Securities industry collectively calls a halt: at least 20 securities firms prohibit "raising shrimp" on company networks.
With features such as local execution and autonomous operation, OpenClaw quickly gained popularity. However, the security risks that come with its widespread adoption have raised alarms across the industry.
In the securities industry, while some are still following the trend of "raising shrimp" (running OpenClaw), the industry as a whole has pressed the emergency pause button.
Reporters learned that starting today, securities firms have issued internal compliance reminders or notices related to "crayfish," clearly restricting installation, usage, and access. At least 20 securities firms have joined the prevention effort. Industry insiders predict that more securities firms will issue related compliance reminders in the next two days. Some IT professionals said, "The reminder was just written this afternoon, and it will probably be posted on the intranet tonight."
Prohibiting downloads or requiring reporting is a hard requirement. In terms of coverage, this prevention and control effort is not the action of an individual institution but an industry-wide, unified response, stemming directly from the official risk notification of the Cyberspace Administration of China and the Ministry of Industry and Information Technology. OpenClaw, as a representative of agent-based AI, adopts a local-first architecture and is granted high-level permissions such as file reading and writing, command execution, and tool takeover. However, it has obvious security design flaws, and regulators have clearly identified it as a high-risk application.
For the securities industry, customer information, transaction data, and research results are all core sensitive assets, and any terminal vulnerabilities can lead to serious consequences such as data leaks and system breaches. Once the regulatory warning was issued, all securities firms responded immediately, fearing being the last to step on a landmine.
Prohibit unauthorized installation, require approval and reporting, and uninstall for rectification
Will the "raising shrimp fever" in the securities industry cool overnight? It doesn't seem so.
Overall, faced with security risks, securities firms generally adopt a control strategy of "prohibition as the main measure, approval as a supplementary measure, and strict accountability." The vast majority of securities firms explicitly prohibit employees from installing, deploying, or using OpenClaw without permission in the company's office network, business network, and all kinds of information systems. The prohibition covers company-issued computers, laptops, servers, and mobile office devices, and also restricts personal devices running this tool from accessing the company's network, cutting off risk entry points at both the network and the terminal.
As of now, two typical control models have emerged in the industry:
1. Strict control type. Installation and usage must be suspended immediately, employees who have installed it must uninstall it immediately, and personal computers must undergo self-inspection and cleanup before connecting to the company's network. Violations will be dealt with strictly according to the regulations.
2. Process approval type. If it is necessary to use it for research, testing, or business purposes, an application must be submitted through the OA system and undergo tripartite review by department heads, compliance departments, and information technology departments. The application must also report the deployment reasons, responsible persons, device IP and MAC addresses, and public network access conditions. Approved usage scenarios must implement reinforcement measures such as network isolation, mandatory authentication, and least-privilege control, and those who have deployed it privately must complete the approval process.
Several securities firms have clearly stated in their notifications that those who install and use it privately or fail to implement security measures as required, leading to security incidents, will be held accountable according to company regulations.
Not all members have issued notices
The reporter also noticed that while there is intense prevention and control, there is also a clear differentiation within the industry, with some securities firms not issuing notifications concurrently. This "prohibition of shrimp" has also exposed the gap in the digital construction of securities firms.
One type of institution, mainly top securities firms, has already established an external software interception mechanism based on early trust establishment and terminal control systems. These securities firms have whitelists for external software installation on office terminals, preventing the installation of unapproved programs, and they also have real-time monitoring and auto-blocking capabilities, enabling risk prevention without the need for additional notifications.
Another type of institution, mainly small securities firms, has not followed the "raising shrimp" trend due to reasons such as IT resource investment and system iteration pace. The penetration rate of employee usage is low, and there are no immediate security risks, so they have not yet issued special notifications. A securities industry insider said, "Our company had little IT investment to begin with, so something like 'crayfish' will just pass by for us."
This differentiation also reflects the unevenness in the digital construction of the securities industry. Top institutions and securities firms that emphasize IT investment have completed basic infrastructure such as terminal security, network isolation, and permission control earlier, enabling a more composed response to the risk of new AI tools; some small and medium-sized institutions still rely on traditional methods such as post-event notifications and manual inspections, and their technical control capabilities still need improvement.
Industry jointly seeks boundaries of AI tools
In the view of an IT professional, the industry's prevention and control effort triggered by OpenClaw is not a denial of AI technology, but a landmark event in which the securities industry seeks balance between technological innovation and compliance security. "After all, for securities firms, even the most attractive 'crayfish' cannot compare to compliance security."
Overall, the securities industry maintains an open attitude towards new AI tools, supporting efficiency improvements in areas such as investment research, customer service, and operations, but adhering to the principle of "safety first, compliance access." Faced with rapidly iterating AI products, institutions and practitioners need to develop risk awareness, avoid blindly following trends and unauthorized deployments, and only proceed with trials and research once safety is confirmed and processes are compliant.
Taking this incident as an opportunity, the securities industry is starting to further clarify the core rules for using AI tools: physically isolating sensitive business systems and strictly prohibiting AI from accessing customer privacy, transaction data, and core research information; strictly implementing the principle of least privilege, not granting system permissions beyond what is necessary for business operations; insisting on manual final review in key business processes, such as investment recommendations, trade execution, and customer service; and strengthening human-machine collaboration and full-process risk control, with all operations leaving traces and being traceable and auditable.
This article is reproduced from "Caijing Media"; GMTEight Editor: Li Fu.