当前,证券行业数字化转型正加速推进,并不断推动业务与技术的融合。不过,随着网络和信息安全管理日趋复杂,信息安全事件的频发,使得行业网络和信息安全管理能力面临更大挑战。
对此,为加强网络与信息系统安全稳定运行保障体系和能力建设,提高资本市场网络和信息安全水平,推动数字赋能行业高质量发展等,中国证券业协会近日起草并向券商下发了《证券公司网络和信息安全三年提升计划(2023-2025)》(征求意见稿)(以下简称《安全提升计划》),并以附件的形式将重点事项进行任务分解,合计33项重点工作。
一、对券商六大方面明确提出提升方向和要求
《安全提升计划》主要任务聚焦证券公司网络和信息安全能力领域普遍存在的基础性和深层次问题,从科技治理能力、科技投入机制、信息系统架构规划设计、研发测试效能与质量、系统运行保障能力和网络信息安全防护体系等六个方面明确提出提升方向和要求。
科技治理能力方面,券商需要在2023年年底前据公司的整体战略规划,制定全方位的网络和信息科技战略发展规划,并完善信息系统的开发、测试、运维及信息安全等技术管理领域的管理体系。
科技投入机制方面,主要包括加大科技资金投入,加强科技人才队伍建设等两方面。近年来,券商对信息科技重视程度不断增强,行业信息技术投入逐年增长,2017年至2021年期间行业持续加大信息技术领域的投入为行业数字化转型和高质量发展奠定坚实基础,在信息技术领域累计投入近1200亿元。
具体来看,《安全提升计划》鼓励有条件的公司2023年至2025年三个年度信息科技平均投入金额不少于上述三个年度平均净利润的8%或平均营业收入的6%。以最新披露数据为例,2021年证券行业信息技术投入金额为338.2亿元,同比增长28.7%,占上一年度营业收入的7.7%;其中有10家券商的投入均超10亿元,信息技术投入占营业收入比例超6%的券商有20家,而不少中小券商也将金融科技视为核心竞争力之一,华林证券、华鑫证券的投入占比均已超20%;不过中信证券、中信建投等部分头部券商的投入占比均在6%以下。
申万宏源预计,“未来假设全部券商达到6%收入要求标准,则按照过去三年平均收入计算,增量信息技术投资金额约22亿元。 ”
与此同时,人才更是证券行业数字化转型的关键所在。《安全提升计划》要求券商信息科技专业人员不低于公司员工总数的6%,网络和信息安全专业人员不低于信息科技专业人员的3%且不应少于4人。并且各券商要优化技术从业人员结构,聚焦专业素质能力提升,做好金融科技专业领域核心人才挖掘、培养,完善从业人员梯队结构,做好青年技术员工等储备。同时,健全从业人员培养体系、完善市场化激励约束机制。
二、信息安全是重中之重,信息技术能力建设尤为重要
当前,券商对数字化转型的重要性及紧迫性已达成共识。根据中证协调查反馈显示,共77家证券公司将数字化转型列为公司发展战略,数字化转型的“主战场”逐步由零售经纪业务扩展到机构业务、资产管理、投资银行、自营投资、中后台等多个领域,数字化转型覆盖多业务领域的证券公司有69家,占比高达89.61%。证券行业数字化转型已进入全面加速阶段,广度和深度不断加大。
中信建投非银金融团队认为,“金融机构数字化转型已不局限于‘信息化+互联网’赋能升级,而是建立‘全面化+跨行业’融合机制,作为配置市场资源、提供风险定价的重要角色,券商的信息技术能力在此数字化浪潮中显得尤为重要。”
不过,券商在转型过程中也逐渐暴露出一系列阶段性问题,信息安全事件更是时有发生,对资本市场的安全平稳运行造成较大冲击。数据显示,在2017至2021年信息技术风险相关的监管处罚中,有26.09%的证券公司是因为信息技术系统建设不完善,部分业务环节、风控环节未纳入系统监管流程,从而受到监管处罚;其余73.91%的证券公司主要是因为信息技术应用过程中相应的管理机制不健全、管理流程缺失等内部合规管理不足造成。
2022年,某大型券商因系统交易问题登上微博热搜,此后,监管火速对该券商采取责令改正的整改措施,并指出该券商在网络安全事件中,存在变更管理不完善,应急处置不及时、不到位等问题。而在2021年,另有某券商更是发生集中交易系统部分中断,影响交易时间合计约20分钟,达到较大信息安全事件标准。
至此,《安全提升计划》要求券商在2023年底前建立全面覆盖业务、应用、底层基础架构和基础设施的信息系统运行监测体系,并持续完善,不断提升运行监控的覆盖度,应建设统一的告警平台;并建立与持续完善软件质量管理制度以及测试指引、制定信息系统备份管理策略、建立完善的漏洞管理制度、建立个人信息保护制度体系等。
翻译:
At present, the digital transformation of the securities industry is accelerating, and constantly promoting the integration of business and technology. However, with the increasing complexity of network and information security management, information security events occur frequently, making the industry network and information security management ability face greater challenges.
In this regard, in order to strengthen the security system and capacity building for the safe and stable operation of networks and information systems, improve the level of network and information security in the capital market, and promote the high-quality development of the digital enabling industry, The Securities Association of China has recently drafted and issued to securities brokerages the three-year Network and information Security Improvement Plan (2023-2025) (draft for comments)(hereinafter referred to as the “Security Improvement Plan”), and in the form of attachments will be the key issues for task breakdown, a total of 33 key work.
First, the six aspects of securities firms clearly put forward the direction and requirements for promotion
The main task of the Security Improvement Plan focuses on the basic and deep-seated problems commonly existing in the field of securities companies’ network and information security ability, and clearly puts forward the improvement direction and requirements from six aspects, including science and technology governance ability, science and technology investment mechanism, information system architecture planning and design, research and development test efficiency and quality, system operation guarantee ability and network information security protection system.
In terms of science and technology governance ability, securities firms need to formulate a comprehensive network and information technology strategic development plan before the end of 2023 according to the company’s overall strategic planning, and improve the information system development, testing, operation and maintenance and information security and other technical management field management system.
The investment mechanism of science and technology mainly includes increasing the investment of science and technology capital and strengthening the construction of science and technology personnel. In recent years, securities firms have been attaching more and more importance to information technology, and the investment in information technology in the industry has been increasing year by year. From 2017 to 2021, the industry has continued to increase the investment in the field of information technology, laying a solid foundation for the digital transformation and high-quality development of the industry, with a total investment of nearly 120 billion yuan in the field of information technology.
Specifically, the Safety Improvement Plan encourages qualified companies to invest an average of no less than 8% of the average net profit or 6% of the average operating revenue in the three years from 2023 to 2025. Taking the latest disclosed data as an example, the investment amount of information technology in the securities industry in 2021 was 33.82 billion yuan, a year-on-year growth of 28.7%, accounting for 7.7% of the operating income of the previous year; Among them, 10 brokerages have invested more than 1 billion yuan, and 20 brokerages have invested more than 6% of their operating income in information technology, and many small and medium-sized brokerages also regard fintech as one of their core competitiveness. Hualin Securities and Huaxin Securities have invested more than 20%. However, Citic Securities, Citic Construction Investment and other leading brokerages accounted for less than 6% of the investment.
Shen Wan Hongyuan predicted, “Assuming that all brokerages reach the required 6% income standard in the future, in accordance with the average income of the past three years, the incremental information technology investment amount of about 2.2 billion yuan.”
At the same time, talent is the key to the digital transformation of the securities industry. The Security Improvement Plan requires that the number of information technology professionals in brokerages should be no less than 6% of the company’s total staff, and that the number of network and information security professionals should be no less than 3% of information technology professionals and no less than 4 people. In addition, brokerages should optimize the structure of technical practitioners, focus on the improvement of professional quality and ability, do a good job in the mining and training of core talents in the field of financial technology, improve the structure of practitioners, and do a good job in the reserve of young technical employees. At the same time, we will improve the training system for employees and the market-based incentive and restraint mechanism.
Second, information security is a top priority, and IT capacity building is particularly important
At present, brokerages have reached a consensus on the importance and urgency of digital transformation. According to the survey feedback of China Securities Association, a total of 77 securities companies listed digital transformation as their corporate development strategy, and the “main battlefield” of digital transformation gradually expanded from retail brokerage business to institutional business, asset management, investment banking, proprietary investment, middle and back office and other fields. There were 69 securities companies with digital transformation covering multiple business fields, accounting for 89.61%. The digital transformation of securities industry has entered the stage of comprehensive acceleration, with increasing breadth and depth.
The non-bank financial team of CITIC Construction & Investment believes that “the digital transformation of financial institutions is no longer limited to the enabling upgrade of ‘informatization + Internet’, but the establishment of a ‘comprehensive + cross-industry’ integration mechanism. As an important role in allocating market resources and providing risk pricing, securities firms’ information technology capabilities are particularly important in this digital wave.”
However, securities firms have gradually exposed a series of periodic problems in the process of transformation, and information security incidents occur from time to time, causing a great impact on the safe and stable operation of the capital market. According to the data, 26.09% of securities companies received regulatory penalties related to information technology risks from 2017 to 2021 because the construction of information technology system was not perfect, and some business links and risk control links were not included in the system regulatory process, thus receiving regulatory penalties; The remaining 73.91% of securities companies are mainly caused by the lack of internal compliance management such as imperfect management mechanism and management process in the application of information technology.
In 2022, a large securities firm became a hot search on Weibo due to systemic trading problems. After that, the regulator quickly took corrective measures against the securities firm, and pointed out that there were problems such as imperfect change management and untimely and inadequate emergency treatment in the cyber security incident. In 2021, there was a partial interruption of the centralized trading system of another securities firm, which affected the trading time for about 20 minutes in total, reaching the standard of a large information security event.
At this point, the “Safety Improvement Plan” requires securities firms to establish an information system operation monitoring system that comprehensively covers business, application, underlying infrastructure and infrastructure by the end of 2023, and continue to improve it, constantly improve the coverage of operation monitoring, and build a unified alarm platform. And establish and continuously improve the software quality management system and testing guidelines, formulate information system backup management strategy, establish a sound vulnerability management system, establish personal information protection system, etc.
本文由数字化转型网(www.szhzxw.cn)转载而成,来源:证券日报;记者:周尚伃;编辑/翻译:数字化转型网默然。
免责声明: 本网站(http://www.szhzxw.cn/)内容主要来自原创、合作媒体供稿和第三方投稿,凡在本网站出现的信息,均仅供参考。本网站将尽力确保所提供信息的准确性及可靠性,但不保证有关资料的准确性及可靠性,读者在使用前请进一步核实,并对任何自主决定的行为负责。本网站对有关资料所引致的错误、不确或遗漏,概不负任何法律责任。
本网站刊载的所有内容(包括但不仅限文字、图片、LOGO、音频、视频、软件、程序等) 版权归原作者所有。任何单位或个人认为本网站中的内容可能涉嫌侵犯其知识产权或存在不实内容时,请及时通知本站,予以删除。
