Cybersecurity: Lessons to learn from the recent SFC thematic review


More than 95% of all active traders in Hong Kong trade through internet trading systems. In this article, Padraig Walsh from our Cybersecurity team highlights key points in a report from a recent thematic cybersecurity review of licensed corporations published by the Securities and Futures Commission (“SFC”).

Measures against phishing attacks

Phishing attacks remain the most common form of cyberattacks.[1] Recommended anti-phishing measures include:

  • Provide regular cybersecurity awareness training to all staff. One form of training is regular phishing simulation. Simulated phishing exercises help test staff’s awareness of and response to phishing attacks. To incentivise an appropriate response from staff, corporations may adopt a “carrot-and-stick” approach. There have been examples where licensed corporations took disciplinary action against staff who had repeatedly failed the simulation, while rewarding staff who dealt with the phishing attack appropriately.
  • Deploy multiple means of identifying potential phishing attacks. Licensed corporations should deploy technical security solutions such as filtering tools for email, web and attachment contents. Automated solutions to monitor and identify fraudulent websites on the internet are also useful. There should be clear reporting procedures so that clients can help alert corporations to any phishing attempts.
  • Send regular cybersecurity alerts and reminders to clients. Upon identification of phishing activities, licensed corporations should promptly post alert messages on social media to remind clients to stay vigilant. In cases where alerts are sent via SMS, licensed corporations may consider participating in the SMS Sender Registration Scheme, under which legitimate SMSs are differentiated by the prefix “#”, which helps clients verify the senders’ identities.

EOL software management

EOL (end-of-life) software refers to software which has reached the end of its life cycle and is no longer given technical support and maintenance such as updated security patches and fixes. This puts EOL software at major risk of attackers gaining an entry point to penetrate the target’s IT environment. The SFC recommends:

  • Identify and monitor EOL software and operating systems. For example, as of the date of this article, Windows 7 has reached the end of its lifecycle, while Windows 8 and 10 are being phased out. To keep close watch on EOL software, corporations should maintain a complete IT asset inventory list and review it regularly. Licensed corporations should also regularly gather information on software’s EOL from official sources.
  • Cease usage of EOL software on all critical system servers and databases. Internet-facing servers, trading-related servers and databases should not be built upon EOL systems. For non-critical system servers and databases, EOL software should be upgraded or replaced in a timely manner unless there are measures in place to properly mitigate the associated cybersecurity risks.

Remote access management

Remote working has become an integral part of many businesses. However, remote access solutions may give rise to cybersecurity vulnerabilities, as attackers use them as an entry point to infiltrate internal networks. There are measures that corporations may take to counter these risks. They include:

  • Only grant remote access rights on a “least privileged” and “need-to-have” basis. Access credentials should only be assigned to staff of appropriate bands or ranks to limit exposure to data breaches through remote systems. Access rights should be routinely reviewed and adjusted.
  • Implement multiple security controls. Common forms of control are remote access via VPN, multi-factor authentication, timeout, and temporary access suspension after multiple invalid login attempts.
  • Prevent and identify unauthorised remote access, or attempts at such access, to internal networks. This may be achieved through blocking remote access from certain IP addresses, such as private VPNs and sanctioned countries, and by flagging cases where the geolocation of a user’s login IP address changes from one country to another within a short period of time.
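The two controls in the last bullet (denying logins from listed networks or countries, and flagging a user whose login country changes within a short window) can be checked against a login log. The following is an added example, not part of the SFC report or the article: the IP-to-country table, the denied network and country code, the two-hour window and the log lines are all constructed assumptions, standing in for a GeoIP database and a real authentication log.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed IP-prefix -> country table (assumption for this example; a real
# deployment would query a GeoIP database). The prefixes are documentation ranges.
GEO_PREFIXES = {
    ip_network("203.0.113.0/24"): "HK",
    ip_network("198.51.100.0/24"): "GB",
    ip_network("192.0.2.0/24"): "ZZ",   # "ZZ" is a placeholder sanctioned-country code
}

# Constructed policy: a placeholder denied country, a hypothetical commercial VPN
# range to deny outright, and the window used for impossible-travel detection.
DENIED_COUNTRIES = {"ZZ"}
DENIED_NETWORKS = [ip_network("198.51.100.128/25")]
TRAVEL_WINDOW = timedelta(hours=2)

# Constructed sample log: "<ISO timestamp> <user> <source ip>", one login per line.
SAMPLE_LOGINS = [
    "2025-03-03T09:00:00 alice 203.0.113.5",     # HK
    "2025-03-03T09:45:00 alice 198.51.100.9",    # GB, 45 minutes later
    "2025-03-03T10:00:00 bob 198.51.100.200",    # inside the hypothetical VPN range
    "2025-03-03T10:30:00 carol 192.0.2.10",      # placeholder sanctioned country
    "2025-03-04T08:00:00 alice 203.0.113.7",     # HK again, next day
]


@dataclass
class Login:
    when: datetime
    user: str
    ip: str


def parse_login(line: str) -> Login:
    """Parse one constructed log line into a Login record."""
    ts, user, ip = line.split()
    return Login(datetime.fromisoformat(ts), user, ip)


def country_for(ip: str) -> str:
    """Resolve an address to a country code via the constructed prefix table."""
    addr = ip_address(ip)
    for net, country in GEO_PREFIXES.items():
        if addr in net:
            return country
    return "UNKNOWN"


def evaluate(lines):
    """Return (user, ip, reason) findings for logins that policy should deny or flag.

    Denied logins are not recorded as the user's last location, so a blocked
    attempt cannot itself trigger a later impossible-travel finding.
    """
    findings = []
    last_seen = {}  # user -> (timestamp, country) of the most recent accepted login
    logins = sorted((parse_login(line) for line in lines), key=lambda x: x.when)
    for login in logins:
        addr = ip_address(login.ip)
        if any(addr in net for net in DENIED_NETWORKS):
            findings.append((login.user, login.ip, "denied network"))
            continue
        country = country_for(login.ip)
        if country == "UNKNOWN":
            findings.append((login.user, login.ip, "unresolved geolocation"))
            continue
        if country in DENIED_COUNTRIES:
            findings.append((login.user, login.ip, f"denied country {country}"))
            continue
        prev = last_seen.get(login.user)
        if prev and prev[1] != country and login.when - prev[0] <= TRAVEL_WINDOW:
            findings.append((login.user, login.ip, f"impossible travel {prev[1]}->{country}"))
        last_seen[login.user] = (login.when, country)
    return findings


if __name__ == "__main__":
    for user, ip, reason in evaluate(SAMPLE_LOGINS):
        print(f"{user:6} {ip:16} {reason}")
```

Note that the impossible-travel rule compares against the user's last accepted login only, and alice's next-day login from Hong Kong produces no finding because it falls outside the window. In a live system the window and the country table would be tuned to the corporation's own staff locations and travel patterns, and any finding would feed the access-suspension and review procedures described above rather than being acted on silently.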

Third party provider management

Many licensed corporations engage third party providers of IT services. Cybersecurity breaches at the third party providers’ end can compromise the businesses of the service users. The licensed corporation’s responsibility for securing its systems is not absolved by simply outsourcing its IT systems; the licensed corporation must properly manage its service providers.

  • Conduct proper due diligence on the providers prior to the engagement. Due diligence should include an assessment of the adequacy of the cybersecurity measures proposed by the providers. The SFC noted in its report that some licensed corporations would exchange information with other brokers on providers that they used, conduct interviews with the providers, and request the providers to complete a security checklist.
  • Put in place specific cybersecurity terms in formal contractual arrangements. Agreements with third party providers should cover security obligations to give contractual assurance and accountability. There should also be specific terms on reporting procedures in the event of a cybersecurity incident, and on contingency plans in the event of disruptions.

Cloud security

Most businesses host their applications and systems in a cloud environment. Some businesses adopt multiple clouds to help enhance system resilience and minimise the risk of service interruption. The downside is that the usage of multiple clouds increases the complexity of managing different cloud environments, giving rise to potential vulnerabilities. The SFC recommended in its report to:

  • Segregate critical systems and data from other groups that are subject to higher hacking risk exposure. If necessary, consult and engage a competent third party provider to design and implement the network infrastructure to suit the individual business’s needs and risks.
  • Back up business records, client and transaction databases, and servers to an offline medium. This should be done on at least a daily basis. The backup should be “immutable”, which means the backup medium should be disconnected from the cloud environment after each backup process.

Concluding remarks

The thematic review conducted by the SFC is a timely summary of key issues for licensed corporations to keep in mind in respect of cybersecurity. The touchstone SFC guideline is the SFC’s Guidelines for Reducing and Mitigating Hacking Risks Associated with Internet Trading (link). Failure to meet the cybersecurity standards and expectations of the SFC may reflect adversely on a licensed corporation’s and licensed persons’ fitness and properness in conducting regulated activities.

The SFC has for some time now placed institutional resilience as a core strategic priority. Cyber resilience, IT strategy, and internal control and governance are all elements of institutional resilience. The SFC is very mindful that it is the primary regulator of Hong Kong’s financial markets, which are a critical infrastructure of Hong Kong. With the imminent introduction into law and force of the Protection of Critical Infrastructures (Computer Systems) Bill in Hong Kong, we expect the SFC to intensify its focus on cybersecurity even more. We can expect that the SFC will be one of the sector regulators designated to discharge organisational and preventive obligations under the new laws. This will see the SFC working closely with the new Commissioner on cybersecurity matters.

We are at the dawn of a new era of regulation and oversight of cybersecurity. This thematic review and report by the SFC are incisive reminders to licensed corporations in the financial markets sector to review and strengthen cyber readiness.


Pádraig Walsh


If you want to know more about the content of this article, please contact:

Padraig Walsh


Disclaimer: This publication is general in nature and is not intended to constitute legal advice. You should seek professional advice before taking any action in relation to the matters dealt with in this publication. This article was last reviewed on 07 March 2025.

[1] §17 of the Report.

