{"id":29210,"date":"2025-03-07T13:20:07","date_gmt":"2025-03-07T13:20:07","guid":{"rendered":"https:\/\/prelive-tdw.visibleone.app\/insight-and-news\/cybersecurity-lessons-to-learn-from-the-recent-sfc-thematic-review\/"},"modified":"2025-11-14T10:57:32","modified_gmt":"2025-11-14T10:57:32","slug":"cybersecurity-lessons-to-learn-from-the-recent-sfc-thematic-review","status":"publish","type":"insight-and-news","link":"https:\/\/www.tannerdewitt.com\/zh-hans\/insight-and-news\/cybersecurity-lessons-to-learn-from-the-recent-sfc-thematic-review\/","title":{"rendered":"Cybersecurity: Lessons to learn from the recent SFC thematic review"},"content":{"rendered":"\n    \n\n<div style=\"background-image:url('https:\/\/www.tannerdewitt.com\/wp-content\/themes\/tanner-de-witt\/images\/insightdetails.jpeg')\"\n    class=\"insight-news-detail-hero\" id=\"insight-news-detail-hero\">\n\n\t\t<div style=\"background-color:\" class=\"insight-news-detail-hero-overlay \"><\/div>\n            <div class=\"z-[0]\">\n                <div class=\"insight-news-breadcrumbs flex items-end practice-areas-featured-breadcrumbs \">\n                    <a class=\"page-link no-underline\" href=\"https:\/\/www.tannerdewitt.com\/zh-hans\/\">Home<\/a>                <\/div>\n\n\n                <div class=\"hero-title\">\n                    <h1>\n                        Cybersecurity: Lessons to learn from the recent SFC thematic review                    <\/h1>\n                <\/div>\n                \n                    <div style=\"\" class=\"hero-date \">\n\n                        <span class=\"month\">Mar<\/span>\n                        <span class=\"day\">07<\/span>\n                        <span class=\"year\">2025<\/span>\n                    <\/div>\n\n            <\/div>\n    \n\n    \n\n\n\n<\/div>\n\n\n\n<script >\n    (function () {\n        document.addEventListener(\"DOMContentLoaded\", () => {\n\n            const breadCrumbsContainer = 
Array.from(document.querySelectorAll(\".practice-areas-featured-breadcrumbs\"));\n\n            breadCrumbsContainer.forEach(container => {\n                const breadCrumbLinks = Array.from(container.querySelectorAll('.page-link'));\n                const breadCrumbSeperators = Array.from(container.querySelectorAll('.separator'));\n\n                if (Array.from(breadCrumbLinks).length === 1) {\n                    const homeNode = breadCrumbLinks[0];\n\n                    if (!homeNode) {\n                        return\n                    }\n\n                    const postTypeNode = homeNode.cloneNode(true);\n                    postTypeNode.textContent = \"Insights and News\";\n                    container.insertAdjacentHTML('beforeend', `<span class=\"separator practice-areas-featured-breadcrumb-item-slash\">\/<\/span>`)\n                    container.insertAdjacentElement('beforeend', postTypeNode)\n                    breadCrumbLinks.push(postTypeNode);\n\n                    if (\"Insights\") {\n                        const categoryNode = homeNode.cloneNode(true);\n\n                        categoryNode.textContent = \"Insights\";\n                        container.insertAdjacentHTML('beforeend', `<span class=\"separator practice-areas-featured-breadcrumb-item-slash\">\/<\/span>`)\n                        container.insertAdjacentElement('beforeend', categoryNode)\n                        breadCrumbLinks.push(categoryNode);\n                    }\n\n\n                    const titleNode = homeNode.cloneNode(true);\n\n                    titleNode.textContent = \"Cybersecurity: Lessons to learn from the recent SFC thematic review\";\n                    container.insertAdjacentHTML('beforeend', `<span class=\"separator practice-areas-featured-breadcrumb-item-slash\">\/<\/span>`)\n                    container.insertAdjacentElement('beforeend', titleNode)\n                    breadCrumbLinks.push(titleNode);\n\n\n\n\n                }\n\n               
 breadCrumbLinks.forEach((link, index) => {\n\n                    link.classList.add('practice-areas-featured-breadcrumb-item-name');\n                    const origin = window.location.origin;\n                    const href = window.location.href;\n\n                    const originSplitter = window.location.href.includes(\"insight-and-news\") ? \"insight-and-news\" : window.location.href.includes('insights-and-news') ? \"insights-and-news\" : \"\"\n\n                    const paths = href.split(originSplitter);\n                    const links = paths[1].split(\"\/\").filter(Boolean)\n\n\n                    const resolvedOrigin = originSplitter ? (href.split(originSplitter)[0] || \"\") : (origin + \"\/\")\n\n                    if (index === 0) {\n\n                        if (!originSplitter) {\n                            link.href = origin\n                        } else {\n                            link.href = resolvedOrigin;\n                        }\n\n\n                    } else if (index === 1) {\n                        link.href = resolvedOrigin + originSplitter\n\n                    }\n                    else if (index === 2) {\n                        console.log(links)\n                        link.href = resolvedOrigin + originSplitter + \"\/\" + (links[0] || \"\")\n                    }\n                    else if (index === 3) {\n\n                        link.href = resolvedOrigin + originSplitter + \"\/\" + (links[0] || \"\") + \"\/\" + (links[1] || \"\")\n\n                    }\n\n\n\n                    \/\/ const words = link.textContent.split(\" \")\n                    \/\/ if (words.length > 4) {\n                    \/\/     link.textContent = words.slice(0, 4).join(\" \") + \"...\"\n                    \/\/ }\n\n                })\n\n                breadCrumbSeperators.forEach(separator => {\n                    separator.textContent = \"\/\"\n                    
separator.classList.add('practice-areas-featured-breadcrumb-item-slash')\n                });\n\n\n            })\n\n\n        })\n        removeDivTag()\n    })();\n\n    function removeDivTag() {\n        console.log(\"remasfljas\");\n        const editorContainer = document.querySelector(\".editor-wysiwyg\");\n        \/\/ editorContainer.innerText = editorContainer.innerText.replace(\"<\/div>\", \"\")\n        Array.from(editorContainer.childNodes).forEach(el => {\n            if (el.textContent.includes(\"<\/div>\")) {\n                el.textContent = \"\"\n            }\n        })\n    }\n<\/script>\n\n<div class=\"editor-wysiwyg my-[40px]\">\n<div class=\"single-section\">\n<p>More than 95% of all active traders in Hong Kong trade through internet trading systems. In this article,\u00a0<a href=\"https:\/\/www.tannerdewitt.com\/our-people\/padraig-walsh\/\">P\u00e1draig Walsh<\/a>\u00a0from our\u00a0<a href=\"https:\/\/www.tannerdewitt.com\/practice-areas\/cybersecurity\/\">Cybersecurity<\/a>\u00a0team highlights key points in a report from a recent thematic cybersecurity review of licensed corporations published by the Securities and Futures Commission (\u201c<strong>SFC<\/strong>\u201d).<\/p>\n<p><strong><em>Measures against phishing attacks<\/em><\/strong><\/p>\n<p>Phishing attacks remain the most common form of cyberattacks.[1]\u00a0 Recommended anti-phishing measures include:<\/p>\n<ul>\n<li><strong>Provide regular cybersecurity awareness training to all staff<\/strong>.\u00a0 One form of training is regular phishing simulation.\u00a0 Simulated phishing exercises help test staff\u2019s awareness of and response to phishing attacks.\u00a0 To incentivise an appropriate response from staff, corporations may adopt a \u201ccarrot-and-stick\u201d approach.\u00a0 There have been examples where licensed corporations took disciplinary action against staff who had repeatedly failed the simulation, while rewarding staff who dealt with the phishing attack 
appropriately.\u00a0<\/li>\n<li><strong>Deploy multiple means of identifying potential phishing attacks<\/strong>.\u00a0 Licensed corporations should deploy technical security solutions such as filtering tools for email, web and attachment contents. \u00a0Automated solutions to monitor and identify fraudulent websites on the internet are also useful. \u00a0There should be clear reporting procedures so that clients can help alert corporations to any phishing attempts.\u00a0<\/li>\n<li><strong>Send regular cybersecurity alerts and reminders to clients.\u00a0\u00a0<\/strong>Upon identification of phishing activities, licensed corporations should promptly post alert messages on social media to remind clients to stay vigilant.\u00a0 In cases where alerts are sent via SMS, licensed corporations may consider participating in the SMS Sender Registration Scheme, under which legitimate SMSs are differentiated by a \u201c#\u201d prefix, which helps clients to verify the senders\u2019 identities.\u00a0<\/li>\n<\/ul>\n<p><strong><em>EOL software management<\/em><\/strong><\/p>\n<p>EOL (end-of-life) software refers to software which has reached the end of its life cycle, and is no longer given technical support and maintenance such as updated security patches and fixes.\u00a0 This puts EOL software at major risk of attackers gaining an entry point to penetrate the target\u2019s IT environment.\u00a0 The SFC recommends:<\/p>\n<ul>\n<li><strong>Identify and monitor EOL software and operating systems<\/strong>.\u00a0 For example, as of the date of this article, Windows 7 has reached the end of its lifecycle, while Windows 8 and 10 are being phased out.\u00a0 To keep close watch on EOL software, corporations should maintain a complete IT asset inventory list and review it regularly.\u00a0 Licensed corporations should also regularly gather information on software EOL dates from official sources.\u00a0<\/li>\n<li><strong>Cease usage of EOL software on all critical system 
servers and databases.<\/strong>\u00a0 Internet-facing servers, trading-related servers and databases should not be built upon EOL systems.\u00a0 For non-critical system servers and databases, EOL software should be upgraded or replaced in a timely manner unless there are measures in place to properly mitigate the associated cybersecurity risks.<\/li>\n<\/ul>\n<p><strong><em>Remote access management<\/em><\/strong><\/p>\n<p>Remote working has become an integral part of many businesses.\u00a0 However, remote access solutions may give rise to cybersecurity vulnerabilities, as attackers gain an entry point to infiltrate internal networks.\u00a0 There are steps that corporations may take to counter these risks.\u00a0 They include:<\/p>\n<ul>\n<li><strong>Only grant remote access rights on a \u201cleast privileged\u201d and \u201cneed-to-have\u201d basis.\u00a0\u00a0<\/strong>Access credentials should only be assigned to staff of appropriate bands or ranks to limit exposure to data breaches through remote systems.\u00a0 Access rights should be routinely reviewed and adjusted.<\/li>\n<li><strong>Implement multiple security controls.\u00a0\u00a0<\/strong>Common forms of control are remote access via VPN, multi-factor authentication, session timeout, and temporary access suspension after multiple invalid login attempts.<\/li>\n<li><strong>Prevent and identify unauthorised remote access, or attempted access, to internal networks.\u00a0<\/strong>\u00a0This may be achieved by blocking remote access from certain IP addresses, such as private VPNs and sanctioned countries, and by flagging cases where the geolocation of a user\u2019s login IP address changes from one country to another within a short period of time.<\/li>\n<\/ul>\n<p><strong><em>Third party provider management<\/em><\/strong><\/p>\n<p>Many licensed corporations engage third party providers of IT services.\u00a0 Cybersecurity breaches at the third party providers\u2019 end can compromise the businesses of the service users.\u00a0 The licensed corporation\u2019s 
responsibility for securing its systems is not absolved by simply outsourcing its IT systems; the licensed corporation must properly manage its service providers.<\/p>\n<ul>\n<li><strong>Conduct proper due diligence on the providers prior to the engagement.<\/strong>\u00a0 Due diligence should include an assessment of the adequacy of the cybersecurity measures proposed by the providers.\u00a0 The SFC noted in its report that some licensed corporations would exchange information with other brokers on providers that they used, conduct interviews with the providers, and request the providers to complete a security checklist. \u00a0<\/li>\n<li><strong>Put in place specific cybersecurity terms in formal contractual arrangements.\u00a0\u00a0<\/strong>Agreements with third party providers should cover security obligations to give contractual assurance and accountability.\u00a0 There should also be specific terms on reporting procedures in the event of a cybersecurity incident, and on contingency plans in the event of disruptions.<\/li>\n<\/ul>\n<p><strong><em>Cloud security<\/em><\/strong><\/p>\n<p>Most businesses host their applications and systems in a cloud environment.\u00a0 Some businesses adopt multiple clouds to help enhance system resilience and minimise the risk of service interruption.\u00a0 The downside is that the use of multiple clouds increases the complexity of managing different cloud environments, giving rise to potential vulnerabilities.\u00a0 The SFC recommended in its report to:<\/p>\n<ul>\n<li><strong>Segregate critical systems and data from other groups that are subject to higher hacking risk exposure.\u00a0<\/strong>\u00a0If necessary, consult and engage a competent third party provider to design and implement the network infrastructure to suit the individual business\u2019s needs and risks.<\/li>\n<li><strong>Back up business records, client and transaction databases, and servers in an offline medium.\u00a0\u00a0<\/strong>This should be done on 
at least a daily basis.\u00a0 The backup should be \u201cimmutable\u201d, which means the backup medium should be disconnected from the cloud environment after each backup process.<\/li>\n<\/ul>\n<p><strong>Concluding remarks<\/strong><\/p>\n<p>The thematic review conducted by the SFC is a timely summary of key issues for licensed corporations to keep in mind in respect of cybersecurity. \u00a0The touchstone SFC guideline is the SFC\u2019s Guidelines for Reducing and Mitigating Hacking Risks Associated with Internet Trading (<a href=\"https:\/\/www.sfc.hk\/-\/media\/EN\/assets\/components\/codes\/files-current\/web\/guidelines\/guidelines-for-reducing-and-mitigating-hacking-risks-associated-with-internet-trading\/guidelines-for-reducing-and-mitigating-hacking-risks-associated-with-internet-trading.pdf?rev=eb44681c436548c1bb37092f2145f45c\" target=\"_blank\" rel=\"noopener\">link<\/a>).\u00a0 Failure to meet the cybersecurity standards and expectations of the SFC may reflect adversely on a licensed corporation\u2019s and licensed persons\u2019 fitness and properness in conducting regulated activities. 
\u00a0<\/p>\n<p>The SFC has for some time now made institutional resilience a core strategic priority.\u00a0 Cyber resilience, IT strategy and internal control and governance are all elements of institutional resilience.\u00a0 The SFC is very mindful that it is the primary regulator of Hong Kong\u2019s financial markets, which are a critical infrastructure of Hong Kong.\u00a0 With the imminent introduction into law and force of the Protection of Critical Infrastructures (Computer Systems) Bill in Hong Kong, we expect the SFC to intensify its focus on cybersecurity even more.\u00a0 We can expect that the SFC will be one of the sector regulators designated to discharge organisational and preventive obligations under the new laws.\u00a0 This will see the SFC working closely with the new Commissioner on cybersecurity matters.<\/p>\n<p>We are at the dawn of a new era of regulation and oversight of cybersecurity. This thematic review and report by the SFC are incisive reminders to licensed corporations in the financial markets sector to review and strengthen their cyber readiness.<\/p>\n<p>\u00a0<\/p>\n<p class=\"has-text-align-right\"><strong><em>P\u00e1draig Walsh and Vanessa Leung<\/em><\/strong><\/p>\n<p>\u00a0<\/p>\n<p>If you want to know more about the content of this article, please contact:<\/p>\n<p><a href=\"https:\/\/www.tannerdewitt.com\/our-people\/padraig-walsh\/\">P\u00e1draig Walsh<\/a><\/p>\n<p>Partner | Email<\/p>\n<p>\u00a0<\/p>\n<p>Disclaimer: This publication is general in nature and is not intended to constitute legal advice. You should seek professional advice before taking any action in relation to the matters dealt with in this publication. This article was last reviewed on 07 March 2025.<\/p>\n<p class=\"has-small-font-size\">[1] \u00a717 of the Report.<\/p>\n<\/div>\n<\/div>\n\n\n\n\n<\/div>\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>More than 95% of all active traders in Hong Kong trade through internet trading systems. 
In this article,\u00a0P\u00e1draig Walsh\u00a0from our\u00a0Cybersecurity\u00a0team highlights key points in a report from a recent thematic cybersecurity review of licensed corporations published by the Securities and Futures Commission (\u201cSFC\u201d). Measures against phishing attacks Phishing attacks remain the most common form of [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"parent":0,"menu_order":0,"template":"","meta":{"_acf_changed":false,"footnotes":""},"tags":[],"insight-category":[1121],"insight-month":[1156],"insight-practice-area":[1142],"insight-year":[1147],"class_list":["post-29210","insight-and-news","type-insight-and-news","status-publish","hentry","insight-category-legal-updates-and-insights","insight-month-march","insight-practice-area-technology-media-and-telecommunications-tmt","insight-year-1147"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.tannerdewitt.com\/zh-hans\/wp-json\/wp\/v2\/insight-and-news\/29210","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.tannerdewitt.com\/zh-hans\/wp-json\/wp\/v2\/insight-and-news"}],"about":[{"href":"https:\/\/www.tannerdewitt.com\/zh-hans\/wp-json\/wp\/v2\/types\/insight-and-news"}],"author":[{"embeddable":true,"href":"https:\/\/www.tannerdewitt.com\/zh-hans\/wp-json\/wp\/v2\/users\/1"}],"version-history":[{"count":1,"href":"https:\/\/www.tannerdewitt.com\/zh-hans\/wp-json\/wp\/v2\/insight-and-news\/29210\/revisions"}],"predecessor-version":[{"id":30423,"href":"https:\/\/www.tannerdewitt.com\/zh-hans\/wp-json\/wp\/v2\/insight-and-news\/29210\/revisions\/30423"}],"wp:attachment":[{"href":"https:\/\/www.tannerdewitt.com\/zh-hans\/wp-json\/wp\/v2\/media?parent=29210"}],"wp:term":[{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.tannerdewitt.com\/zh-hans\/wp-json\/wp\/v2\/tags?post=29210"},{"taxonomy":"insight-category","embeddable":true,"href":"https:\/\/www.tannerdewitt.com\/zh-hans\/wp-json\/wp\/v2\/insight-category?post=29210"},{"taxonomy":"
insight-month","embeddable":true,"href":"https:\/\/www.tannerdewitt.com\/zh-hans\/wp-json\/wp\/v2\/insight-month?post=29210"},{"taxonomy":"insight-practice-area","embeddable":true,"href":"https:\/\/www.tannerdewitt.com\/zh-hans\/wp-json\/wp\/v2\/insight-practice-area?post=29210"},{"taxonomy":"insight-year","embeddable":true,"href":"https:\/\/www.tannerdewitt.com\/zh-hans\/wp-json\/wp\/v2\/insight-year?post=29210"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}