The SFC is launching a two-month consultation on the proposed guidelines that set out 20 baseline cybersecurity requirements to mitigate against hacking risks.

The regulatory body says that for the 18 months ended 31 March 2017, 12 licensed corporations reported 27 cybersecurity incidents, most of which involved hackers gaining access to clients’ internet-based trading accounts with securities brokers, resulting in unauthorised trades totalling more than $110 million. 

Other incidents involved distributed denial-of-service attacks, accompanied by threats of extortion.

Key proposed requirements include two-factor authentication, for clients’ system login and prompt notification to clients of unusual activities in their internet trading accounts.

In addition, the SFC proposes to expand the scope of cybersecurity-related regulatory principles to cover the trading of securities which are not listed or traded on an exchange and to update the definition of 'internet-trading' to include mobile phones. 

“Hacking of internet trading accounts is the most serious cybersecurity risk faced by internet brokers in Hong Kong,” says Ashley Alder, the SFC’s chief executive officer. “Brokers must strengthen their resilience to hacking and other cybersecurity risks by adopting robust preventive and detective controls.”