On June 02, 2026, the SFC urged licensed firms to enhance cybersecurity against AI-enabled threats following a 27% rise in cyberattacks in Hong Kong.
This article was generated using SAMS, an AI technology by Timothy Loh LLP.
SFC Regulation of Virtual Asset Trading Platforms: The Emerging Hong Kong Framework
SFC proposes new regulation of virtual assets through licensing of operators of cryptocurrency and other digital asset trading platforms
Market Misconduct Tribunal: A Guide to Penalties and Other Consequences for Misuse of Insider Information
Market Misconduct Tribunal proceedings for mishandling of insider information can result in fines and disgorgement orders
SPOTLIGHT ON
FAMILY OFFICES
Regulatory Update on AI-Enhanced Cybersecurity Threats
On June 02, 2026, the Securities and Futures Commission ("SFC") issued a circular calling upon licensed firms to strengthen cybersecurity measures against emerging threats enabled by frontier artificial intelligence ("AI") models. With cyberattacks evolving locally and globally, Hong Kong recorded a double-digit increase in overall cyberattack incidents last year. The SFC warns that fast-advancing frontier AI models have the potential to enable more frequent, targeted and sophisticated cyberattacks, which could result in significant operational disruptions and risks for licensed firms, their staff and clients.
Risk Landscape and Compliance Obligations
The SFC noted that recent advancements in AI have made it easier for malicious actors to identify and exploit system vulnerabilities at a faster pace, coordinate attacks across multiple interconnected systems and orchestrate large-scale attacks. At the same time, the proliferation of AI-enabled tools lowers the barriers for them to engage in phishing, social engineering, deepfake impersonation and reconnaissance. Consequently, licensed firms are exposed to heightened cybersecurity risks. In today’s circular, the SFC urges licensed firms, especially internet brokers and virtual asset trading platforms, to implement robust and up-to-date measures to protect their systems, prevent confidential client information from unauthorised access or disclosure, and safeguard client assets against misappropriation.
Framework Enhancement and Management Responsibility
In addition, the SFC sets out areas for licensed firms to review and enhance their cybersecurity frameworks to ensure they remain up-to-date and effective. These areas include patching and vulnerability management, detection and monitoring measures, as well as incident response and recovery. 'Cybersecurity risk is one of the major challenges facing the financial industry and remains a top supervisory focus of the SFC in its oversight of licensed firms,' said Dr Eric Yip, the SFC’s Executive Director of Intermediaries. 'As frontier AI models become more powerful and accessible, AI-enabled cyber threats are set to accelerate and complicate the tasks to detect and contain them. Senior management of licensed firms should shoulder primary responsibilities in gatekeeping firms’ cyber resilience and the security of client assets.'
Supervisory Engagement and Future Actions
The SFC will continue to engage with the industry, technology service providers and local and overseas regulators on this issue. As part of its ongoing efforts, the SFC will organise webinars to raise industry awareness, conduct thematic reviews to assess licensed firms’ preparedness and resilience in responding to cybersecurity incidents and attacks, and take appropriate supervisory action in response to these evolving risks.
Definitions and Statistical Context
Regarding definitions, 'Licensed firms' collectively refer to licensed corporations, SFC-licensed virtual asset service providers and their associated entities. According to data from the Hong Kong Computer Emergency Response Team Coordination Centre, cyberattack incidents increased 27% to 15,877 in 2025 from 12,536 in 2024.
View the full article:Source
