18 March 2010
The Chief Executive
All Registered Institutions
Dear Sir/Madam,
I am writing to draw your attention to a circular issued by the SFC on 16 March 2010 ("the SFC Circular"). The SFC Circular sets out certain deficiencies in information technology ("IT") areas identified in the course of the SFC's supervision. The SFC Circular reminds intermediaries of the need to implement adequate controls for guarding against unauthorised alteration of, or intrusion into, the information systems or the data. In addition, the SFC Circular puts forth some recommended control measures for managing IT risks.
A copy of the SFC Circular is enclosed at Annex. Your institution is required to assess the adequacy and effectiveness of its related controls against the requirements set out in the SFC Circular as well as the relevant guidelines¹ issued by the Hong Kong Monetary Authority, and where necessary, make appropriate enhancements.
Yours faithfully,
Nelson Man
Executive Director (Banking Supervision)
¹ Including, among others, Supervisory Policy Manual modules on "General Principles for Technology Risk Management", "Supervision of E-banking", "Business Continuity Planning", and circular on "Customer data protection" (2008)