SFC Circular dated 2 Jun 2026 urges licensed firms to enhance cybersecurity against AI-enabled threats, citing a rise in cyber incidents to 15,877 in 2025 from 12,536 in 2024, and outlines measures including patching, access controls, and incident response.
This article was generated using SAMS, an AI technology by Timothy Loh LLP.
SFC Regulation of Virtual Asset Trading Platforms: The Emerging Hong Kong Framework
SFC proposes new regulation of virtual assets through licensing of operators of cryptocurrency and other digital asset trading platforms
Market Misconduct Tribunal: A Guide to Penalties and Other Consequences for Misuse of Insider Information
Market Misconduct Tribunal proceedings for mishandling of insider information can result in fines and disgorgement orders
SPOTLIGHT ON
FAMILY OFFICES
On June 02, 2026, the Securities and Futures Commission ("SFC") issued a circular to licensed corporations ("LCs"), SFC-licensed virtual asset service providers ("VATPs") and associated entities (collectively referred to as 'licensed firms') to review and enhance cybersecurity measures. This follows an increase in cybersecurity incidents in Hong Kong, which rose to 15,877 in 2025 from 12,536 in 2024 according to the Hong Kong Computer Emergency Response Team Coordination Centre.
Cybersecurity Risk Landscape and Asset Management
Recent developments in AI capabilities may significantly reduce the expertise, cost, and time needed to identify and exploit vulnerabilities. Licensed firms should take note of the increase in sophistication and frequency of cyberattacks, where frontier AI models can identify security flaws known as 'zero-day vulnerabilities' and systematically identify multiple 'lower risk-rated' vulnerabilities. 'Lower risk-rated' vulnerabilities refer to vulnerabilities which, if exploited, would result in minimal impact on the firm. These models can also operate across multiple interconnected systems and orchestrate large-scale attacks. The time interval between the identification or disclosure of a vulnerability and its exploitation by threat actors is rapidly diminishing. Licensed firms should enhance and expedite their patch and vulnerability management processes to minimise the window of exposure to potential attacks. Licensed firms are expected to maintain an accurate and up-to-date inventory of their technology assets and components, including hardware, software, network infrastructure, databases and cloud services. Firms should identify which assets and services are externally exposed, business critical (referred to as 'business critical components'), or dependent on third party components.
AI Integration and Vulnerability Mitigation
Licensed firms are reminded that the use of AI language models in their operations may amplify existing cyber risks and introduce additional risks. These include risks arising from adversarial attacks against AI language models, data leakage and system prompt override. Firms should ensure that the associated cybersecurity risks are addressed in their cybersecurity framework and incident handling arrangements, taking into account the core principles set out in November 2024 Circular dated 12 November 2024. Licensed firms should review and enhance their patching and vulnerability management processes, taking prompt actions to address known vulnerabilities and implement adequate policies and procedures for handling urgent and critical fixes.
Network Architecture and Access Controls
Licensed firms should design system controls based on the assumption that any user, device, privileged account or network component may be compromised. A network which follows this design principle may be referred to as a 'zero-trust network' under which access is not implicitly trusted based solely on network location or user status. In particular, they should implement robust access and privilege controls and minimise attack surfaces. To reduce the risk that untrusted inputs or unauthorised users may manipulate systems or workflows, licensed firms should: (i) enforce least-privilege access to all business critical components, including limiting connectors and tool permissions to what is necessary for the intended use case and implement adequate measures to safeguard privileged accounts. This refers to accounts with elevated rights allowing them to access a firm’s network, systems, servers and devices and to, among other things, modify system configurations, manage other user accounts and account rights and revise client data; (ii) enhance firewalls and network segmentation. In particular, licensed firms should implement micro network segmentation where feasible to limit lateral movement capabilities across networks and systems; (iii) treat external and untrusted inputs, including content retrieved from apps, emails, documents and webpages, as potentially adversarial and prevent such inputs from directly altering system instructions or triggering privileged actions; and (iv) apply maker-checker controls for high-impact actions.
Threat Monitoring and Incident Response
Licensed firms should strengthen their threat detection and monitoring of anomalies in client trading activities and system activities to ensure they are commensurate with the evolving threat environment. They should also improve their threat intelligence gathering capability. Firms should implement proper procedures to address AI-enabled threats targeting third-party service providers that support their critical operations and business critical components (third-party service providers). Licensed firms should review and enhance their cybersecurity incident handling procedures and contingency plans. Firms should establish adequate escalation and reporting mechanisms and consider pre-planned containment and exploit-interruption strategies. Licensed firms should regularly test their cybersecurity incident handling procedures and contingency plans through tabletop exercises, simulated attacks or other appropriate means to assess the effectiveness of these procedures and plans.
Data Backup and Regulatory Reporting
Licensed firms should back up business records, client and transaction databases, and supporting documentation on a regular basis. LCs engaged in electronic trading and VATPs are required to back up such records and data at least on a daily basis. LCs engaged in electronic trading (see paragraph 18.2(d) of the Code of Conduct for Persons Licensed by or Registered with the Securities and Futures Commission (Code of Conduct)) and VATPs are required to back up such records and data at least on a daily basis. Licensed firms should also promptly notify the SFC of material cybersecurity incidents and attacks as required under the Code of Conduct (Paragraph 12.5(e)) and the VATP Guidelines (Paragraphs 16.7(b) and (c)). The SFC will continue to monitor developments in this area and maintain close dialogue with the industry, key technology service providers and other regulators. The SFC may issue further guidance, conduct reviews to assess licensed firms’ preparedness and resilience in responding to cybersecurity incidents, or take supervisory action where appropriate, in light of the evolving risks.
View the full article:Source
