Dual Layer IT

SFC’s 2023/24 Cybersecurity Review: Key Takeaways for Licensed Corporations

The Securities and Futures Commission (SFC) has released its latest report on cybersecurity, highlighting critical observations and expected standards for Licensed Corporations (LCs). Here’s what you need to know.

1. Cybersecurity Incidents: A Growing Concern

Between 2021 and 2024, LCs reported 8 material cybersecurity incidents, including:
  • Ransomware attacks disrupting trading, settlement, and back-office systems.
  • Unauthorized access to client accounts, leading to fraudulent transactions.
  • Vendor network compromises causing operational disruptions.
  • End-of-Life (EOL) software and unpatched systems, which were identified as contributing factors in some of these attacks.

2. Compliance with Cybersecurity Requirements

While there has been improvement in some areas, significant deficiencies remain.

Weaknesses identified:
  • Two-factor authentication implementations that did not meet the SFC's requirements.
  • Lax security controls on servers and firewalls.
  • Delays in implementing security patches.
  • Weak encryption for sensitive data.
  • Excessive user access to critical systems.
  • Missing audit trails, which hindered investigations into cybersecurity incidents.

3. Expected Cybersecurity Standards

The SFC emphasizes the following areas for improvement:
Network Security:
  • Disable unnecessary service ports.
  • Conduct regular vulnerability scans and penetration testing.
Patch Management:
  • Implement security patches within one month of testing.
Data Encryption:
  • Use strong encryption for data-in-transit and data-at-rest.
User Access Rights:
  • Grant access on a need-to-have basis and limit admin privileges.
Audit Logs:
  • Retain and review logs for critical systems to detect unauthorized activities.
Client Account Monitoring:
  • Implement mechanisms to detect unauthorized changes to client details.
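As an added illustration of the audit log and client account monitoring expectations above (example code written for this summary, not part of the SFC report or of Dual Layer IT's own tooling), the Python script below reviews a constructed audit log for client-detail changes that lack second-person approval, are made by a role not permitted to change client details, occur in bulk from one actor, or are followed shortly by a withdrawal. The JSON log format, field names, role names, windows and thresholds are all assumptions; an LC would map them onto its own back-office audit trail.

```python
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log (not real client data): one JSON record per line.
# A useful audit trail carries at least: timestamp, actor, actor role, action,
# client, field changed and who approved the change.
SAMPLE_LOG = """\
{"ts":"2024-03-04T09:12:00","actor":"u101","role":"client_services","action":"update_client","client":"C-7781","field":"phone","approved_by":"u205"}
{"ts":"2024-03-04T09:40:00","actor":"u330","role":"trader","action":"update_client","client":"C-7781","field":"bank_account","approved_by":null}
{"ts":"2024-03-04T09:41:00","actor":"u330","role":"trader","action":"update_client","client":"C-7782","field":"email","approved_by":"u330"}
{"ts":"2024-03-04T09:55:00","actor":"u330","role":"trader","action":"withdrawal","client":"C-7781","field":null,"approved_by":null}
{"ts":"2024-03-04T10:05:00","actor":"u101","role":"client_services","action":"update_client","client":"C-7790","field":"address","approved_by":"u205"}
{"ts":"2024-03-04T10:06:00","actor":"u101","role":"client_services","action":"update_client","client":"C-7791","field":"email","approved_by":"u205"}
{"ts":"2024-03-04T10:07:00","actor":"u101","role":"client_services","action":"update_client","client":"C-7792","field":"phone","approved_by":"u205"}
{"ts":"2024-03-04T10:08:00","actor":"u101","role":"client_services","action":"update_client","client":"C-7793","field":"bank_account","approved_by":"u205"}
"""

# Assumed policy parameters; an LC would set these from its own procedures.
SENSITIVE_FIELDS = {"email", "phone", "address", "bank_account"}
CHANGE_ROLES = {"client_services"}      # roles permitted to change client details
BULK_THRESHOLD = 3                      # distinct clients changed by one actor within BULK_WINDOW
BULK_WINDOW = timedelta(minutes=10)
PAYOUT_WINDOW = timedelta(hours=1)      # withdrawal this soon after a bank-account change is suspicious


def parse_log(text):
    """Parse newline-delimited JSON records and return them in timestamp order."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        records.append(rec)
    return sorted(records, key=lambda r: r["ts"])


def review_client_changes(records):
    """Return a list of findings, each {"ts", "rule", "actor", "client"}."""
    findings = []
    changes_by_actor = defaultdict(list)   # actor -> [(ts, client)] within BULK_WINDOW
    flagged_bulk = set()                   # actors already reported for bulk changes
    last_bank_change = {}                  # client -> ts of most recent bank_account change

    def flag(rec, rule, client):
        findings.append({"ts": rec["ts"], "rule": rule, "actor": rec["actor"], "client": client})

    for r in records:
        if r["action"] == "update_client" and r["field"] in SENSITIVE_FIELDS:
            # Rule 1: only designated roles may change client details (need-to-have access).
            if r["role"] not in CHANGE_ROLES:
                flag(r, "unauthorized_role", r["client"])
            # Rule 2: maker-checker: a second, different user must approve the change.
            if r["approved_by"] is None:
                flag(r, "missing_approval", r["client"])
            elif r["approved_by"] == r["actor"]:
                flag(r, "self_approval", r["client"])
            # Rule 3: one actor touching many clients' details in a short window.
            recent = [(t, c) for t, c in changes_by_actor[r["actor"]] if r["ts"] - t <= BULK_WINDOW]
            recent.append((r["ts"], r["client"]))
            changes_by_actor[r["actor"]] = recent
            if len({c for _, c in recent}) >= BULK_THRESHOLD and r["actor"] not in flagged_bulk:
                flagged_bulk.add(r["actor"])
                flag(r, "bulk_changes", None)
            if r["field"] == "bank_account":
                last_bank_change[r["client"]] = r["ts"]
        elif r["action"] == "withdrawal":
            # Rule 4: money leaving shortly after the payout account was changed.
            changed_at = last_bank_change.get(r["client"])
            if changed_at is not None and r["ts"] - changed_at <= PAYOUT_WINDOW:
                flag(r, "withdrawal_after_account_change", r["client"])
    return findings


def summarize(findings):
    """Count findings per rule, for a daily review report."""
    return Counter(f["rule"] for f in findings)


if __name__ == "__main__":
    results = review_client_changes(parse_log(SAMPLE_LOG))
    for f in results:
        print(f"{f['ts'].isoformat()}  {f['rule']:32} actor={f['actor']} client={f['client']}")
    print(dict(summarize(results)))
```

Run against the constructed log, the review flags the two changes made by a trader (one with no approver, one self-approved), the withdrawal that follows the unapproved bank-account change within the hour, and the burst of changes by u101 across four clients in a few minutes; the approved phone change at 09:12 passes. Note that every rule depends on the audit trail recording the actor, the approver and the field changed: without those, the log retention requirement alone would not let an investigator reconstruct what happened.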

4. Emerging Cybersecurity Threats

  • Phishing and Ransomware: Ransomware remains a significant threat, and attacks are often initiated through phishing.
  • Third-Party Providers: LCs must manage risks associated with IT service providers.
  • Cloud Security: LCs adopting cloud services must implement tailored security measures.
  • SMS OTP Risks: Consider replacing SMS one-time passwords with more secure methods like biometrics or software tokens.

5. Senior Management Responsibility

MIC-IT (Manager-In-Charge of IT) and senior management are responsible for:
  • Ensuring adequate resources and policies for cybersecurity.
  • Regularly reviewing and updating risk management procedures.
  • Establishing and testing contingency plans for cybersecurity scenarios.

6. Way Forward

  • The SFC plans to review and expand cybersecurity requirements in 2025, developing an industry-wide framework to address risks for all LCs, not just internet brokers.

What LCs Should Do Now
  • Critically review cybersecurity frameworks, procedures, and controls.
  • Address vulnerabilities and align with SFC’s expected standards.
  • Stay proactive in adopting advanced security measures to protect client data and systems.

This report underscores the importance of robust cybersecurity practices in an increasingly digital landscape.

For further details, refer to the full report here.

Learn how Dual Layer IT can help your organization implement cybersecurity standards and achieve compliance with the SFC's expected guidelines.

Contact us and one of our staff will respond as soon as possible.
