The Securities and Futures Commission (SFC) noted that material cybersecurity incidents in recent years involving cyberattacks against licensed corporations (LCs) had resulted in significant business disruptions or hacking of client accounts.
Issued today, the SFC’s Report on the 2023/24 Thematic Cybersecurity Review of Licensed Corporations (Report) noted eight incidents of material cybersecurity breach reported to the SFC between 2021 and 2024. In some incidents, fraudsters conducted unauthorised trades in clients’ accounts after gaining control of them by infiltrating the LCs’ networks through network security loopholes. The use of end-of-life software and weak algorithms for encrypting client data are some of the common weaknesses identified in these incidents (Note 1).
Such vulnerabilities indicate the LCs’ insufficient senior management oversight and inadequate controls on cybersecurity measures.
In addition, to address emerging cybersecurity risks, the SFC has set out in the Report the standards of conduct expected of LCs in relation to phishing detection and prevention, end-of-life software management, remote access, management of third-party IT service providers and cloud security.
“Licensed firms must take all necessary measures to ward off increasingly sophisticated and prevalent cyberattacks in a highly interconnected and digitalised world. Failing to address the growing threat and mitigate the associated risks, licensed firms would not only jeopardise their own security, but also that of their clients and even our financial system as a whole,” said Dr Eric Yip, the SFC’s Executive Director of Intermediaries. “To this end, senior management must also recognise the critical importance of safeguarding the cybersecurity of their firms, without leaving these responsibilities to only their IT department.”
The SFC, together with the Hong Kong Police Force, will host cybersecurity webinars in February to further share the findings of the thematic review and the common cybersecurity threats in Hong Kong (Note 2).
The SFC will also conduct another comprehensive review on the existing cybersecurity requirements and expected standards in 2025, in order to develop an industry-wide cybersecurity framework and guide LCs on better managing cybersecurity risks.
Notes:
- End-of-life software refers to software which has reached the end of its useful life. The software provider has stopped supporting it and no updated security patches and fixes are available.
- Please refer to the Circular to licensed corporations, SFC-licensed virtual asset service providers and associated entities - Cybersecurity webinar for details.