How Security Ratings Can Help Organizations Adhere to Hong Kong’s Cybersecurity Guidelines

Alex Campanelli | May 25, 2018

Strict cybersecurity regulations and requirements (including GDPR, NYDFS, and more) continue to be adopted on a global scale. 2018 has also brought the continued rollout of strict cybersecurity regulations in the Asia Pacific region, most notably in Singapore, Australia, and Hong Kong. This year, one new requirement issued in 2017, the Securities & Futures Commission's Guidelines, goes into effect.

In October 2017, the Securities & Futures Commission (SFC) of Hong Kong issued a set of twenty baseline cybersecurity measures called the "Guidelines for Reducing & Mitigating Hacking Risks Associated with Internet Trading." The SFC is an independent Hong Kong statutory body set up to regulate Hong Kong's securities and futures markets. These guidelines seek to prevent, detect, and control the risks posed by cyber attacks, and they are being implemented in two phases. Phase One went into effect in April 2018 and focused primarily on the effectiveness of two-factor authentication. Phase Two commences in July 2018 and brings all the remaining guidelines into effect.

These guidelines apply to both individuals and businesses engaged in internet trading that are licensed or registered with the SFC for regulated activities dealing with securities, futures contracts, foreign exchange trading, or asset management. As of this year, the guidelines become legally binding, and "failure to comply with these guidelines may result in punitive action."

Financial services institutions in Hong Kong will be directly affected by these regulations, which also encompass third party risk. Section 2.10 states, "if a licensed or registered person has any arrangement to outsource any activities associated with its internet trading to a third-party service provider, it should enter into a formal service-level agreement with the service provider which specifies the terms of service and the responsibilities of the provider." Here, the SFC's Guidelines clearly define the need for organizations to collaborate with their critical third parties to collectively achieve a strong security posture.

As cybersecurity regulations increase throughout the business world, BitSight Security Ratings are an effective solution to help organizations meet the new Cybersecurity Guidelines set forth by the SFC and to prepare them for the comprehensive July 2018 implementation deadline. BitSight Security Ratings for vendor risk management deliver timely, data-driven insights into any vendor's security performance by continuously analyzing and monitoring companies' cybersecurity, all from the outside. Security ratings are generated on a daily basis, giving organizations continuous visibility into the security of key business partners.

With the ability to drill down into the security details used to generate an organization’s rating, companies can lead intelligent, data-driven conversations with vendors about their security posture.

As the implementation deadline for these regulations approaches, institutions will need to be prepared to meet these Guidelines from Hong Kong’s SFC. Not only will they have to comply with these regulations, but they will also need ways of monitoring and assessing both their own security posture and that of their third parties. BitSight Security Ratings are the optimal solution for continuous third party cyber risk management.
