HONG KONG, April 20 (Reuters) - Hong Kong plans to toughen
information security rules after a series of embarrassing hacks
at the city's brokers, the securities regulator said on
The draft rules would likely include requirements for
two-step authentication for account log-in and for brokers to
notify clients when a transaction had been made, a Hong Kong
Securities and Futures Commission (SFC) spokesman said.
The SFC would publish a consultation on the draft rules
during the second quarter.
The rule changes would be made to the SFC Code of Conduct,
meaning they would not need to be passed into legislation.
Hong Kong police have struggled to deal with digital
pump-and-dump schemes targeting brokerages - a little-known type
of computer-generated fraud that surged in the Chinese territory
Although the money involved has so far been small - only
about $20 million worth of shares - there were 81 such incidents
reported in 2016, more than triple the number in 2015, according
In the scheme, criminals invest in thinly traded penny
stocks and then manipulate their share prices by ordering trades
from hacked brokerage accounts. They earn profits by selling
before the fraudulent trades are reported.
Hong Kong has been a favoured place for such attacks because
of the number of thinly traded penny stocks in the territory and
because its securities industry has fallen behind other
financial centres in defending against cyber fraud, Reuters
reported in February. (http://www.reuters.com/article/us-cyber-brokerages-hongkong-idUSKBN15U09I)
At least seven brokers and eight banks have been targeted in
Hong Kong, including HSBC Holdings Plc and Bank of
China International Securities, Reuters reported, citing sources.
One investigator said there had been a new spurt of such
attacks in 2017 and banks and brokers were unable to identify
Authorities believe that hackers accessed brokerage accounts
using stolen or guessed passwords, according to investigators.
(Reporting by Michelle Price; Editing by Stephen Coates)