

The report also said that 55 per cent of cyber breaches during the period at small to medium sized businesses were caused by a lack of two-factor authentication.

The Hong Kong Monetary Authority also issued a circular on Friday requiring registered banking institutions in the city to ensure that their internet trading services meet the SFC’s requirements.

Other rules in the SFC’s circular require stringent protocols on passwords, a secure network infrastructure and a cybersecurity risk management framework.

“The financial services sector is one of the most targeted private sectors for physical and cyberattacks,” said Ben Wootliff, partner and head of cybersecurity in Asia Pacific at Control Risks.

He was speaking after an exercise on Friday carried out by the Hong Kong Financial Services Business Continuity Management Forum and Control Risks to test Hong Kong financial services sector’s readiness to respond to cyber and physical attacks.


Source: South China Morning Post (http://www.scmp.com/business/article/2117363/sfc-orders-tighter-safeguards-stop-hackers-invading-online-trading-accounts)