The largest securities company in Shenzhen, China Merchants Securities Co.Ltd(600999), has suffered two consecutive trading system failures, which has attracted great attention both inside and outside the industry. In the past year, many information system security incidents have occurred at securities companies and fund companies. It is understood that the regulatory authorities recently issued a circular on institutional supervision that specifically reported the cases of these information system security incidents.
In the circular, the regulator analyzed the causes of the many information system security incidents at securities and fund institutions from the aspects of companies’ internal control management, command of system architecture, operation and maintenance personnel, mobile app development and management, and so on. At the same time, the regulator set out five requirements for continuously ensuring the safe and stable operation of information systems.
Industry sources said that, to avoid such hidden risks, securities and fund operating institutions should establish a comprehensive monitoring system, minimize the risk of human operational error, and focus on improving emergency response capability and maintaining the safety and stability of the trading system.
Information system security incidents occur frequently
Recently, some investors reported online that the China Merchants Securities Co.Ltd(600999) PC and app systems could not be logged into, so that normal trading was impossible.
Coincidentally, on the same day, the Huaxi Securities Co.Ltd(002926) trading system also failed during early trading, making trading impossible. Although the problem had been resolved before the close of the morning session, many investors said frankly that they had suffered economic losses because of the trading system outage.
This is not the first time the China Merchants Securities Co.Ltd(600999) system has malfunctioned; the last problem occurred on March 14 this year, just two months ago.
On March 14, the China Merchants Securities Co.Ltd(600999) trading system had failures such as “the trading page cannot be closed and orders cannot be withdrawn”. According to investors, the failure lasted as long as 30 minutes.
China Merchants Securities Co.Ltd(600999) responded that “all trading orders in the centralized trading system were transmitted to the exchange system in real time, but due to a delay in processing trade confirmations, some customers did not receive the trade confirmation information at the client in time, and order cancellations were affected.”
Two outages in two months is extremely rare for a 100-billion-level leading securities firm such as China Merchants Securities Co.Ltd(600999). In this regard, on April 2, the Shenzhen Securities Regulatory Bureau announced that China Merchants Securities Co.Ltd(600999) had shown problems in the March 14 network security incident, such as imperfect change management and untimely and inadequate emergency response, and decided to order corrective measures.
The Shenzhen Securities Regulatory Bureau stressed that the rectification work should be completed within three months and a rectification report submitted to the Bureau. What was not expected at the time was that, before the three-month rectification period had even elapsed, the China Merchants Securities Co.Ltd(600999) system would malfunction again.
In addition, the trading system of Guosen Securities Co.Ltd(002736) also failed on March 15. At that time, some investors reported that market quotes in the Guosen Securities Co.Ltd(002736) trading software could not be refreshed, making it impossible to view quotes or trade.
It is worth noting that such information system failures and security incidents do not occur only at securities companies. On February 4, February 14 and February 28, 2022, three fund management companies successively suffered network security incidents in which their official websites became inaccessible due to virus infection or crawler traffic.
Targeting information system security incidents,
regulators identify five causes
The reporter learned that, in view of the frequent trading system failures, the securities and fund institution supervision department specifically reported the relevant information system security incident cases in the latest issue of its institutional supervision circular, for reference by the whole industry.
The circular pointed out that information system security incidents had recently occurred at many securities and fund operating institutions, and in particular that similar incidents had occurred at China Merchants Securities Co.Ltd(600999) within a short period, affecting investors’ normal trading and damaging the reputation of the industry. The regulatory authorities will investigate according to law and deal seriously with the institutions and responsible personnel involved.
For the main types of incidents and the problems they reveal, the regulatory authorities gave a specific analysis from five aspects. First, the compliance and internal control management of individual companies is not in place, and there are weak links in the system upgrade process.
Taking China Merchants Securities Co.Ltd(600999) as an example, the circular pointed out that on March 14 and May 16, 2022, following weekend system upgrades at China Merchants Securities Co.Ltd(600999) in which the test scenarios, and stress testing in particular, were insufficient, the trading system suffered two consecutive information system security incidents. This reflects that the compliance and internal control system of the institution concerned is either imperfect or not implemented in place.
Second, the sense of primary responsibility is not strong, duties are not performed diligently, and institutions’ grasp of the architecture of software supplied by external vendors is not clear, accurate and complete.
For example, the Shanghai Stock Exchange order-submission program of Capital Securities failed on May 18 last year. The investigation found that the cause of the accident was a logical error in an upgrade package prepared by an engineer of the software service provider while upgrading the asset management system deployed on the same server, reflecting that the institution concerned had not effectively implemented the requirements of the relevant measures.
Third, the operations of operation and maintenance personnel are insufficiently standardized, and effective authority management and review mechanisms have not been established. On review, there were 6 information system security incidents caused by non-standard operations by operation and maintenance personnel. This reflects omissions in the process design, supervision and inspection of operation and maintenance work.
Fourth, there are shortcomings in the development and management of mobile apps, which has become an incident-prone area for information system security. On April 25, 2022, the National Computer Virus Emergency Response Center reported that 13 mobile apps of securities companies had privacy violations and were suspected of collecting personal privacy information beyond the permitted scope. This reflects that some industry institutions, while pursuing digital transformation and increasing investment in mobile app development, failed to carry out the corresponding security management work at the same time.
Fifth, there are loopholes in security management, and network protection capabilities against external network attacks or crawler access still need to be improved.
For example, according to the regulator, three fund companies successively experienced network security incidents last year, reflecting insufficient network security protection capability at the institutions concerned, which had failed to establish a comprehensive and effective protection system in terms of access control, intrusion monitoring and protection, virus protection, network security and so on.
Regulators list five requirements
to continuously strengthen information technology management and supervision
In the circular, the regulatory authorities also set out requirements. The circular pointed out that 2022 is the year of the triumphant convening of the 20th CPC National Congress and a key year for comprehensively deepening capital market reform; institutions are asked to review the above problems, draw inferences from each case, carefully conduct self-examination and rectification, safeguard the legitimate rights and interests of investors, and continue to ensure the safe and stable operation of information systems.
First, attach great importance to and strengthen management, so as to effectively improve system operation and maintenance support capacity. The first is to consolidate primary responsibility: improve the information technology management system and the punishment and accountability mechanism, and urge companies’ “top leaders”, chief information officers and personnel in key technical positions to keep information system security constantly in mind, earnestly perform their duties, and pay close attention to the safe operation of the organization.
The second is to strengthen security management. The third is to increase technical support: in light of the current epidemic prevention and control situation, increase investment in information technology, improve the professional capability of technicians, keep core technicians stable, and make emergency duty arrangements.
Second, strengthen internal control and compliance management, and steadily promote system upgrades and transformation. The first is to clarify the division of internal responsibilities. The second is to formulate a special implementation plan, fully verify the process design, function settings, parameter configuration and other related content, and prudently carry out upgrades of important information systems involving core business links such as trading. The third is to improve system testing and strengthen stress testing.
Third, regularly carry out system robustness evaluation to eliminate potential risks in time. The first is to comprehensively and accurately identify the various technical risks in the digital transformation process, and ensure that compliance and risk management cover every link of information technology application.
The second is to establish and improve the information system security monitoring mechanism. The third is to regularly carry out special audits of information technology management, thoroughly investigate problems in information system architecture and potential technical risks, and rectify them in time.
Fourth, strictly implement customer information protection requirements and earnestly safeguard the legitimate rights and interests of investors. The first is to improve technical security measures, the second is to strengthen information system management, and the third is to implement the requirements of relevant laws and regulations and strengthen the management of mobile apps.
Fifth, strengthen capacity management and disaster recovery construction, and improve emergency handling capability. The first is to implement the requirements for system capacity management and backup capacity construction, and regularly carry out stress tests on important information systems, taking into account the company’s development strategy, business scale and other factors, to ensure that their capacity meets the needs of business development. The second is to formulate and continuously improve emergency plans, and the third is to enrich the emergency response scenarios.
In the next stage, the institutional department will continue to strengthen supervision and inspection of the compliance, internal control and information technology management of securities and fund operating institutions in accordance with the principle of “penetrating supervision and full-chain accountability”, impose “double penalties” on problematic institutions and responsible personnel, and deal with them strictly in classified evaluation.
System construction to ensure information system security
In fact, the securities and fund industry has long since entered a stage in which IT construction and business develop in step, and the normal operation of institutions has long been inseparable from the support of data assets, including customer information, transaction data and all kinds of important data.
Since 2017, the securities industry has invested more than 110 billion yuan in information technology, but the digital transformation of the securities industry still has a long way to go.
The person in charge of the relevant business at Hengtai Securities believes that the route and approach of digital transformation at this stage are relatively clear, but that in the process of transformation, problems related to the existing corporate culture, technology platform, organizational structure and input-output ratio will be encountered to a greater or lesser extent.
From the top down, we need to maintain strategic focus to ensure that the digital strategy is implemented; from the bottom up, we should choose an implementation path suited to the enterprise’s own endowment, deciding what to do first and what later, what to do and what not to do, rather than blindly imitating the industry, so as to find a successful road to digital transformation.
The relevant person in charge at the financial technology headquarters of Shanghai Securities believes that digital transformation is not simply a matter of building systems and platforms and landing data, but involves all-round change in the company’s philosophy, culture, organization, business format, management and processes. Companies should fully combine their own resource endowment, focus on customers, improve the quality and efficiency of securities financial services, reduce operating costs and risks, and actively explore and open up the internal ecological chain and integrate into the external ecosystem, so as to digitally reshape business processes and business models. Achieving these objectives still faces four difficulties: the difficulty of matching institutional mechanisms to the transformation objectives, relatively insufficient resource investment, inadequate data governance and data quality, and a shortage of interdisciplinary talent.
On June 152nd, 2018, the China Securities Regulatory Commission issued the information technology management measures for securities companies, which are of great significance for information technology management in the securities industry.
The management measures emphasize the necessity of data governance, set clear requirements for the management responsibilities for data security, and indicate that institutions need to improve their network systems, protect the security of business data and customer information, and prevent data leakage.
The CSRC’s information technology management measures for securities and fund operating institutions also clearly state that “securities and fund operating institutions shall improve security measures such as network isolation, user authentication, access control, data encryption, data backup, data destruction, logging, virus prevention and illegal intrusion detection, so as to protect the security of operating data and customer information and prevent information leakage and damage.”
As for the data security of fund companies, industry sources said that, with the financial industry’s growing dependence on communication technology and computer applications, how to ensure the stable and efficient operation of information systems has attracted increasing attention from the relevant departments of fund companies.
In recent years, data security at fund enterprises has gradually been put first, covering the scope of use, circulation, replication and tampering of data.