Licensing · 2025-12-18

Cybersecurity Guidance for Hong Kong Financial Services: SFC Expectations for Cyber Resilience

The Hong Kong Securities and Futures Commission (SFC) has made cybersecurity a stated enforcement priority for 2025-2026. Following a series of high-profile data breaches at licensed corporations in 2023 and 2024, the SFC issued a revised Circular to Licensed Corporations on Cybersecurity on 12 October 2024, which took immediate effect. This circular replaced the previous 2017 guidance and introduces mandatory baseline requirements for all licensed firms, not just those handling client assets. The SFC’s enhanced focus is also reflected in the 2024-2025 annual report, which recorded a 40% increase in cybersecurity-related deficiency findings during routine inspections. For any firm holding a Type 1 (dealing in securities), Type 2 (dealing in futures contracts), Type 4 (advising on securities), Type 5 (advising on futures contracts), Type 7 (automated trading services), Type 8 (securities margin financing), or Type 9 (asset management) licence, compliance with these expectations is now a baseline requirement for maintaining regulatory fitness and properness under the Securities and Futures Ordinance (Cap. 571).

The SFC’s Revised Cybersecurity Framework

The SFC’s October 2024 circular establishes a structured framework built on three core pillars: governance, prevention, and response. Each pillar carries specific mandatory requirements that licensed corporations must implement and document.

Governance: Board and Senior Management Accountability

The SFC now requires the board of directors or an equivalent governing body to assume direct responsibility for cybersecurity. The circular specifies that the board must approve the firm’s cybersecurity policy at least annually. This policy must define roles and responsibilities for the management committee, the Chief Information Officer (or equivalent), and the designated cybersecurity officer.

The legislation provides that senior management must allocate adequate resources for cybersecurity measures. The SFC expects this to be demonstrated through a documented budget that covers software, hardware, personnel, and external testing. Firms with fewer than 10 employees may delegate implementation to a designated compliance officer, but the board retains ultimate accountability.

The circular also requires a formal cybersecurity risk assessment to be conducted at least once every 12 months. This assessment must cover all systems that store, process, or transmit client data or trading information. The assessment results must be presented to the board, and any identified high-risk gaps must be remediated within 90 days.

Prevention: Baseline Technical Controls

The SFC’s 2024 circular mandates specific technical controls that go beyond generic best practice. Licensed corporations must implement multi-factor authentication (MFA) for all remote access to internal systems, including virtual private network (VPN) connections, email, and any cloud-based applications that handle client data. The SFC explicitly states that SMS-based one-time passwords are not considered sufficient for MFA; firms must use app-based authenticators or hardware tokens.

Network segmentation is another mandatory requirement. The circular requires that client-facing systems, such as trading platforms, be separated from internal administrative networks. The SFC’s inspection manual, published in March 2025, provides further detail: firms must maintain a network architecture diagram that identifies all data flows and access points, and this diagram must be reviewed by an independent external assessor every two years.

Data encryption is required for all client data at rest and in transit. The SFC specifies that encryption keys must be stored separately from the encrypted data, and access to keys must be logged and audited. For firms using cloud service providers, the circular requires a contractual clause that grants the SFC or its appointed auditor direct access to the provider’s data centre and security logs.

Incident Response: Mandatory Reporting and Testing

The SFC’s circular introduces a mandatory incident response plan (IRP) that must be tested through a tabletop exercise at least once every 12 months. The IRP must include specific procedures for containing a breach, preserving forensic evidence, notifying affected clients, and reporting to the SFC.

The reporting timeline is strict. Licensed corporations must notify the SFC’s Enforcement Division within one hour of becoming aware of a cybersecurity incident that results in any of the following: unauthorised access to client data, disruption of trading systems for more than 30 minutes, or any ransomware attack that affects system availability. The initial notification can be verbal or by email, but a written incident report must follow within 24 hours.

The SFC also requires a post-incident review to be completed within 30 days. This review must identify the root cause, the effectiveness of the response, and any changes required to prevent recurrence. The review report must be submitted to the board and retained for at least seven years.

Practical Compliance Steps for Licensed Corporations

Meeting the SFC’s expectations requires a systematic approach. The following steps are derived from the circular and from common findings in recent SFC inspections.

Step 1: Conduct a Gap Analysis Against the 2024 Circular

Every licensed corporation should compare its current cybersecurity posture against the mandatory requirements in the October 2024 circular. The SFC’s inspection manual lists the following common deficiencies identified in 2024: absence of a board-approved cybersecurity policy, lack of MFA on administrative accounts, and failure to conduct annual penetration testing. A gap analysis should document each requirement, the current status, and a remediation timeline.

Firms that have not yet conducted a third-party penetration test should prioritise this. The circular requires that an independent external party conduct a penetration test at least once every 24 months. The test must cover all internet-facing systems, internal networks, and any third-party integrations that handle client data. The test report must be provided to the SFC upon request.

Step 2: Formalise the Incident Response Plan

The SFC expects the IRP to be a living document, not a static file. The plan should name specific individuals and their backups for each response role. The tabletop exercise must simulate a realistic scenario, such as a ransomware attack that encrypts a trading database. The exercise should test communication channels, decision-making under time pressure, and coordination with external parties such as the Hong Kong Police Force’s Cyber Security and Technology Crime Bureau (CSTCB).

The IRP must also include a client notification template. The SFC’s circular states that clients must be notified within 72 hours of a breach that involves their personal data, in line with the Personal Data (Privacy) Ordinance (Cap. 486). The notification must include the nature of the breach, the data involved, and steps the client should take.

Step 3: Document Third-Party Vendor Management

The SFC’s 2024 circular explicitly addresses third-party risk. Licensed corporations must maintain an inventory of all third-party vendors that have access to client data or trading systems. For each vendor, the firm must conduct a due diligence assessment covering the vendor’s cybersecurity certifications, incident history, and data handling practices.

The circular requires that contracts with vendors include a right-to-audit clause. This clause must allow the licensed corporation, the SFC, or an appointed auditor to inspect the vendor’s facilities and security controls. The SFC’s 2024 annual report noted that 35% of cybersecurity incidents at licensed firms originated from a third-party vendor, making this a high-risk area.

Enforcement and Consequences of Non-Compliance

The SFC has demonstrated a willingness to take enforcement action against firms that fail to meet cybersecurity standards. The consequences range from regulatory fines to licence suspension.

Regulatory Fines and Public Reprimands

In 2024, the SFC fined a licensed corporation HK$4 million for failing to implement MFA on its trading platform, which resulted in a client account being compromised. The SFC’s statement of disciplinary action cited a breach of the Code of Conduct for Persons Licensed by or Registered with the SFC (paragraph 12.1), which requires licensed persons to maintain adequate internal controls. The SFC also issued a public reprimand against a second firm for failing to conduct annual penetration testing for three consecutive years.

The SFC’s enforcement approach follows a graduated scale. A first-time deficiency may result in a warning letter and a requirement to submit a remediation plan. Repeated or systemic failures attract fines, conditions on the licence, or, in the most serious cases, suspension or revocation of the licence. The SFC’s 2024-2025 annual report states that cybersecurity-related enforcement cases increased by 60% compared to the previous year.

Impact on Licence Applications

The SFC’s Licensing Department now includes cybersecurity readiness as a factor in assessing a firm’s fitness and properness. During the application process for a new licence or a material change in existing licence conditions, the SFC may request a copy of the applicant’s cybersecurity policy, penetration test results, and incident response plan.

The SFC’s Licensing Handbook, updated in January 2025, states that applicants must demonstrate that they have adequate systems and controls to protect client data from the date of licensing. This is particularly relevant for fintech firms and virtual asset trading platforms, where the SFC expects a higher level of technical sophistication. A failure to provide satisfactory cybersecurity documentation can delay or deny a licence application.

For firms that are also regulated by the Hong Kong Monetary Authority (HKMA), such as licensed banks with securities dealing arms, the SFC’s circular operates alongside the HKMA’s Cybersecurity Fortification Initiative (CFI), introduced in 2016 and updated in 2023. The CFI requires banks to implement the C-RAF (Cybersecurity Resilience Assessment Framework) and to participate in the Cyber Intelligence Sharing Platform (CISP). The SFC’s circular does not override the CFI; firms subject to both regimes must comply with the higher standard.

Actionable Takeaways

  1. Licensed corporations must ensure their board of directors has formally approved a cybersecurity policy that meets the mandatory requirements of the SFC’s October 2024 circular, including annual risk assessments and penetration testing.
  2. Multi-factor authentication using app-based authenticators or hardware tokens must be implemented for all remote access to systems handling client data, and SMS-based OTP is no longer considered sufficient.
  3. An incident response plan must be tested through a tabletop exercise at least annually, and the SFC must be notified within one hour of any incident involving unauthorised data access, trading system disruption, or ransomware.
  4. Third-party vendors with access to client data must be subject to due diligence and a contractual right-to-audit clause, as 35% of cybersecurity incidents in 2024 originated from vendor breaches.
  5. Firms applying for a new SFC licence must prepare to demonstrate their cybersecurity readiness, including penetration test results and an incident response plan, as the Licensing Department now considers this a factor in fitness and properness assessments.

This does not constitute legal advice. Consult a solicitor for your specific case.