SFC releases 20 mandatory minimum control requirements including 2FA to be effective in 2018, and a set of recommended controls for internet trading
For many investors, internet trading is now an everyday interaction with the financial market. Targeted cyber-attacks, leading to hundreds of millions in losses in the securities sector, have led to a call for more security in internet trading. In view of the evolving threat landscape that the financial services industry is facing, the Securities and Futures Commission (SFC) and Hong Kong Monetary Authority (HKMA) have tightened regulatory requirements over the years in order to enhance and safeguard the security, efficiency and resilience of the financial markets.
On 27 October 2017, the SFC released the Guidelines for Reducing and Mitigating Hacking Risks Associated with Internet Trading (“the Guidelines”), mandating 20 minimum control requirements over internet trading, including the implementation of two-factor authentication (2FA). They also released Good Industry Practices for IT Risk Management and Cybersecurity (“the Circular”) to promote additional controls that licensed corporations (LCs) engaged in internet trading could consider incorporating into their information technology and cybersecurity risk management frameworks.
As stated in the Guidelines, from 27 April 2018 it will be mandatory for internet brokers to implement 2FA for clients logging into their internet trading accounts. The remaining mandatory minimum control requirements must also be implemented, and LCs must comply with them on or before 27 July 2018.
This brochure looks at what 2FA is, walks through the 20 mandatory controls in the Guidelines, highlights the additional good practices recommended by the SFC, and explains how KPMG can help.