Zhang Yanbei, Securities Times

China Merchants Securities, the largest securities firm in Shenzhen, suffered two consecutive failures in its trading system, which aroused great concern both inside and outside the industry.

In the past year, there have been many information system security incidents in securities companies and fund companies.

It is understood that a few days ago, the regulatory department issued a "Notification of Institutional Supervision", which specially notified the cases of relevant information system security incidents.

In the notification, the regulator analyzed the causes of the multiple information system security incidents at securities and fund institutions from the aspects of internal control management, mastery of system architecture, operation and maintenance personnel, and mobile app development and management.

At the same time, the regulator set out five requirements for continuously ensuring the safe and stable operation of information systems.

Industry insiders said that, to avoid such hidden dangers, securities and fund management institutions should establish a sound monitoring system, minimize the risk of human operational error, focus on improving emergency response capabilities, and maintain the safety and stability of the trading system.

Information system security incidents occur frequently

Recently, some investors reported online that neither the PC nor the app systems of China Merchants Securities could be logged into, leaving them unable to trade normally.

Coincidentally, on the same day, the Huaxi Securities trading system also malfunctioned during the morning session, making it impossible to trade.

Although the issue was resolved before the close of the morning session, many investors stated bluntly that the trading system outage had caused them financial losses.

This is not the first time that the China Merchants Securities system has been abnormal; the previous problem occurred on March 14 this year, just two months ago.

On March 14, the China Merchants Securities trading system experienced failures such as "the trading page cannot trade or cancel orders". According to investors' reports, the failure lasted as long as 30 minutes.

In response, China Merchants Securities stated that "all transaction orders in the centralized trading system were transmitted to the exchange system in real time, but due to a delay in processing transaction returns, some customers did not receive transaction report information on the client side in time, and order cancellation was affected."

Two outages in two months are extremely rare for a leading brokerage in the 100 billion class such as China Merchants Securities.

In this regard, on April 2, the Shenzhen Securities Regulatory Bureau issued an announcement stating that in the network security incident of March 14, China Merchants Securities had problems such as incomplete change management and an untimely and inappropriate emergency response, and therefore decided to order it to take corrective measures.

The Shenzhen Securities Regulatory Bureau emphasized that the above-mentioned rectification work should be completed within 3 months, and a rectification report should be submitted to the Bureau.

What was not expected at the time was that the China Merchants Securities system would fail again before the 3-month rectification period had even elapsed.

In addition, the trading system of Guosen Securities also malfunctioned on March 15.

At that time, some investors reported that the Guosen Securities trading software could not refresh market quotes, so they could neither view the market nor trade.

It is worth mentioning that similar information system failures and security incidents do not occur only at securities companies.

On February 4, February 14, and February 28, 2022, three fund management companies successively experienced network security incidents in which their official websites became inaccessible due to a virus infection or a web crawler.

Targeting information system security incidents

Regulator identifies five causes

The reporter was informed that, in response to the frequent trading system failures, the Securities and Fund Institutional Supervision Department specially notified the relevant information system security incidents in the new issue of the "Institutional Supervision Bulletin" for the entire industry to learn from.

The report pointed out that a number of securities and fund management institutions had recently experienced information system security incidents, and in particular that similar incidents occurred at China Merchants Securities within a short period of time, which affected investors' normal transactions and damaged the reputation of the industry.

The regulatory authorities will carry out investigations in accordance with the law, and deal with relevant institutions and responsible persons seriously.

Regarding the main types of incidents and the problems they reflect, the regulatory authorities made a specific analysis from five aspects.

First, compliance and internal control management at individual companies is not in place, and there are weak links in the process of system upgrades and transformation.

Taking China Merchants Securities as an example, the circular pointed out that during its weekend system upgrades on March 14 and May 16, 2022, the test scenarios, especially stress tests, were insufficient, resulting in two consecutive information system security incidents in the trading system.

This reflects that the compliance and internal control system of the institution concerned is imperfect, or that its implementation is not in place.

Second, institutions' sense of primary responsibility is weak, their performance of duties is lax, and they lack a clear, accurate and complete grasp of the architecture of software provided by external suppliers.

For example, the Shanghai Stock Exchange quotation program of Beijing Capital Securities failed on May 18 last year. After investigation, the cause was found to be a logical error in an upgrade package applied by a software service provider's engineer while upgrading the asset management system deployed on the same server. The institution had not effectively implemented the requirements of the relevant measures.

Third, the work of operation and maintenance personnel is not sufficiently standardized, and no effective permission management and review mechanism has been established.

On review, 6 information system security incidents were caused by non-standard operations by operation and maintenance personnel.

This reflects omissions in the process design, supervision and inspection of operation and maintenance work at the parties concerned.

Fourth, there are shortcomings in the development and management of mobile apps, which has become an area prone to information system security incidents.

On April 25, 2022, the National Computer Virus Emergency Response Center reported that 13 mobile apps of securities companies had privacy violations and were suspected of collecting personal privacy information beyond the permitted scope.

This reflects that some industry institutions, while carrying out digital transformation and increasing investment in mobile app development, have not kept up with the corresponding security management work.

Fifth, there are gaps in security management, and the capability to defend against external network attacks and crawler access still needs to be improved.

For example, the regulator said that last year three fund companies suffered successive network security incidents, reflecting the insufficient network security protection capabilities of the institutions involved and their failure to establish a comprehensive and effective protection system covering access control, intrusion monitoring and protection, virus protection, and network security.

Regulator lists five requirements

Supervision of information technology management to be further strengthened

In the notification, the regulatory authorities also set out their requirements.

The report pointed out that 2022 is the year in which the 20th National Congress of the Communist Party of China is to be convened, and also a key year for comprehensively deepening capital market reform.

All securities and fund management institutions are requested to refer to the above-mentioned problems, draw inferences from one case to another, conduct self-examination and rectification, safeguard the legitimate rights and interests of investors, and continuously ensure the safe and stable operation of the information system.

First, attach great importance to and strengthen management, so as to effectively improve system operation and maintenance support capabilities.

The first is to consolidate primary responsibility.

Improve the information technology management system and the punishment and accountability mechanism, and urge the company's "top leaders", chief information officers and personnel in key technical positions to keep information system security constantly in mind, earnestly perform their duties, and ensure the safe operation of the organization.

The second is to strengthen security management.

The third is to increase technical support.

In light of the current epidemic prevention and control situation, increase investment in information technology, improve the professional capabilities of technical staff, keep core technical staff stable, and make emergency on-duty arrangements.

Second, strengthen internal control and compliance management, and steadily promote system upgrades.

The first is to clarify the division of internal responsibilities.

The second is to formulate a special implementation plan, fully verify the process design, function setting, parameter configuration and other related content, and prudently carry out the upgrade of important information systems involving core business links such as transactions.

The third is to improve system testing and strengthen stress testing.

Third, regularly conduct system robustness assessments to eliminate hidden risks in a timely manner.

The first is to comprehensively and accurately identify the various technical risks in the process of digital transformation, and ensure that compliance and risk management cover all aspects of information technology application.

The second is to establish and improve the information system security monitoring mechanism.

The third is to regularly carry out special audits on information technology management, in-depth investigation of information system architecture problems and hidden technical risks, and timely rectification.

Fourth, strictly implement customer information protection requirements and earnestly safeguard the legitimate rights and interests of investors.

The first is to improve technical security measures, the second is to strengthen information system management, and the third is to implement relevant laws and regulations and strengthen mobile APP management.

Fifth, strengthen capacity management and disaster recovery capacity building, and improve emergency response capabilities.

The first is to implement the system capacity management and backup capacity building requirements, and to regularly conduct stress tests on important information systems based on factors such as the company's development strategy and business scale, to ensure that capacity meets the needs of business development.

The second is to formulate and continuously improve emergency plans, and the third is to enrich emergency response scenarios.

In the next stage, the Institutions Department will continue to strengthen the supervision and inspection of the compliance, internal control and information technology management of securities and fund operating institutions in accordance with the principle of "penetrating supervision and full-chain accountability". It will apply "double punishment" to institutions and responsible personnel, and deal with them strictly in classification evaluations.

Building systems to ensure information system security

In fact, the securities and fund industry has already entered a stage in which informatization construction and business development go together, and the normal operation of institutions has long depended on the support of data assets, including customer information, transaction data, and other important data.

Since 2017, the securities industry has invested more than 110 billion yuan in information technology, but its digital transformation still has a long way to go.

The person in charge of the relevant business at Hengtai Securities believes that the route and style of digital transformation at this stage are relatively clear, but that in the process of transformation firms more or less run into issues relating to existing corporate culture, technology platforms, organizational structure and input versus output.

From top to bottom, it is necessary to maintain strategic focus to ensure the implementation of the digital strategy; from bottom to top, it is necessary to choose an execution path that is in line with the company's own endowments. Only by imitating peers and working quickly can a successful digital transformation path be found.

The relevant person in charge of the Shanghai Securities Financial Technology Headquarters believes that digital transformation is not simply building systems, building platforms and implementing data, but involves all-round changes in company philosophy, culture, organization, business format, management and processes. It should be fully combined with the firm's own resource endowment, focus on customers to improve the quality and efficiency of securities and financial services, reduce operating costs and risks, actively explore opening up the internal ecological chain and integrating into the external ecological circle, and digitally reshape business processes and business models.

However, achieving the above goals still faces four difficulties: systems and mechanisms that do not match the transformation goals, relatively insufficient resource investment, inadequate data governance and data quality, and a shortage of interdisciplinary talent.

The "Measures for the Information Technology Management of Securities and Fund Operating Institutions" (CSRC Order No. 152), promulgated by the China Securities Regulatory Commission at the end of 2018 and in force since June 1, 2019, serve as the basis for information technology supervision in the industry and are of great significance to information technology service organizations, among others.

The management measures emphasize the necessity of data governance, set clear requirements for data security management responsibilities, and state that institutions need to improve their network systems to protect the security of business data and customer information and prevent data leakage.

The China Securities Regulatory Commission also clearly states that "securities and fund operating institutions shall improve security measures such as network isolation, user authentication, access control, data encryption, data backup, data destruction, log recording, virus prevention and illegal intrusion detection, to protect the security of business data and customer information and prevent information leakage and damage."

As far as the data security of fund companies is concerned, industry insiders said that with the financial industry's growing dependence on communication technology and computer applications, fund companies are increasingly concerned with how to ensure the stable and efficient operation of their information systems.

In recent years, data security at fund companies has gradually been given first priority, including the scope of data use, circulation, copying and tampering.

Source: China Fund News