SFC Responsible Officers (RO) and related Manager-In-Charge (MIC) should know what cyber security means to their business in technology and now also in regulatory perspective.
As of March 2017, over a hundred and ten million of Hong Kong dollars of unauthorized transactions were reported at 12 securities brokers in Hong Kong by the Securities and Futures Commission (SFC). Half of them happened in those brokers that did not enforce 2FA.
On 27 October 2017, the regulator announced 20 baseline cyber security requirements that address the concern of internet trading hacking risks. There are six guidelines for protection of clients’ internet trading accounts, ten for management of license corporate’s infrastructure security, four for management and supervision of cyber security.
Securities brokers and asset managers that have client facing internet trading facilities are most concerned. In particular, the two-factor authentication (2FA) requirement will be effective late April 2018 and it means there is merely six months for licensed corporates to put the 2FA in place. Remaining 19 requirements will be effective late July 2018.
If you don't have sufficient capacity to upgrade your cyber security infrastructure, the regulator asks you to seek external assistance. It means that you don't have an excuse for not implementing the requirements. The RO and MIC are supposed to put the guidelines into action before the deadline.