Hong Kong regulators move to tighten cybersecurity rules after hacks cost stockbrokers over $14M

A string of 20 cyberattacks against Hong Kong stockbrokers led to $14.2 million (HK$110 million) in losses over the last 18 months, according to Hong Kong’s Securities and Futures Commission. In response, the regulator is tightening cybersecurity requirements.

The specifics of the new legal framework are still being figured out. In a Wednesday press conference, the regulator launched a “market consultation” on cybersecurity upgrade requirements expected to cost over $125,000 for larger brokers, according to a report in the South China Morning Post.

“We have to require all [brokers] to invest more to enhance the cybersecurity of their computer systems after customers lost up to HK$110 million from hacker attacks. The police have been investigating these cases,” a SFC spokesperson said on Wednesday. “The upgrade may cost money but it will ensure investors can trade safely when using their computers or mobile phones.”

The new regulatory push follows a review begun last year that directed corporations to improve their cybersecurity footing by strengthening threat intelligence, vulnerability management, network monitoring, user authentication and contingency plans for inevitable breaches.

“The SFC has received an increasing number of reports from securities brokers that the security of some customers’ internet/mobile trading accounts has been compromised and unauthorized securities trading transactions were conducted through these accounts,” the regulator said in a release announcing the cybersecurity review. “While these hacking incidents are still under police investigation, there are indications that brokers and their clients may be able to do more to better protect online trading accounts.”

Reuters reported in January that Hong Kong police were struggling to stop “digital pump-and-dump schemes” in which hackers invested in the Chinese territory’s penny stocks and manipulated their share prices by trading from hacked brokerage accounts. The hackers then sell the stocks before the fraud is caught.