WFH Guidance from the HK SFC to Manage Cybersecurity Risks 

May 2020

As a result of the COVID-19 pandemic, many people have been forced to work from home, and this has created new opportunities for attackers and fertile ground for cyber threats. Accordingly, on 29 April 2020, the Intermediaries Supervision Department of the Hong Kong Securities and Futures Commission (SFC) issued a circular (the Circular) containing examples of controls and procedures firms can put in place to manage their cybersecurity risks.

Cyberattacks can affect any business but SFC licensed firms are subject to various regulatory obligations requiring them to ensure that they have the operational capability to protect their operations and their clients from financial loss arising from theft, fraud and other dishonest acts, and to ensure the integrity and security of all information relevant to their business operations. In the Circular, the SFC pointed to paragraph 4.3 of the Code of Conduct and Part IV of the Internal Control Guidelines as the regulatory sources for this guidance.

We have highlighted below some of the examples provided by the SFC which we think are particularly relevant to asset management clients.

1.

If a firm allows staff to remotely access the firm’s internal network and system through a Virtual Private Network (VPN):

  • Only use a robust VPN. Make sure that the VPN provides strong encryption and multiple layers of protection, and consider using multiple VPN servers, to help protect sensitive data in transit.

  • Use strong passwords and two-factor authentication. Combining two (or more) authentication factors (i.e. what a user knows, what a user has and who a user is) is recognised as one of the most effective controls. A criminal may manage to steal one type of proof of identity, but it is much harder to obtain the correct combination when more than one is required.

  • Limit access by external parties. Firms should avoid granting standing or permanent access to external parties (e.g. system vendors) and should allow them to access only specific systems during pre-determined timeframes.

  • Update VPN software regularly. VPN developers release security patches and hotfixes to address vulnerabilities in their software, so it is important to keep the VPN software up to date.

  • Implement network segmentation. Network segmentation limits how far an outside attacker can reach once inside the network. If an attacker breaches a segmented network, it takes them more time and effort to break out of that portion of the network and reach the information they really want (e.g. client personal data), which also gives the firm more time to detect them.

2.

Where firms allow staff to use videoconferencing platforms:

  • Do not share meeting links on social media. Invite participants via legitimate channels such as office emails and do not share links to videoconferences via social media posts, as this makes it easier for unauthorised persons to gain access to the videoconference meeting.

  • Control access to videoconferences. Restrict access to videoconferences by checking each attendee's email address and authenticating their identity, making use of "waiting room" features, etc.

  • Lock the conference meeting. Once all attendees have joined a meeting, lock the meeting to prevent others from entering the virtual meeting room.

  • Choose platform carefully and keep software up to date. Firms should assess the security features of a videoconferencing platform before using it and should make sure staff are always using the latest version of the software (with security patches).

  • Do not use personal meeting IDs. Use randomly generated meeting IDs for each meeting instead.

3.

In addition:

  • Provide cybersecurity training regularly. Provide cybersecurity training to users to ensure that they are kept abreast of emerging cybersecurity threats and trends (e.g. phishing and ransomware) and to educate them on precautionary security measures (e.g. use of secure Wi-Fi networks).

  • Detect unauthorised access. Implement monitoring and surveillance mechanisms to detect unauthorised access to internal networks and systems.

  • Incident management and reporting mechanism. Develop and maintain an effective incident management and reporting mechanism.
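As an added example, not taken from the Circular or from this article, the following Python script shows how two of the controls above (time-boxed access for external vendors rather than standing access, and monitoring to detect unauthorised access) can be turned into a concrete check. It audits VPN session records against a hypothetical access policy and flags every session that breaks it. The policy values, the log format and the log lines are all constructed for illustration; real VPN products log in their own formats, so the parser is an assumption.

```python
"""Added example (not from the SFC Circular or the article): audit constructed
VPN session records against a hypothetical access policy that encodes three
points from the Circular: every session must use a second factor, external
vendors get no standing access (named systems, fixed windows only), and any
session breaching the policy is reported for follow-up."""
from datetime import datetime, time

# Hypothetical policy, assumed for illustration and not prescribed by the SFC.
POLICY = {
    # Staff may reach only these network segments over the VPN.
    "staff": {"segments": {"office", "trading"}},
    # Vendors may reach only oms-01, on weekdays, between 09:00 and 12:00.
    "vendor": {"systems": {"oms-01"}, "weekdays": {0, 1, 2, 3, 4},
               "window": (time(9, 0), time(12, 0))},
}


def parse_session(line):
    """Parse one constructed log line of the form
    '<ISO timestamp>,<user>,<role>,<mfa yes|no>,<target system>,<segment>'."""
    ts, user, role, mfa, target, segment = line.strip().split(",")
    return {"ts": datetime.fromisoformat(ts), "user": user, "role": role,
            "mfa": mfa == "yes", "target": target, "segment": segment}


def violations(s):
    """Return the policy rules this session breaks (empty list == compliant)."""
    found = []
    if not s["mfa"]:
        found.append("no second factor")
    if s["role"] == "staff":
        if s["segment"] not in POLICY["staff"]["segments"]:
            found.append("segment not permitted for staff")
    elif s["role"] == "vendor":
        rule = POLICY["vendor"]
        if s["target"] not in rule["systems"]:
            found.append("system not in vendor allow-list")
        start, end = rule["window"]
        if (s["ts"].weekday() not in rule["weekdays"]
                or not (start <= s["ts"].time() < end)):
            found.append("outside pre-determined vendor window")
    else:
        # Deny by default: anything not covered by the policy is flagged.
        found.append("unknown role")
    return found


def audit(lines):
    """Return {log line: [violations]} for every non-compliant session."""
    report = {}
    for line in lines:
        v = violations(parse_session(line))
        if v:
            report[line] = v
    return report


# Constructed sample records (2020-05-04 is a Monday, 2020-05-09 a Saturday).
SAMPLE_LOG = [
    "2020-05-04T10:15:00,alice,staff,yes,fileserver,office",
    "2020-05-04T10:20:00,bob,staff,no,fileserver,office",
    "2020-05-04T10:30:00,vendorco,vendor,yes,oms-01,trading",
    "2020-05-04T19:30:00,vendorco,vendor,yes,oms-01,trading",
    "2020-05-04T10:40:00,vendorco,vendor,yes,fileserver,office",
    "2020-05-09T10:00:00,vendorco,vendor,yes,oms-01,trading",
]

if __name__ == "__main__":
    for line, why in audit(SAMPLE_LOG).items():
        print(line, "->", "; ".join(why))
```

Run against the sample records, the audit passes alice's session and the vendor's in-window session and flags the other four (a staff login without a second factor, a vendor login outside the agreed hours, a vendor reaching a system not on its allow-list, and a vendor login on a weekend). The design point is that vendor access is denied unless a rule explicitly permits it, so the firm never has to remember to revoke standing access, and the flagged sessions are the input the incident management and reporting mechanism needs.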
