New Circular to All Licensed Corporations on Cybersecurity
Securities and Futures Commission (SFC) latest circular
In recent years, many financial institutions have been targeted by different types of cyber-attacks. The Securities and Futures Commission (SFC) recently issued a new circular on 23 March 2016, the Circular to All Licensed Corporations on Cybersecurity, with the aim of strengthening cybersecurity management in licensed corporations.
The ERS Cyber Risk Team helps clients identify and address risks associated with cybersecurity and regulatory requirements. Please do not hesitate to contact the ERS Cyber Team for further assistance regarding the latest circular.
Key summary of the new circular
1. Key concerns about cybersecurity management in licensed corporations (LCs):
- Inadequate coverage of cybersecurity risk assessment exercises
- Inadequate cybersecurity risk assessment of service providers
- Insufficient cybersecurity awareness training
- Inadequate cybersecurity incident management arrangements
- Inadequate data protection programs
2. Licensed corporations are expected to ensure:
- Comprehensive and effective review and assessment of their cybersecurity risks is in place
- Any weaknesses identified have been, or are in the process of being, rectified
- Enhancement of their cybersecurity controls is being treated as a matter of priority
3. Licensed corporations are expected to take appropriate measures (including seeking advice from external contracted vendors if they do not possess such expertise and/or resources in-house) to critically review and assess the effectiveness of the cybersecurity controls in place within their business environments and to further enhance their cybersecurity control frameworks with reference to the suggested cybersecurity controls.
What should licensed corporations do?
To strengthen their cybersecurity preparedness and continue to improve their cybersecurity management through: