Require securities companies to develop security incident response plans
A recent dispatch from the State Securities Commission requires securities companies and fund managers to develop plans to respond to security incidents and emergency situations for online securities trading systems.
The State Securities Commission (SSC) has just issued Official Letter No. 3351/UBCK-CNTT requesting securities companies and fund management companies to strengthen network information security for securities trading activities. This is a follow-up document to Official Letter No. 1837/UBCK-CNTT dated March 25, 2024 of the SSC on warning about the security of online securities trading systems.
Accordingly, to enhance network information security, take measures to respond to urgent situations, and ensure the security and safety of the transaction system and investor rights, the State Securities Commission has issued 4 requirements.
First, securities companies and fund management companies will have to organize information security inspections and assessments for information systems according to the provisions of Articles 11 and 12 of Circular No. 12/2022/TT-BTTTT dated August 12, 2022 of the Ministry of Information and Communications and Decree No. 85/2016/ND-CP of the Government.
Second, the SSC also requested companies to ensure compliance with regulations on information system security at each level and implement protection measures to meet information security requirements according to the contents specified in Article 19 of Decree No. 85/2016/ND-CP; Article 9, Article 10 of Circular No. 12/2022/TT-BTTTT and national standard TCVN 11930:2017.
Third, securities companies and fund managers are to develop plans to respond to security incidents and emergencies in online securities trading systems. Finally, the State Securities Commission requires that they organize communication and dissemination activities to raise information security awareness among their officers and employees.
Previously, at the end of March 2024, a serious attack on VNDirect's information technology system left investors who were customers of this securities company with their trading activities "frozen" for a week.
Immediately after the cyber attack at a securities company at the end of March, the Information Security Department under the Ministry of Information and Communications requested that securities companies report on the implementation of information security by level and information security according to the 4-layer model.
According to the dispatch sent to the securities company, failure to ensure information system security according to the level is a violation of the law and will be subject to administrative sanctions according to Articles 88 and 89 of Decree No. 15/2020/ND-CP dated February 3, 2020 of the Government regulating sanctions for administrative violations in the fields of post, telecommunications, radio frequencies, information technology and electronic transactions.
This is a reporting obligation under the Investment Law 2020 and Decree 85/2016/ND-CP requiring information systems providing securities services to implement information system security assurance at various levels. The administrative penalties for these violations are currently quite low. However, for companies operating in the field of providing financial services, damage to reputation, prestige and customer trust is a serious problem.
Source: https://baodautu.vn/yeu-cau-cong-ty-chung-khoan-xay-dung-ke-hoach-ung-pho-su-co-an-toan-bao-mat-d216529.html