Leading Independent Hong Kong Law Firm

SFC flags cybersecurity incidents involving licensed firms and resulting business disruptions in thematic review report

Feb 5, 2025

On February 6, 2025, the SFC reported eight significant cybersecurity incidents involving licensed corporations ("LCs") from 2021 to 2024, highlighting the importance of senior management oversight and adequate controls. The SFC also outlined expected standards for LCs to address emerging cybersecurity risks and announced plans for future reviews.

This article was generated using SAMS, an AI technology by Timothy Loh LLP.

On February 6, 2025, the Securities and Futures Commission ("SFC") reported eight substantial cybersecurity incidents involving licensed corporations ("LCs") over the period 2021 to 2024. These incidents resulted in significant business disruptions, unauthorized trading in client accounts, and data breaches due to vulnerabilities in network security, outdated software, and weak encryption methods.

The report underscored the inadequate oversight by senior management and the insufficient control over cybersecurity measures among the LCs. To mitigate emerging cybersecurity threats, the SFC outlined mandatory standards for LCs, including requirements for phishing detection, end-of-life software management, remote access security, third-party IT service provider oversight, and cloud security.

The SFC emphasized that senior executives must acknowledge the paramount importance of safeguarding their firms' cybersecurity and that this responsibility cannot be solely entrusted to the IT department.

Furthermore, the SFC, in collaboration with the Hong Kong Police Force, will host cybersecurity webinars in February 2025 to discuss the findings of a thematic review and address common cybersecurity threats in Hong Kong.

In addition, the SFC intends to conduct another comprehensive review of existing cybersecurity requirements and standards in 2025 to develop an industry-wide cybersecurity framework. This framework will provide guidance to LCs on more effectively managing cybersecurity risks.
