RegulationAsia article

HK Brokers Face Cost Squeeze from Cybersecurity Guidelines

Brokers will be required to use 2FA for client log-ins; implement raft of new measures including management responsibility, stress tests.

Hong Kong’s SFC (Securities and Futures Commission) issued the results of a consultation on cybersecurity for intermediaries, with the guidelines likely to substantially increase costs for small and mid-sized brokers in the Special Administrative Region.

The guidelines have 20 baseline requirements, including 2FA (two-factor authentication) for client log ins to securities trading accounts. Apart from the 2FA requirement, firms have nine months rather than an initially proposed six months to implement them.

“Given that passwords have not proven effective to prevent hacking, two-factor authentication is an important part of effective cybersecurity risk management,” SFC executive director Julia Leung said in a statement.

But Dmitri Hubbard, general counsel for technical and strategic crisis response firm Blue Dragon, suggested 2FA via SMS – a lower cost option which will be popular among smaller brokers – might not provide sufficient security.

“Additional safeguards are needed,” he explained. “There is an inherent risk in using a phone as the device for 2FA as if it is compromised or lost, this and other personal data may be stored in the same device. This is a powerful combination for a staged attack involving identity theft. As the device may also be used to access the online trading account, this would not only defeat 2FA, but hand all the personal data and both factors to a hacker.”

According to the guidelines, intermediaries should also use encryption to secure client login details “and trade data during transmission between internal networks and client devices.”

This and the other measures are likely to increase the costs of small and mid-sized brokers, according to Josephine Chung, founder of consulting firm Compliance Plus.

“Small and medium sized firms should also beef up their cybersecurity controls in protection of client login passwords; secure network infrastructure; user access management; security controls over remote connection; end-point protection; unauthorised installation of hardware and software; physical security; roles and responsibilities of management; cybersecurity incident reporting; awareness training for internal system users; and alerts and reminders to clients,” she added.