
Circular to licensed corporations - Cybersecurity review of licensed corporations

Feb 5, 2025

The article details a report by the Securities and Futures Commission ("SFC") on the 2023/24 Thematic Cybersecurity Review of Licensed Corporations. It highlights eight significant cybersecurity incidents over the period 2021-2024, including ransomware attacks and data breaches. The report identifies deficiencies in cybersecurity compliance, such as unqualified two-factor authentication, lax firewall configurations, and delays in implementing patches. It sets out expected standards for network security, patch management, data encryption, and user access rights to mitigate risks. The SFC also emphasizes the responsibility of senior management to ensure cybersecurity policies, regular reviews, and contingency plans are in place. The report calls for a comprehensive review of the existing cybersecurity framework for all licensed entities to better manage cybersecurity risks.

This article was generated using SAMS, an AI technology by Timothy Loh LLP.

Article written on 6 Feb 2025.

The Securities and Futures Commission ("SFC") today issued its Report on the 2023/24 Thematic Cybersecurity Review of Licensed Corporations ("Report"). The Report is based on the SFC's recent thematic review of selected internet brokers' compliance with the Cybersecurity Guidelines and Code of Conduct, collectively referred to as the "Cybersecurity Requirements". The Report also includes cybersecurity incidents reported by licensed corporations ("LCs") over the past years. The Report outlines expected standards in relation to phishing detection and prevention, use of end-of-life ("EOL") software, remote access management, third-party IT service provider ("Third Party Provider") management, and cloud security.

Cybersecurity incidents

Eight material cybersecurity incidents were reported by LCs between 2021 and 2024, causing significant business disruptions or hacking of client accounts.

- Two LCs faced ransomware attacks, affecting all their IT systems and causing severe operational disruptions.

- Another LC experienced a back-office service disruption due to a compromised vendor's network, exacerbated by the lack of an adequate contingency plan.

- Some LCs encountered security loopholes in their networks, leading to unauthorized access and modifications by fraudsters.

LCs must be vigilant about potential cybersecurity threats, rectify vulnerabilities, and take proactive measures to protect both themselves and their clients from cyber-attacks.

The use of EOL software in systems and servers by LCs may have contributed to these cyber-attacks.

Compliance with the Cybersecurity Requirements

Improved compliance with cybersecurity requirements was noted, yet significant deficiencies remained, including unqualified two-factor authentication, lax system server security, delayed patch implementation, weak encryption, excessive admin access, and lack of audit trails. Key areas for improvement include network security, regular technical cybersecurity reviews, patch management, strong encryption for data-in-transit and data-at-rest, limited user access rights, effective logging and monitoring, and monitoring client accounts for unauthorized access.

Emerging cybersecurity threats and risks

As digitalization and automation increase, LCs often engage Third Party Providers for IT services, risking system disruption and data leaks. Proper management and supervision of these providers are essential.

LCs adopting cloud services for trading or back-office systems must understand and implement corresponding security measures to protect against breaches.

Potential risks include phishing attacks, use of EOL software, unpatched VPN solutions, and ransomware via phishing. LCs should set standards for phishing prevention, EOL software management, remote access, Third Party Provider management, and cloud security.

While SMS one-time passwords ("OTPs") are common for system login and device binding, they face security risks such as interception via malware. LCs should adopt more secure methods like biometrics or software tokens and avoid SMS OTPs for authentication.
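The "software token" the SFC recommends over SMS OTPs is, in practice, an RFC 4226/6238 HOTP/TOTP generator: the code is derived locally from a shared secret and the current time, so there is no SMS message for malware to intercept. The following Python block is an added illustration written for this summary, not code from the SFC Report or from Timothy Loh LLP. It shows both the token side (code generation) and the verifier side that an LC's login system would run, including the two details a verifier needs to get right: tolerating a small clock drift window, and refusing to accept the same time step twice so that a code captured from a compromised device cannot be replayed. The class and function names are this example's own choices.

```python
"""Minimal RFC 4226 (HOTP) / RFC 6238 (TOTP) software token and verifier.

Added illustration only; not taken from the SFC Report. Names such as
SoftwareTokenVerifier and new_shared_secret are this example's own.
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Tuple


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP value for one counter step (RFC 4226: HMAC-SHA1 + dynamic truncation)."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP over the time counter floor(at / step) (RFC 6238)."""
    return hotp(secret, int(at // step), digits)


class SoftwareTokenVerifier:
    """Server-side verifier for one enrolled token.

    - accepts codes within +/- `window` steps to tolerate device clock drift
    - rejects any step at or before the last accepted one (replay protection)
    - compares codes in constant time
    """

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window
        self.last_step = -1  # highest counter step already consumed

    def verify(self, code: str, now: float) -> bool:
        if len(code) != self.digits or not code.isdigit():
            return False
        current = int(now // self.step)
        for step in range(current - self.window, current + self.window + 1):
            if step <= self.last_step:
                continue  # already used (or older than a used step): replay
            expected = hotp(self.secret, step, self.digits)
            if hmac.compare_digest(expected, code):
                self.last_step = step
                return True
        return False


def new_shared_secret(nbytes: int = 20) -> Tuple[bytes, str]:
    """Enrolment secret; the base32 form is what authenticator apps import."""
    raw = secrets.token_bytes(nbytes)
    return raw, base64.b32encode(raw).decode()


if __name__ == "__main__":
    raw, b32 = new_shared_secret()
    verifier = SoftwareTokenVerifier(raw)
    now = time.time()
    code = totp(raw, now)
    print("enrolment secret (base32):", b32)
    print("current code:", code, "accepted:", verifier.verify(code, now))
    print("same code replayed, accepted:", verifier.verify(code, now))
```

The generator reproduces the published RFC 4226 and RFC 6238 test vectors, so it interoperates with standard authenticator apps. The verifier's `last_step` state is what distinguishes a login system that merely checks the arithmetic from one that actually closes the interception-and-replay window the SFC describes; it must be persisted per enrolled token, not kept only in memory.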

Senior management responsibility

LCs are reminded that senior management, particularly the Manager-In-Charge of Information Technology ("MIC-IT"), bears ultimate responsibility for identifying, monitoring, and mitigating cybersecurity risks.

Senior management must:

- Appoint qualified staff and third-party providers, and deploy adequate technology and financial resources.

- Regularly review and approve cybersecurity risk management policies and procedures.

- Conduct regular cybersecurity reviews of their network and systems, and ensure identified issues are properly followed up.

- Establish and regularly review and test contingency plans for cybersecurity scenarios.

These requirements are immediate, but the SFC will take a pragmatic approach in assessing LC compliance.

Way forward

In 2025, the existing cybersecurity requirements for internet brokers will be reviewed to address non-internet trading businesses' increasing dependency on technology. An industry-wide cybersecurity framework will be developed to guide all licensed corporations ("LCs") in managing cybersecurity risks.

The review will focus on LCs engaged in non-internet trading, which are also vulnerable to cyber-attacks. This review will aim to expand the current guidelines, which primarily target internet brokers. For further guidance, reference is made to the 2020 Cybersecurity Review Circular and the Cybersecurity Guidelines outlined in the Code of Conduct and Schedule 7. Unnecessary service ports and access should be limited to mitigate risks.

LCs are required to log and retain activities in critical email servers and review them regularly. End-of-life ("EOL") software should be identified and replaced to ensure security patches and updates are available.

Virtual Private Networks ("VPN") should be used for secure connectivity to corporate applications. Paragraphs 4.1 and 4.3 of the Code of Conduct and sections of the Cybersecurity Guidelines provide detailed instructions for secure practices.
