Electronic Trading and Cybersecurity in Hong Kong
On March 23, 2016, the Securities and Futures Commission (SFC) produced a cybersecurity circular as a result of regulatory inspections of large licensed corporations focusing on their adherence to the Electronic Trading Code of Conduct (the “Code”) that came out on January 1, 2014.
In the period since the Code was announced, incidents with a material impact on the market have continued to take place. Notably, the regulator can hold to account any market participant, be it bank or broker, hedge fund or asset manager, for a market impact incident. Any subsequent discovery of non-compliance with the Code would only add fuel to the fire.
The Code mandates that registered SFC entities engaged in electronic trading, if they have not already done so, conduct regular reviews of their electronic trading controls to ensure compliance with their own policies and with regulatory developments. Moreover, they are required to remedy any deficiencies identified.
It is clear that both electronic trading and cybersecurity are receiving much regulatory attention and are viewed by the regulator and industry alike as high risk and priority areas.
Duff & Phelps has conducted a number of reviews on behalf of clients to assess their arrangements for adherence to the Code. Through these reviews we have examined and tested a variety of circuit breakers and identified common failings in areas where firms do not meet the requirements of the Code. We can offer practical insight into the measures and controls that are expected to maintain an orderly market and protect against reputational risk.
Below are the key areas of the Code in which we have noted common failings and where we can add value by identifying areas of concern that may require further action in terms of evidence, testing and/or remediation:
- Management and supervision: we can review the governance arrangements with a view to assessing the level of ownership and accountability throughout the lifecycle of the electronic system based on our knowledge of regulatory expectations
- System adequacy: we can apply our understanding of the regulator's system resilience expectations and assess firms' arrangements for avoiding market impact
- Direct market access (DMA): we can provide tailored advice with respect to the regulator's pre- and post-trade monitoring and control expectations
- Risk management: we can review the measures in place and challenge the adequacy and appropriateness of their design versus their usage
- Algorithmic trading: our experts can assess the intended market impact of the algorithms against their actual market impact, and comment on the alignment of the two as well as the appropriateness of the intended impact
- Record keeping, audit logs and incident reports: we can assist with checking that appropriate arrangements are in place in line with the regulatory requirements for maintaining sufficient records
In addition to the above, Duff & Phelps has a proven risk-based methodology in assisting clients in meeting regulatory expectations with respect to their cybersecurity arrangements. We can conduct a full cybersecurity review delivering a report that includes a risk assessment, implementation oversight of risk mitigation actions, information security and compliance policies, and a cybersecurity response and recovery plan.