Network and Information Security
Latest survey by the Securities Association of China: it concerns securities firms' information technology
券商中国· 2026-02-05 03:31
Core Viewpoint
- The China Securities Association (CSA) is conducting a survey on the implementation of information technology in securities firms, following the expiration of a three-year plan aimed at enhancing network and information security in the industry [1][2].

Group 1: Survey and Implementation
- The survey involves over 70 specific tasks, including whether the average annual IT investment by securities firms is at least 10% of their average annual net profit or 7% of their average annual revenue [2].
- The CSA's "Three-Year Enhancement Plan for Network and Information Security (2023-2025)" aims to improve the security and stability of securities firms' information systems, addressing issues such as insufficient IT investment and outdated system architecture [2][3].
- The plan outlines six key areas for improvement, including governance capabilities, investment mechanisms, system architecture, testing management, operational support, and security defense systems [3].

Group 2: Evaluation of Effectiveness
- The CSA has sent a letter to securities firms to assess the implementation of the enhancement plan, focusing on various dimensions such as governance, investment, architecture, security, emergency response, and compliance [4].
- The evaluation categorizes 71 tasks into "mandatory tasks" and "encouragement tasks," with over 70% being mandatory requirements that firms must complete [4].

Group 3: Investment and Talent Development
- Securities firms are encouraged to ensure that their average IT investment from 2023 to 2025 is at least 10% of their average net profit or 7% of their average revenue, with a focus on adequate funding for network and information security [5][6].
- Firms are also urged to enhance their technology talent pool, aiming to increase the proportion of IT professionals to 7% of total employees, with at least 3% being information security specialists [6].

Group 4: App Security Certification
- The CSA is inquiring about the number of main client-facing apps and how many have passed industry security certification, emphasizing the importance of app security and compliance with national standards [7].
Securities industry faces a major network and information security examination
Zheng Quan Ri Bao· 2026-02-04 16:12
At the technology governance level, the questionnaire sets explicit requirements for securities firms' top-level design: all nine tasks, including improving the technology strategy development plan and strengthening the technology governance structure, are listed as "hard" work tasks. This means that securities firms' technology governance must be elevated to the level of corporate strategy, achieving deep integration and coordinated development of technology and business.

With the implementation of the "Three-Year Enhancement Plan for Network and Information Security of Securities Companies (2023-2025)" (hereinafter the "Security Enhancement Plan") drawing to a close, a "comprehensive health check" of network and information security in the securities industry has formally begun.

On February 4, Securities Daily reporters learned from several securities firms that, in line with the regulators' requirements for summary evaluation work, the Securities Association of China has issued a summary evaluation questionnaire to each securities firm and plans to conduct a "Summary Evaluation Survey of the Three-Year Enhancement Plan for Network and Information Security of Securities Companies (2023-2025)" (hereinafter the "Survey"). This means that the industry's investment and construction achievements in technology security over the past three years will face a "major examination" based on 71 specific indicators.

Refined into 71 specific tasks

It is understood that the Survey focuses on the six core areas of the Security Enhancement Plan: continuously raising the level of technology governance, establishing a scientific and reasonable technology investment mechanism, strengthening control over information system architecture planning, strengthening system development and testing management capabilities, consolidating system operation assurance capabilities, and improving the information security protection system, refining these into 71 specific tasks.

Notably, these 71 tasks are explicitly divided into "work tasks" and "encouraged ...
Securities Association of China fully launches the securities firms' network security "final exam"; achievements in six areas face systematic review
21 Shi Ji Jing Ji Bao Dao· 2026-02-04 07:51
21st Century Business Herald reporter Cui Wenjing

The Securities Association of China recently issued to securities companies the "Three-Year Enhancement Plan for Network and Information Security of Securities Companies (2023-2025)" (hereinafter the "Plan"), requiring each securities company to submit the survey questionnaire through the data reporting system before February 15, 2026.

This survey focuses on the degree of completion of hard indicators, and distills transferable experience through quantitative data and typical cases.

The questionnaire sets out six evaluation areas: technology governance level, a scientific and reasonable technology investment mechanism, control over information system architecture planning, system development and testing management capability, system operation assurance capability, and the information security protection system. Each area contains between 2 and 8 key tasks, which securities firms are required to self-inspect item by item.

For example, when judging whether an evaluation item is "completed", the standard must be full compliance on every point; for unfinished items, firms must briefly analyse the reasons and explain the impact in no more than 100 characters; for completed work, the improvement must be demonstrated with quantitative data.

Notably, the questionnaire includes a dedicated "key achievement cases" section, requiring firms to compile 1 to 2 practical cases that highlight the key indicators of improved security capability.

The evaluation begins by targeting the top-level design and execution effectiveness of securities firms' technology governance.

The questionnaire first focuses on the planning and dynamic evolution of technology strategy, examining whether firms have deeply integrated network and information security into the company's overall IT strategy development plan and formed a clear implementation path.

A sound governance structure is the guarantee that strategy is implemented. The evaluation examines in depth whether securities firms have established ...
8 cases of network security violations disclosed! Facing digital transformation, how can futures companies isolate risk?
Qi Huo Ri Bao· 2025-09-01 23:42
Core Insights
- The digital transformation of futures companies has accelerated significantly in recent years, but this has also increased risks related to network and information security [1]
- Balancing business development with compliance and security has become a critical challenge for futures companies [1]

Regulatory Compliance and Risk Management
- As of August this year, there have been 8 cases of penalties related to network and information security issues involving external software and information access by futures companies [2]
- Common violations include lack of compliance assessments for external systems, inadequate preservation of compliance materials, and insufficient due diligence on clients [2]
- Futures companies are integrating external access management into their compliance risk control systems, establishing comprehensive management mechanisms for access testing and transaction monitoring [5]

External Access Models
- Futures companies provide three main models for external access:
  1. Common trading terminal software, where clients do not need additional testing after initial access testing by the company
  2. For mid-to-low frequency quantitative clients with simpler strategies, connection through self-developed programs or third-party platforms
  3. High-frequency clients deploy their strategies in exchange-hosted data centers because of their strict latency requirements [3]

Security Measures
- To ensure system stability and data security with external access, futures companies employ four main strategies:
  1. Technical security measures, including advanced encryption algorithms and strict identity authentication
  2. Compliance measures, ensuring adherence to regulatory requirements during API access for algorithmic trading
  3. Establishing transaction risk monitoring systems to detect anomalies in real time
  4. Ensuring fund security through strict account management and fund warning mechanisms [4]

Challenges and Recommendations
- The futures industry faces challenges in IT investment costs and competitive pressures for customer acquisition [6]
- Regulatory requirements for network and information security are becoming more stringent, necessitating a balance between business growth and risk management [7]
- It is recommended that futures companies form cross-departmental decision-making teams to evaluate business proposals from various perspectives and ensure effective communication [8]

Enhancing Compliance Capabilities
- Futures companies should improve their systems and processes based on relevant laws, including the Cybersecurity Law and Data Security Law, to cover all aspects of network information security [9]
- Regular training and simulations for employees on the latest security regulations and common cyber-attack methods are essential [9]
- Investment in advanced security technologies, including firewalls and intrusion detection systems, should be prioritized [9]

Industry Collaboration
- Futures companies should maintain close communication with regulatory bodies to stay updated on the latest regulations and compliance requirements [10]
- Participation in industry associations and training activities can enhance the overall network and information security management capabilities [10]
Futures companies continue to improve network and information security management
Qi Huo Ri Bao Wang· 2025-09-01 17:38
Core Viewpoint
- The rapid digital transformation of futures companies has led to increased risks in network and information security, necessitating a balance between business development and compliance safety [1].

Group 1: Compliance and Risk Management
- As of August 2023, there have been 8 cases of penalties related to network and information security issues involving external software and information access by futures companies [2].
- Key violations include lack of compliance assessments for external systems, inadequate preservation of compliance materials, and insufficient due diligence for client access [2].
- Futures companies are integrating external access management into their compliance risk control systems, establishing comprehensive management mechanisms for access testing and transaction monitoring [5].

Group 2: External Access Models
- Futures companies provide three main external access models: common trading terminal software, self-developed or third-party platforms for low-frequency clients, and high-frequency trading setups requiring low latency [3].
- Different trading desks are offered to meet market demands based on the access model used by clients [3].

Group 3: Security Measures
- To ensure system stability and data security with external access, futures companies employ four main strategies: technical security measures, compliance protocols, transaction risk monitoring systems, and stringent fund security management [4].
- Companies conduct thorough evaluations of third-party technology suppliers, requiring documentation such as business licenses and product quality certifications [4].

Group 4: Challenges and Recommendations
- The high IT investment costs and competitive pressures for customer acquisition pose challenges for futures companies in enhancing network and information security [6].
- Regulatory measures are becoming more detailed, with new regulations like the "Trial Measures for Programmatic Trading Management in the Futures Market" being introduced [6].
- A cross-departmental decision-making team is recommended to balance business needs and risk isolation, ensuring effective communication and collaboration among departments [7].

Group 5: Enhancing Compliance Capabilities
- Futures companies should improve their systems and processes based on relevant laws, including the Cybersecurity Law and Data Security Law, to cover all aspects of network information security [9].
- Regular training and simulations of network attack scenarios are suggested to enhance compliance awareness and skills among employees [9].
- Investment in advanced security technologies and the establishment of a robust emergency response mechanism are crucial for improving security management [9].

Group 6: Industry Collaboration
- Futures companies are encouraged to maintain close communication with regulatory bodies to stay updated on the latest regulations and compliance requirements [10].
- Participation in industry associations and training activities is vital for understanding industry trends and enhancing network and information security management [10].
Network and information security education
2025-07-16 06:13
Summary of Key Points from the Conference Call

Industry Focus
- The conference primarily focuses on the **financial technology** sector, specifically addressing **network security** and **data protection** within the financial industry.

Core Insights and Arguments
1. **Importance of Network Security**: The speaker emphasizes that network security is not solely the responsibility of the technical department but is a critical concern for every practitioner and investor in the financial sector [1][2][3].
2. **Weak Passwords**: The discussion highlights the dangers of weak passwords, defined as passwords that are easily guessable or crackable by automated tools, which are compared to leaving a house key under the doormat [2][5].
3. **Common Password Patterns**: The speaker outlines common password patterns that are frequently exploited by attackers, including simple sequences, repeated characters, and combinations of personal information [3][4][5].
4. **Password Management Techniques**: Recommendations for creating strong passwords include using passphrases, incorporating a mix of character types, and avoiding common patterns and personal information [10][11][12][13].
5. **Password Security Statistics**: The top passwords from 2020 and 2024 are discussed, showing a concerning trend of repeated use of weak passwords among users [9].
6. **Password Attacks**: Various attack methods are described, including password spraying, dictionary attacks, and brute force attacks, which exploit the commonality of weak passwords [7][8][17].
7. **Consequences of Weak Passwords**: The potentially catastrophic consequences of using weak passwords, especially for system administrators, are highlighted, including data breaches and significant financial losses [6][17].
8. **Phishing Attacks**: The conference also covers phishing tactics, including email and SMS phishing, which exploit human psychology to deceive users into revealing sensitive information [21][22][23][24].
9. **User Awareness and Education**: The importance of user education in recognizing phishing attempts and maintaining good password hygiene is stressed, with practical tips provided [19][20][26][27][28].

Other Important but Overlooked Content
1. **Default Password Risks**: The dangers of using default passwords on devices are discussed, emphasizing that many users fail to change these settings, creating vulnerabilities [18].
2. **Multi-Factor Authentication**: The necessity of implementing multi-factor authentication as an additional security layer is mentioned, particularly in corporate environments [15][20].
3. **Password Management Tools**: While password managers are suggested for securely storing and generating complex passwords, caution is advised regarding their own security [14].
4. **Regular Updates and Vigilance**: The need for regular software updates and maintaining vigilance against suspicious communications is highlighted as essential for enhancing overall security [27][28].

This summary encapsulates the critical points discussed during the conference, focusing on the financial technology industry's challenges and strategies related to network security and password management.