Hong Kong - SFC reminder to manage cybersecurity risks associated with remote office arrangements

In light of the increased use of remote office arrangements, the SFC issued a Circular to remind licensed corporations (“LCs”) to assess their operational capabilities and implement appropriate measures to manage the cybersecurity risks associated with these arrangements, such as the use of video-conferencing.  

The circular reminds LCs of the requirements under paragraph 4.3 of the Code of Conduct, which sets out that LCs are expected to have internal control procedures and financial and operational capabilities which can be reasonably expected to protect their operations and their clients and other licensed or registered persons from financial loss arising from theft, fraud, and other dishonest acts, professional misconduct or omissions. In addition, Part IV of the Management, Supervision and Internal Control Guidelines for Persons Licensed by or Registered with the Securities and Futures Commission requires LCs to ensure the integrity, security, availability, reliability and thoroughness of all information, including documentation and electronically stored data.

The SFC has set out a non-exhaustive list of examples of controls and procedures recommended to assist in the protection of LCs' internal networks and data. LCs should review the suggestions in the circular and ensure that the measures they have implemented are tailored to the work situation and to the size and complexity of each LC's operations.

The examples are grouped in the following three topics:

(A) Remote access to internal network and systems

Appropriate control techniques and procedures to mitigate the cybersecurity risks associated with remote access, including the risk of infiltration through vulnerabilities in Virtual Private Network ("VPN") software, may include:

  • Implement robust VPN solutions (and, where appropriate, multiple VPN servers) which provide strong encryption and two or more layers of protection, to protect the integrity of data;
  • Avoid granting standing or permanent access to external parties and only allow vendors to access specific systems during pre-determined timeframes;
  • Implement different levels of remote access, such as by equipping computers and mobile devices supplied by LCs with greater capabilities than employee-owned devices;
  • Implement security controls to prevent unauthorised installation of hardware and software on computers and devices provided to staff; and
  • Implement robust network segmentation to segregate system servers and databases, based on criticality, to better protect more critical and sensitive data, such as clients’ personal data.

(B) Use of videoconferencing platforms

Security issues with videoconferencing platforms have been reported from time to time. To mitigate the risk of unauthorised access and leakage of critical or sensitive data, appropriate control techniques and procedures may include:

  • Assess the security features of videoconferencing platforms before use;
  • Require participant registration for attendance in videoconferences;
  • Allow only authenticated and authorised users to join the videoconference, e.g., by checking their email addresses or making use of "waiting room" features;
  • Use a random meeting ID, rather than a personal meeting ID;
  • Invite participants via the conferencing software or other legitimate channels, e.g., office email, and refrain from sharing links to conferences via social media posts;
  • Enable the password protection feature on the videoconferencing platform;
  • Lock the conference meeting once all the participants have joined, as appropriate; and
  • Use the latest version of the software with the most up-to-date security patches installed.

(C) Other measures supporting remote office arrangements

In addition, the SFC reminds LCs to have in place other measures to continuously assess system capability, ensure adequate surveillance and incident handling, and make regular cybersecurity training and alerts available to internal system users and to clients, in order to support remote office arrangements.