We have compiled the following chronology table which serves as a quick reference point to track the circulars and guidance published by HK financial services regulators in relation to COVID-19. We will update the table regularly. Kindly note that the table is not intended to capture all regulatory publications on an exhaustive basis.

Securities and Futures Commission (SFC) Circulars/Guidelines

 

TITLE | SUMMARY | DATE | LINK | REMARKS

Circular to licensed corporations – Margin requirements for non-centrally cleared OTC derivative transactions 

The SFC published a circular informing licensed corporations (LCs) that the SFC will defer the introduction of initial margin (IM) requirements for non-centrally cleared over-the-counter (OTC) derivative transactions by one year to provide operational relief in light of the COVID-19 outbreak. The IM requirements for LCs which are contracting parties to non-centrally cleared OTC derivative transactions entered into with a covered entity were originally to be phased in starting from 1 September 2020.

In light of the Basel Committee on Banking Supervision and the International Organization of Securities Commissions' announcement of the one-year extension of the deadlines for completing the final implementation phases of the IM requirements for non-centrally cleared OTC derivatives, the SFC has accordingly extended the phase-in schedule for the IM requirements by one year, summarized as follows:

  • From 1 September 2021 to 31 August 2022, the exchange of IM by an LC is required in a one-year period where both the LC and the covered entity have an average aggregate notional amount (AANA) of non-centrally cleared OTC derivatives exceeding HK$375 billion on a group basis.
  • On a permanent basis starting from 1 September 2022 and for each subsequent 12-month period, the exchange of IM by an LC is required in a one-year period where both the LC and the covered entity have an AANA of non-centrally cleared OTC derivatives exceeding HK$60 billion on a group basis.

For avoidance of doubt, the variation margin requirements will still become effective on 1 September 2020. 

7 May 2020 
 
Circular to licensed corporations – Management of cybersecurity risks associated with remote office arrangements

The SFC published a circular reminding licensed corporations (LCs) to assess their operational capabilities and implement appropriate measures to manage cybersecurity risks associated with remote office arrangements, in light of the increased use of such arrangements as a result of the COVID-19 outbreak. The SFC set out some examples of controls and procedures LCs may take in relation to various aspects of remote office arrangements:

Remote access to internal network and systems – LCs should consider the below measures (amongst others) to mitigate cybersecurity risks:

  • Implement robust virtual private network (VPN) solutions, which provide strong encryption and two or more layers of protection, to protect the integrity of data transmitted between remote users' devices and internal systems;
  • Monitor, evaluate and implement security patches or hotfixes released by VPN software providers on a timely basis;
  • Require the use of strong passwords and implement two-factor authentication for remote access logins by employees, agents and service providers, in particular when accessing privileged accounts and sensitive data repositories;
  • Avoid granting standing or permanent access to external parties and only allow vendors to access specific systems during pre-determined timeframes;
  • Implement different levels of remote access, such as by equipping computers and mobile devices supplied by LCs with greater capabilities than employee-owned devices;
  • Implement security controls to prevent unauthorised installation of hardware and software on computers and devices provided to staff; and
  • Implement robust network segmentation to segregate system servers and databases, based on criticality, to better protect more critical and sensitive data, such as clients' personal data.

Use of video conferencing platforms – LCs should consider the below measures (amongst others) to mitigate the risk of unauthorized access and leakage of critical or sensitive data:

  • Assess the security features of videoconferencing platforms before use;
  • Allow only authenticated and authorized users to join the videoconference, e.g. by checking their email addresses or making use of "waiting room" features;
  • Invite participants via conferencing software or other legitimate channels, e.g. office emails, and refrain from sharing links to conferences via social media posts;
  • Use a random meeting ID, rather than a personal meeting ID;
  • Enable the password protection feature on the videoconferencing platform;
  • Lock the conference meeting once all the participants have joined, as appropriate; and
  • Use the latest version of the software with the most up-to-date security patches installed.

The SFC also reminded LCs to put in place other measures for enhancing operational capabilities and monitoring mechanisms for remote office activities, such as:

System capabilities:

  • Assess the adequacy of, and enhance, existing information technology infrastructures, software (such as remote computer devices, network bandwidth and software licenses) and hardware (such as notebook computers and mobile devices) for the purpose of supporting remote office arrangements.

Surveillance and incident handling:

  • Implement monitoring and surveillance mechanisms to detect unauthorized access to internal networks and systems, such as reviewing the list of unauthorized access attempts and detecting the use of unapproved applications; and
  • Develop and maintain an effective incident management and reporting mechanism.

Cybersecurity training and alerts:

  • Provide adequate cybersecurity training to all internal system users and issue appropriate reminders and alerts to clients, e.g. advice on precautionary security measures, emerging cybersecurity threats and trends (such as phishing and ransomware) and use of secure Wi-Fi networks for accessing internal networks and videoconferencing platforms, on a regular basis.

29 April 2020

Download >> COVID-19 Related Circulars Or Guidance (Non-Exhaustive) Published By Financial Services Regulators Of Hong Kong (Last Updated: 1 February 2021)


© Copyright 2020. The Mayer Brown Practices. All rights reserved.
