Cybersecurity Crisis in Fund Management

April 11, 2025


Capiteq recently participated in a panel discussion hosted by Marex and IQ-EQ in Hong Kong, to discuss the SFC's circular on Cyber Security.

References

SFC's recent Cyber Security Circular dated Feb 2025.
Below we have included a high-level summary of the SFC’s 2023/24 Thematic Cybersecurity Review of Licensed Corporations (LCs):

🔍 Purpose of the Report

  • Highlights key findings from a thematic cybersecurity review of selected internet brokers.
  • Evaluates compliance with existing Cybersecurity Guidelines and Code of Conduct.
  • Addresses recent cybersecurity incidents and sets out expected standards for improvement.

 

⚠️ Cybersecurity Incidents (2021–2024)

8 major incidents reported, including:

  • Ransomware attacks that disrupted critical systems.
  • Vendor network compromise, with no adequate contingency planning.
  • Security loopholes exploited for unauthorized access to trading systems and client data.
  • End-of-life (EOL) software contributed to vulnerabilities.

 

📉 Common Deficiencies Identified

Despite improvements since 2020, several weaknesses persist:

  • Weak authentication (e.g., inadequate 2FA).
  • Poor patch management and outdated systems.
  • Unsecured data transmission/storage.
  • Excessive admin access rights and lack of audit trails.
  • Insufficient monitoring of client account activity.

 

✅ Key Recommendations

Licensed Corporations must:

  1. Strengthen Network Security
    • Disable unnecessary ports, enforce access controls.
    • Conduct annual technical reviews, endorsed by senior management.
  2. Implement Timely Patch Management
    • Apply tested patches within 1 month of release.
  3. Use Strong Data Encryption
    • Encrypt both data-at-rest and data-in-transit with strong algorithms.
  4. Tighten User Access Control
    • Grant access on a need-to-have basis.
    • Limit admin access and monitor usage.
  5. Maintain Audit Logs
    • Regularly review logs of all critical systems for anomalies.
  6. Monitor Client Accounts Effectively
    • Detect unusual changes or access patterns (e.g., shared IPs, bulk edits).
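
A sketch of the client-account monitoring described in the last recommendation, added here as an illustration and not taken from the SFC circular or from Capiteq: it flags source IPs that log in to several client accounts, and IPs that change contact details on several accounts within a short window. The event format, action names and thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real data): time, client account, source IP, action.
SAMPLE_EVENTS = [
    ("2025-03-01T09:00:05", "ACC-1001", "203.0.113.7", "login"),
    ("2025-03-01T09:01:10", "ACC-1002", "203.0.113.7", "login"),
    ("2025-03-01T09:02:30", "ACC-1003", "203.0.113.7", "login"),
    ("2025-03-01T09:03:00", "ACC-1001", "203.0.113.7", "change_email"),
    ("2025-03-01T09:03:40", "ACC-1002", "203.0.113.7", "change_phone"),
    ("2025-03-01T09:04:15", "ACC-1003", "203.0.113.7", "change_email"),
    ("2025-03-01T10:15:00", "ACC-2001", "198.51.100.20", "login"),
    ("2025-03-01T16:45:00", "ACC-2001", "198.51.100.20", "change_phone"),
    ("2025-03-02T11:00:00", "ACC-2002", "198.51.100.20", "login"),
]

def shared_ips(events, min_accounts=3):
    """Return {ip: sorted accounts} for IPs that logged in to >= min_accounts accounts."""
    accounts_by_ip = defaultdict(set)
    for _ts, account, ip, action in events:
        if action == "login":
            accounts_by_ip[ip].add(account)
    return {ip: sorted(a) for ip, a in accounts_by_ip.items() if len(a) >= min_accounts}

def bulk_edits(events, window=timedelta(minutes=10), min_accounts=3):
    """Return {ip: sorted accounts} where one IP changed contact details on
    >= min_accounts distinct accounts within a sliding time window."""
    changes_by_ip = defaultdict(list)
    for ts, account, ip, action in events:
        if action.startswith("change_"):  # assumed naming for profile edits
            changes_by_ip[ip].append((datetime.fromisoformat(ts), account))
    flagged = {}
    for ip, changes in changes_by_ip.items():
        changes.sort()
        start = 0
        for end in range(len(changes)):
            # Advance the left edge until the span fits inside `window`.
            while changes[end][0] - changes[start][0] > window:
                start += 1
            touched = {acct for _t, acct in changes[start:end + 1]}
            if len(touched) >= min_accounts:
                flagged.setdefault(ip, set()).update(touched)
    return {ip: sorted(a) for ip, a in flagged.items()}

if __name__ == "__main__":
    print("shared IPs:", shared_ips(SAMPLE_EVENTS))
    print("bulk edits:", bulk_edits(SAMPLE_EVENTS))
```

Thresholds would need tuning against legitimate shared sources such as an office NAT or a family household before alerts are routed to reviewers.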

 

🔄 Emerging Threats & Trends

  • Increased use of EOL systems, unpatched VPNs, and phishing-based ransomware.
  • More LCs now rely on:
    • Third-party IT providers
    • Cloud services (raising new security management challenges)
  • Emphasis on phishing detection, remote access controls, and cloud risk governance.

 

📱 Authentication Best Practices

  • Concerns raised over reliance on SMS OTPs due to malware interception risks.
  • Encouragement to adopt more secure methods like biometrics or software tokens.

 

🧑‍💼 Senior Management Responsibilities

  • Appoint qualified staff/providers and allocate sufficient resources.
  • Regularly review policies, approve cybersecurity plans, and oversee remediation.
  • Maintain and test contingency plans tailored to cybersecurity threats.
  • The circular takes immediate effect; LCs should review and upgrade their cybersecurity frameworks.
  • The SFC plans to revamp and expand the cybersecurity framework in 2025 to cover all LCs, not just internet brokers.

 

Please find a checklist for the recent SFC circular here