The SFC issued a circular to all licensed corporations yesterday, following its recent review of cybersecurity within selected larger licensed corporations. Firms will wish to give careful consideration to the SFC's recommendations regarding appropriate cybersecurity controls.
Whilst the SFC found that most of the licensed corporations had prioritised resources for maintaining cybersecurity controls, it identified the following key areas of concern:
- inadequate coverage of cybersecurity risk assessment exercises;
- inadequate cybersecurity risk assessment of service providers;
- insufficient cybersecurity awareness training;
- inadequate cybersecurity incident management arrangements; and
- inadequate data protection programs.
Nonetheless, the SFC has also identified various sound and effective cybersecurity controls among the licensed corporations reviewed. Details of the above areas of concern and recommended cybersecurity controls are set out in the appendix to the circular.
The SFC states that:
"[c]yber security within licensed corporations [LCs] has, for some time, been of concern to the SFC and is increasingly being viewed by the SFC as a matter of priority given the ongoing occurrence of cybersecurity incidents being reported across the financial services industry".
It will focus on the "cybersecurity preparedness" of licensed corporations and expects them to take appropriate measures to critically review and assess their cybersecurity controls.
For further information, please contact Will Hallatt or Valerie Tao.