Hong Kong to tighten cyber security rules after broker hacks

(Reuters) — Hong Kong plans to toughen information security rules after a series of embarrassing hacks at the city's brokers, the securities regulator said on Thursday.

The draft rules would likely include requirements for two-step authentication for account log-in and for brokers to notify clients when a transaction had been made, a Hong Kong Securities and Futures Commission spokesman said.

The SFC would publish a consultation on the draft rules during the second quarter.

The rule changes would be made to the SFC Code of Conduct, meaning they would not need to be passed into legislation.

Hong Kong police have struggled to deal with digital pump-and-dump schemes targeting brokerages — a little-known type of computer-generated fraud that surged in the Chinese territory last year.

Although the money involved has so far been small — only about $20 million worth of shares — there were 81 such incidents reported in 2016, more than triple the number in 2015, according to police.

In the scheme, criminals invest in thinly traded penny stocks and then manipulate their share prices by ordering trades from hacked brokerage accounts. They earn profits by selling before the fraudulent trades are reported.

Hong Kong has been a favored place for such attacks because of the number of thinly traded penny stocks in the territory and because its securities industry has fallen behind other financial centers in defending against cyber fraud, Reuters reported in February.

At least seven brokers and eight banks have been targeted in Hong Kong, including HSBC Holdings P.L.C. and Bank of China International Securities, Reuters reported, citing sources.

One investigator said there had been a new spurt of such attacks in 2017, and that banks and brokers were unable to identify the culprits.

Authorities believe that hackers accessed brokerage accounts using stolen or guessed passwords, according to investigators.