On 27 October 2017, the Securities and Futures Commission (SFC) in Hong Kong issued a circular and Guidelines for Reducing and Mitigating Hacking Risks Associated with Internet Trading (Guidelines), which require all licensed or registered persons engaged in internet trading to implement 20 baseline requirements to enhance their cybersecurity resilience and reduce and mitigate hacking risks. The Guidelines were issued following the SFC’s publication of their conclusions on the related consultation on the same day.
On 7 July 2017, the consultation by the Securities and Futures Commission (SFC) on proposals to reduce and mitigate hacking risks associated with internet trading closed. The consultation follows on from the SFC’s thematic review of the resilience to hacking risks of brokers engaged in internet trading (internet brokers) in late 2016. The SFC aims to publish its consultation conclusions by September or October 2017. Internet brokers will then be allowed 6 months to implement the new requirements.
China's Cyber Security Law (CSL) came into force on 1 June 2017. To read the summary of the key systems required to be implemented and their current status prepared by our teams in China and Sydney, click here. The bulletin also includes information about draft Measures for the Security Assessment of Export of Personal Information and Important Data, and draft Guidelines for data export security assessment.
Herbert Smith Freehills recently held its annual disputes client conference exploring some key legal and compliance risks facing major corporates. Following opening remarks by Mark Shillito, head of dispute resolution for the UK and US, there were presentations on cyber security, Brexit, insurance, class actions, decision analysis, privilege and internal investigations.
A summary of the conference from our Litigation team is below – if reading the full version of this post, you can jump down to read more detail on any of the sessions by clicking on the relevant heading.
The Cyberspace Administration of China (CAC) published its Measures for the Security Assessment for Personal Information and Important Data Exported Abroad (Draft for Comments) (Draft Measures) on 11 April 2017. The Draft Measures, if enacted, will become the first regulation to impose general data localisation obligations in China.
On 29 December 2016, President Obama signed an Executive Order entitled "Taking Additional Steps To Address The National Emergency With Respect To Significant Malicious Cyber-Enabled Activities". In an official statement, President Obama said that the Executive Order was issued "in response to the Russian government's aggressive harassment of U.S. officials and cyber operations aimed at the U.S. Election".
China's new Cyber-Security Law was recently issued, with the government downplaying suggestions that the new law would be used to drive foreign technology and products out of the Chinese market. The new Law provides a tighter definition of critical information infrastructure, making it less likely that the operations of foreign-invested enterprises in China will be caught by strict implementation of the new law. However, the localization of information technology remains prominent in the government's agenda. The new Law will take effect 1 June 2017. To read more from our team in China, click here.
On 13 October 2016, the Securities and Futures Commission (SFC) announced it had issued a circular launching a cybersecurity review with a focus on assessing the cybersecurity preparedness, compliance and resilience of brokers’ internet and mobile trading systems (Review). The Review has been prompted by an increasing number of reports to the SFC from securities brokers that the security of some customers’ internet/mobile trading accounts has been compromised and unauthorised securities trading transactions were conducted through these accounts. The 13 October circular sets out the components of the Review and, in light of the latest incidents, also states that firms should, as a matter of priority, critically review and enhance their controls to combat cyberattacks.
The Hong Kong Monetary Authority (HKMA) has today issued a circular requiring Hong Kong-regulated institutions to implement the HKMA's "Cybersecurity Fortification Initiative" (the Initiative), which consists of three distinct pillars: (1) risk assessment, (2) training and (3) intelligence sharing.
The Initiative has an obvious, direct impact on institutions that are Hong Kong-regulated, as it is now a supervisory requirement for those banks to implement the Initiative. UK institutions that do not operate in Hong Kong will nevertheless wish to give careful consideration to the Initiative, which provides a valuable insight into the increasingly joined-up approach of financial regulators around the world to the issue of cybersecurity.
The authoritative voice on UK cyber security
The UK government has recently confirmed that its National Cyber Security Centre ("NCSC") will begin operations in October 2016. This newest body to be established as part of the UK's continuing fight against cybercrime will be headquartered in London and is to be "the authoritative voice on information security in the UK".