Hong Kong to tighten cyber security rules after broker hacks

Michelle Price

HONG KONG, April 20 (Reuters) - Hong Kong plans to toughen information security rules after a series of embarrassing hacks at the city's brokers, the securities regulator said on Thursday.

The draft rules would likely include requirements for two-step authentication for account log-in and for brokers to notify clients when a transaction had been made, a Hong Kong Securities and Futures Commission (SFC) spokesman said.

The SFC would publish a consultation on the draft rules during the second quarter.

The rule changes would be made to the SFC Code of Conduct, meaning they would not need to be passed into legislation.

Hong Kong police have struggled to deal with digital pump-and-dump schemes targeting brokerages - a little-known type of computer-generated fraud that surged in the Chinese territory last year.

Although the money involved has so far been small - only about $20 million worth of shares - there were 81 such incidents reported in 2016, more than triple the number in 2015, according to police.

In the scheme, criminals invest in thinly traded penny stocks and then manipulate their share prices by ordering trades from hacked brokerage accounts. They earn profits by selling before the fraudulent trades are reported.

Hong Kong has been a favoured place for such attacks because of the number of thinly-traded penny stocks in the territory and because its securities industry has fallen behind other financial centres in defending against cyber fraud, Reuters reported in February. (http://www.reuters.com/article/us-cyber-brokerages-hongkong-idUSKBN15U09I)

At least seven brokers and eight banks have been targeted in Hong Kong, including HSBC Holdings Plc and Bank of China International Securities, Reuters reported, citing sources.

One investigator said there had been a new spurt of such attacks in 2017 and banks and brokers were unable to identify the culprits.

Authorities believe that hackers accessed brokerage accounts using stolen or guessed passwords, according to investigators.

(Reporting by Michelle Price; Editing by Stephen Coates)