Council's Views on Proposals to Reduce and Mitigate Hacking Risks Associated with Internet Trading
1. The Consumer Council (the Council) is pleased to provide its views, from the perspective of consumer protection, on the public consultation put forward by the Securities and Futures Commission (SFC) on reducing and mitigating hacking risks associated with Internet trading by introducing a number of baseline requirements to strengthen the cybersecurity practices of all Internet brokers. Given that consumers'/investors' reliance on Internet trading is increasing and that, as noted in the consultation paper, cybersecurity incidents leading to financial losses for affected clients have also increased sharply, the Council is of the view that ensuring the safety of the trading system should be an overriding concern in the operation of any Internet broker.
2. The Council in general supports the SFC's proposals, with key requirements such as two-factor authentication for clients' system login and prompt notification to clients of certain activities in their Internet trading accounts. Furthermore, the Council supports the expansion of the scope of the cybersecurity-related regulatory principles and requirements for electronic trading of securities and futures on exchanges to cover the Internet trading of securities which are not listed or traded on an exchange, as well as the updated definition of "Internet trading" to clarify that an Internet-based trading facility may be accessed through any digital device, including desktop computers, mobile phones, portable tablets, etc.
3. The Council's views and comments on the specific issues proposed in the consultation paper are as follows:
Proposed controls as entry requirement for potential Internet brokers
4. The SFC suggests that the proposed cybersecurity requirements for Internet trading be baseline requirements which will also serve as an entry requirement for potential Internet brokers. The Council agrees that Internet brokers should be responsible for reducing the risks of their trading platforms and for protecting the interests of their clients. In this regard, the Council is of the view that any Internet broker considered incapable of fulfilling these minimum requirements should not be allowed to operate Internet trading.
Implement monitoring and surveillance mechanism (proposed requirement 1.2)
5. The Council agrees that implementing detective controls to monitor accounts and trading activities, as proposed in the Guidelines, is a useful measure to detect cyberattacks in a timely manner and minimise damage to investors. However, monitoring of unusual Internet Protocol (IP) addresses alone as a baseline requirement may not be adequate. Whilst understanding that identification of irregular trading patterns or investment strategies of individual clients may not be practically feasible for all Internet brokers, the Council is of the view that there may be other, less complex indicators, such as the recording of relatively substantial losses in an account within a short period of time, which can also be treated as an event that triggers an alarm on unauthorised transactions.
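The two indicators discussed in paragraph 5, a login from an IP address not previously seen on the account and substantial realised losses within a short window, can be expressed as simple detective controls over a stream of account events. The following is an added illustration, not part of the Council's submission or the SFC Guidelines; the event schema, the 30-minute window, the 15%-of-equity threshold and the sample events are all constructed assumptions for the example.

```python
"""Two detective controls over a constructed stream of Internet trading account events:
 1. a login from an IP address never seen before on that account ("unusual_ip")
 2. realised losses within a short sliding window exceeding a share of account equity ("rapid_loss")
The event schema, thresholds and sample data below are assumptions made for this example."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real data): (account, ISO timestamp, kind, detail).
EVENTS = [
    ("A001", "2017-05-08T09:30:00", "login", {"ip": "203.0.113.5"}),
    ("A001", "2017-05-08T09:31:00", "fill", {"pnl": -500.0}),
    ("A001", "2017-05-09T09:30:00", "login", {"ip": "203.0.113.5"}),
    ("A001", "2017-05-09T10:00:00", "fill", {"pnl": 200.0}),
    ("A001", "2017-05-10T02:15:00", "login", {"ip": "198.51.100.77"}),  # first time this IP is seen
    ("A001", "2017-05-10T02:16:00", "fill", {"pnl": -4000.0}),
    ("A001", "2017-05-10T02:20:00", "fill", {"pnl": -3500.0}),
    ("A001", "2017-05-10T02:25:00", "fill", {"pnl": -2000.0}),
    ("A002", "2017-05-10T09:00:00", "login", {"ip": "192.0.2.10"}),
    ("A002", "2017-05-10T09:05:00", "fill", {"pnl": -100.0}),
]
EQUITY = {"A001": 50000.0, "A002": 20000.0}  # constructed account equity, used to scale the loss threshold

LOSS_WINDOW = timedelta(minutes=30)  # assumed "short period of time"
LOSS_FRACTION = 0.15                 # assumed: alert once window losses exceed 15% of equity


def detect(events, equity, window=LOSS_WINDOW, fraction=LOSS_FRACTION):
    """Return a list of (account, timestamp, indicator, detail) alerts in event order."""
    known_ips = defaultdict(set)          # account -> IPs seen on earlier logins
    recent_losses = defaultdict(deque)    # account -> deque of (timestamp, loss) inside the window
    already_alerted = set()               # one rapid_loss alert per account in this example
    alerts = []
    for account, ts_str, kind, detail in sorted(events, key=lambda e: e[1]):
        ts = datetime.fromisoformat(ts_str)
        if kind == "login":
            ip = detail["ip"]
            # The very first login establishes the baseline; later logins from a new IP are flagged.
            if known_ips[account] and ip not in known_ips[account]:
                alerts.append((account, ts_str, "unusual_ip", ip))
            known_ips[account].add(ip)
        elif kind == "fill" and detail["pnl"] < 0:
            losses = recent_losses[account]
            losses.append((ts, -detail["pnl"]))
            # Drop losses that have fallen out of the sliding window.
            while losses and ts - losses[0][0] > window:
                losses.popleft()
            total = sum(loss for _, loss in losses)
            if total > fraction * equity[account] and account not in already_alerted:
                alerts.append((account, ts_str, "rapid_loss", round(total, 2)))
                already_alerted.add(account)
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS, EQUITY):
        print(alert)
```

On the constructed data, account A001 raises an `unusual_ip` alert at the 02:15 login and a `rapid_loss` alert once the three fills within 30 minutes total 9,500 (above 15% of 50,000), while A002 raises nothing. Either indicator on its own would be noisy in practice; a broker would typically combine them, tune the window and fraction per client profile, and route the alert to the prompt-notification channel discussed in the Guidelines so the client can confirm or dispute the activity.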
Opt-out of "trade execution" notification (proposed requirement 1.3)
6. To better address the concerns of frequent traders, an opt-out mechanism for "trade execution" notifications is proposed in the Guidelines. To balance the risks associated with Internet trading against the convenience of investors, the Council is of the view that, instead of enabling investors to opt out entirely from receiving a notification for each and every transaction (notwithstanding that risk disclosures will be provided), an option should be made available to investors to receive "trade execution" notifications in batches (e.g. 10 or 20 transactions at once in a given period), as appropriate to the investor's trading behaviour.
7. Apart from prompt notification, the Council considers that Internet brokers should be required to establish an effective and convenient means of communication which allows investors to report security incidents as soon as any potential unauthorised activity is identified.
Cybersecurity alert and reminder (proposed requirement 3.4)
8. According to an information security survey quoted in the consultation paper, low client awareness of cybersecurity is one of the weaknesses of Internet trading platforms, and only about half of businesses around the world provide cybersecurity training and awareness programmes to their users or employees. The Council is of the view that, in addition to providing cybersecurity alerts and reminders to clients as proposed in the Guidelines, Internet brokers should also make adequate efforts to educate their clients on the appropriate and safe use of Internet trading platforms.
Third-party security auditing
9. Auditing plays an important role in cybersecurity management. It can help businesses assess the existing level of protection afforded to their clients and verify whether their cybersecurity measures are being performed properly. The Council therefore suggests that a requirement be set out in the cybersecurity risk management framework for a security audit to be conducted on a regular basis by an independent, external auditing party.
Means for implementing the requirements
10. The proposed requirements do not specify the means to be adopted for implementing them. These are to be determined by Internet brokers themselves, taking into account their own circumstances, such as scale of operations, client profiles, and budget and resource constraints. While understanding the complexity involved, the Council considers that consumers/investors should be properly informed of the means implemented by Internet brokers and of their policies on liability for losses arising from cybersecurity incidents, before choosing an Internet trading platform.