By By Zhang Yong, Shen Xing
Published: 2008-06-17

Cover story, issue 371 June 9 2008
Translated by Liu Peng, Zuo Maohong
Original article:

Site-wide blackouts, network intrusions, viruses, and other security breaches... it's been a busy several weeks for many Chinese fund companies who have had to demonstrate their resilience to these and other digital threats.

After a hacking incident this past March halted trading for one firm, , the China Security Regulatory Commission (CSRC) launched an assessment of the industry's IT defenses.

After completing the exercises and inspections, which began in April, the Commission has identified at least ten firms that have sub-par security.

A Surprise Attack
Investigators discovered that many firms had unstable, vulnerable networks, said a source involved. He gave the example of two companies in Beijing, which were easily hacked into due to their simple administrator's passwords.

Watchdogs were apparently dissatisfied. In a speech by a CSRC official on May 30, fund companies were criticized as having failed to attach the necessary importance to network security. The official also claimed that guidelines on information security management would be studied and issued by the Commission later.

In fact, the maneuver was just a part of the Commission's inspection work, which was started in late April by local securities regulatory bodies, according to a source from the CSRC. Data backup and separation of intranet and the external net were the main focus, he said. Local watchdogs would launch a second round of spot inspections later, the source added.

One fund company in Shenzhen had recently been busy preparing for the spot inspection. "There have been regular inspections before, but much less strict than this time," said a technical staffer of the company.

Upgraded Hacker Attacks
According to an official who wishes to remain anonymous, the inspection was triggered by a hacker attack to the trading system of a securities company in Beijing in early March. Though it didn't lead to significant losses, it aroused great concern from the CSRC.

The EO has learned that the attack disabled the trading system for at least half an hour. Transactions were thus interrupted and clients were forced to make trades by phone. Reportedly, some investors had appealed to the government, and the police had investigated the matter.

Actually, this wasn't the first case of its kind. According to the chief of the technical department of a CITIC Security Shanghai branch, securities firms had encountered network security problems early in 2004, mainly in online transactions. The application of non-spot trade also brought potential risks, he added.

On May 15 2007, a virus named "Trojan/PSW.Soufan" invaded many investors' computers and revised their stock trading data.

In this case, said the above-mentioned source, it would usually be the investor who assumed responsibility. Before an online trade was made, the security trader would sign a contract with the client, warning of such potential risks and declaring no responsibility for them.

So far, the CSRC has not received any reports about serious internet invasion cases, a source close to the Commission told the EO. However, considering potential social impacts such cases could have and the sensitive period China is in, the CSRC ultimately decided to strengthen the information security system among fund companies and securities traders.

Wang Yu, Zhao Juan and Chen Zhe also contributed to this report.