Hong Kong to tighten cyber security rules after broker hacks

    Michelle Price

    HONG KONG, April 20 (Reuters) - Hong Kong plans to toughen

    information security rules after a series of embarrassing hacks

    at the city's brokers, the securities regulator said on

    Thursday.

    The draft rules would likely include requirements for

    two-step authentication for account log-in and for brokers to

    notify clients when a transaction had been made, a Hong Kong

    Securities and Futures Commission (SFC) spokesman said.

    The SFC would publish a consultation on the draft rules

    during the second quarter.

    The rule changes would be made to the SFC Code of Conduct,

    meaning they would not need to be passed into legislation.

    Hong Kong police have struggled to deal with digital

    pump-and-dump schemes targeting brokerages - a little-known type

    of computer-generated fraud that surged in the Chinese territory

    last year.

    Although the money involved has so far been small - only

    about $20 million worth of shares - there were 81 such incidents

    reported in 2016, more than triple the number in 2015, according

    to police.

    In the scheme, criminals invest in thinly traded penny

    stocks and then manipulate their share prices by ordering trades

    from hacked brokerage accounts. They earn profits by selling

    before the fraudulent trades are reported.

    Hong Kong has been a favoured place for such attacks because

    of the number of thinly-traded penny stocks in the territory and

    because its securities industry has fallen behind other

    financial centres in defending against cyber fraud, Reuters

    reported in February. (http://www.reuters.com/article/us-cyber-brokerages-hongkong-idUSKBN15U09I)

    At least seven brokers and eight banks have been targeted in

    Hong Kong, including HSBC Holdings Plc and Bank of

    China International Securities, Reuters reported citing sources.

    One investigator said there had been a new spurt of such

    attacks in 2017 and banks and brokers were unable to identify

    the culprits.

    Authorities believe that hackers accessed brokerage accounts

    using stolen or guessed passwords, according to investigators.

    (Reporting by Michelle Price; Editing by Stephen Coates)