


Compliance Impact Alert:

Thematic Cybersecurity Review of Licensed Corporations


Feb 2025


Disclaimer:

Contents contained in this document should not be regarded as a substitute for legal and/or compliance advice in any circumstances and shall not be reproduced (in whole or in part), distributed or otherwise passed on to any other person without our prior written consent.


Language: English version only


Overview


The Securities and Futures Commission (“SFC”) completed a thematic review of cybersecurity practices among 50 licensed corporations (“LCs”) in Hong Kong engaging in internet trading. The review assessed compliance with Cybersecurity Guidelines and the Code of Conduct, focusing on phishing, end-of-life (“EOL”) software, and third-party provider management. On-site inspections were conducted at 7 internet brokers, and deep-dive discussions were held with 6 globally operating LCs.


The review identified eight significant breaches between 2021 and 2024, linked to issues like weak two-factor authentication (“2FA”), poor security configurations, delayed security patches, inadequate encryption, and unauthorized access to admin accounts. The SFC highlighted insufficient senior management oversight and weak cybersecurity measures as key contributors. To address rising threats, the SFC issued guidelines on phishing prevention, software management, and cloud security.


**For more details, please refer to 2023/24 Thematic Cybersecurity review of LCs**


Findings of Cybersecurity Incidents and Expectations


The SFC surveyed 50 LCs to assess cybersecurity practices. Key findings, impacts and expectations are summarized below:

| Findings | Impact | Expectations |
| --- | --- | --- |
| 1. Ransomware Attacks | One LC's systems and data were encrypted, requiring a full rebuild to resume trading. | Deploy anti-malware, avoid embedded hyperlinks, conduct training, and establish incident handling. |
| 2. Phishing Vulnerabilities | A ransomware attack traced to a phishing email encrypted an LC's systems, necessitating a rebuild. | Conduct simulations and ensure effective reporting procedures. |
| 3. EOL Software Management | EOL software increased risks of unauthorized access to critical systems. | Maintain IT asset inventories, monitor software validity, and cease using EOL systems. |
| 4. Vulnerability to Unauthorized Access | Cybercriminals exploited unpatched VPNs and unsecured ports to access internal networks. | Enforce least-privilege access, 2FA, VPNs, session timeouts, and monitor third-party access. |
| 5. Third-Party Provider Management | A cyber-attack on a provider disrupted clearing services; some LCs had non-compliant trading systems. | Conduct due diligence, establish SLAs, monitor performance, and include providers in contingency plans. |
| 6. Cloud Security | Weak network policies increased data leakage risks. | Secure infrastructure, enforce access controls, manage API keys, and back up data securely. |

Actions and Recommendations


LCs must ensure senior management (e.g. MIC-IT) addresses cybersecurity risks by:


1. Appointing qualified staff and allocating resources.


2. Reviewing and approving risk management policies.


3. Conducting regular cybersecurity reviews and addressing vulnerabilities.


4. Restricting access to sensitive systems and enforcing secure remote access.


5. Maintaining and testing contingency plans.


Requirements are effective immediately, but the SFC will adopt a practical approach for LCs needing time to upgrade systems. Future plans include a comprehensive review of cybersecurity requirements to develop a broader framework for all LCs.


How We Can Help


Our team comprises experienced professionals with deep expertise in compliance, risk management, and policy review and development, and can identify gaps between the regulatory expectations in the circular and your current policies and procedures. We understand the complexities of regulatory requirements and provide tailored solutions to meet your specific needs and close any material gaps. Our expertise ensures adherence to regulatory standards and enhances overall compliance practices.

If you have any questions, please feel free to Contact Us.

