
Circular to licensed corporations: phishing detection and prevention

May 22, 2025

The Securities and Futures Commission ("SFC") has reminded licensed corporations ("LCs") of their obligations regarding phishing detection and prevention, following an increase in phishing attacks that have caused financial losses to clients. The SFC has outlined key cybersecurity standards, emphasizing the importance of not using hyperlinks for transactions and not requesting sensitive information via links. LCs must implement effective monitoring systems and notify clients of phishing incidents. They are required to report any material system failures or market misconduct to the SFC.

This article was generated using SAMS, an AI technology by Timothy Loh LLP.

On May 21, 2025, the Securities and Futures Commission ("SFC") issued a circular reminding SFC-licensed corporations ("LCs") of their obligations regarding phishing detection and prevention.

The circular underscores a recent surge in phishing attacks that have resulted in substantial financial losses for clients, notably via SMS messages containing embedded hyperlinks.

LCs are required to adhere to the standards outlined in the Code of Conduct and to promptly report any phishing incidents to the SFC.

The SFC stresses the importance of proactive measures to safeguard client accounts and deter unauthorized transactions.

LCs are instructed not to send electronic messages containing hyperlinks to their websites or applications for transactions. Requests for sensitive information, such as login credentials and one-time passwords, must not be made via hyperlinks.

Regular cybersecurity alerts and reminders must be sent to clients, and LCs must implement effective monitoring systems to detect unauthorized access to clients' internet trading accounts.

LCs must inform clients that they will not request sensitive information through hyperlinks and advise them not to share login information on unverified websites.

In the event of a phishing incident, LCs must notify affected clients to report to the Police and inform others promptly.

LCs offering internet trading must establish robust risk management and supervisory controls, including automated pre-trade and post-trade monitoring.

Under Code of Conduct paragraph 12.5(e), LCs must immediately report any material failure or error in their trading, accounting, clearing, or settlement systems to the SFC. Similarly, paragraph 12.5(f) requires LCs to report suspected market misconduct by clients to the SFC, providing relevant details.

The circular is titled 'SFO/IS/015/2025' and relates to the 'Code of Conduct for Persons Licensed by or Registered with the Securities and Futures Commission'.

The document provides guidelines for reporting material failures, errors, defects in systems, and potential client market misconduct. It was last updated on May 21, 2025.

Intermediaries Division

Securities and Futures Commission
