The Securities and Futures Commission (SFC) has issued a circular addressed to financial market intermediaries informing them that it will launch a cybersecurity review of selected licensed corporations (LCs) to evaluate LCs' cybersecurity management, compliance, and information system resilience against cyber threats. This review aligns with the SFC's emphasis on cybersecurity and follows a review of recent cybersecurity incidents and on-site inspections which revealed various security vulnerabilities, such as the use of end-of-life software (software the vendor no longer supports) and inadequate controls against remote access and phishing attacks.
Thus, to evaluate the industry's readiness and resilience to cyber risks, particularly at firms using third-party providers and/or relying on cloud services, the SFC will conduct a cybersecurity review in September 2023. This review will include:
1. a survey of selected LCs of various sizes and types, covering cybersecurity management, incident reporting, system and data integrity, cloud security, remote access controls, IT asset management, and third-party vendor risk management;
2. meetings with selected LCs "to understand their cybersecurity governance and controls"; and
3. on-site inspections of some LCs to assess their information technology controls, compliance with the SFC’s Cybersecurity Guidelines, and other standards.
The findings from this review will guide the SFC in providing further industry guidance and sharing observations with relevant stakeholders.
—
In this context, the SFC also reminds firms of their obligation to adhere to the system security requirements outlined in the Code of Conduct. Those offering internet trading must also comply with the baseline requirements specified in the aforementioned Cybersecurity Guidelines, the FAQs, and the standards from the 2019-20 thematic cybersecurity review of internet brokers.