Licensing · 2026-01-31
HKMA Cyber Resilience Testing for Banks: Simulated Attacks and Defence Capability Assessment
The Hong Kong Monetary Authority (HKMA) has tightened its stance on cyber resilience for the banking sector. The 2024 “Cybersecurity Fortification Initiative” (CFI) 2.0, effective from 1 January 2025, requires every authorised institution (AI) to conduct at least one simulated attack exercise against its critical systems each year. This is not a best-practice recommendation. It is a supervisory requirement under the HKMA’s Supervisory Policy Manual (SPM) module “SA-2: Cybersecurity”. AIs that fail to demonstrate adequate defence capabilities face specific regulatory actions, including heightened supervisory oversight, capital add-ons, or restrictions on outsourcing new technology services. The 2025-2026 regulatory cycle is the first full assessment period under CFI 2.0, and the HKMA has indicated it will conduct thematic examinations on the quality, not just the completion, of these tests.
The Regulatory Framework for Cyber Resilience Testing
The HKMA’s authority to mandate cyber resilience testing derives from the Banking Ordinance (Cap. 155). Section 59(2) empowers the Monetary Authority to issue guidelines and directives on risk management, including operational and cyber risks. The SPM module “SA-2: Cybersecurity”, updated in October 2024, provides the specific testing requirements.
Step 1: Identify the applicable testing regime. The HKMA classifies AIs into three tiers based on systemic importance and digital asset exposure. Tier 1 AIs—those with HK$30 billion or more in total assets or that offer virtual asset services—must conduct at least one full-scope simulated attack exercise annually. Tier 2 AIs (assets between HK$10 billion and HK$30 billion) must conduct one exercise every two years. Tier 3 AIs (assets below HK$10 billion) must conduct a desktop-based exercise every two years.
Step 2: Understand the three mandatory test types. The CFI 2.0 framework specifies three distinct exercises:
- Tabletop Exercise (TTX): A discussion-based session testing incident response procedures and decision-making under a simulated cyber-attack scenario. This is mandatory for all tiers.
- Adversarial Attack Simulation (AAS): A controlled, manual attack simulation by an independent third party against the AI’s production or near-production environment. This is mandatory for Tier 1 and Tier 2 AIs.
- Penetration Testing: Automated and manual testing of specific systems, applications, and network perimeters. This is required for all tiers, with the scope defined by the AI’s risk assessment.
Step 3: Document the test results. The HKMA requires a formal report for each test, including the attack scenario, findings, and a remediation plan with specific timelines. The report must be submitted to the HKMA’s Banking Supervision Department within 30 business days of the exercise’s completion.
Conducting a Simulated Attack Exercise: The AAS Protocol
The Adversarial Attack Simulation (AAS) is the most intensive test under CFI 2.0. The HKMA has adopted a standard based on the MITRE ATT&CK framework, but with Hong Kong-specific threat profiles.
The test scope must cover the AI’s critical functions. The HKMA defines these as any system whose failure or compromise would materially impact the AI’s financial soundness, operational stability, or ability to meet regulatory obligations. This includes core banking platforms, payment and settlement systems, the e-Banking portal (for retail and corporate customers), and the internal data centre or cloud infrastructure.
The test must be conducted by an independent third party. The HKMA explicitly prohibits AIs from using their internal cybersecurity team to conduct the AAS. The independent party must hold a recognised certification (e.g., CREST, OSCP, or GIAC) and must not have provided the AI with any other cybersecurity services within the 12 months preceding the test. This rule is designed to prevent conflicts of interest and ensure an objective assessment.
The test scenario is pre-approved by the HKMA. The AI must submit a test plan to the HKMA at least 60 business days before the exercise. The plan must describe the attack scenario, the systems in scope, the rules of engagement (including what actions are prohibited, such as causing data loss or disrupting production services), and the expected duration. The HKMA will review and approve the plan within 30 business days. The HKMA may request modifications to the scenario to align with current threat intelligence.
Defence Capability Assessment: Beyond the Test
Completing the test is only the first step. The HKMA’s 2025 circular “TM-G-1: Management of Cyber Resilience” requires AIs to demonstrate a continuous defence capability assessment. This is a separate, ongoing process from the annual or biennial test.
The AI must maintain a “cyber defence maturity score.” The HKMA provides a standard scoring matrix based on five domains: Identify, Protect, Detect, Respond, and Recover (aligned with the NIST Cybersecurity Framework, but adapted for Hong Kong). Each domain is scored from 1 (Initial) to 5 (Optimised). AIs must achieve a minimum score of 3 (Defined) in all domains by 31 December 2026. Tier 1 AIs must achieve a score of 4 (Managed) in the Detect and Respond domains.
The score is validated through an annual self-assessment and a triennial independent audit. The AI must submit its self-assessment to the HKMA each year. Every third year, an external auditor (registered with the Hong Kong Institute of Certified Public Accountants and holding a cybersecurity qualification) must perform an independent audit of the AI’s cyber defence maturity score. The audit report must be submitted within 90 days of the fiscal year-end.
The HKMA may initiate a “deficiency notice” process. If the HKMA determines that an AI’s defence capability is inadequate—based on the test results, the maturity score, or a thematic examination—it will issue a formal deficiency notice. The AI then has 60 business days to submit a remediation plan. Failure to meet the plan’s milestones can result in the HKMA imposing a capital surcharge under Section 68 of the Banking Ordinance (Cap. 155). As of 2024, the HKMA has issued deficiency notices to three Tier 1 AIs for cyber resilience shortfalls, though the specific institutions were not named in public circulars.
The Role of Third-Party Service Providers and Cloud
The HKMA’s CFI 2.0 framework explicitly addresses the cyber resilience of third-party service providers, including cloud service providers (CSPs). This is a critical point for AIs that outsource significant technology functions.
The AI is responsible for the cyber resilience of its entire supply chain. The HKMA’s SPM module “SA-2” states that the AI must ensure that any third-party provider handling its data or critical functions is subject to the same testing and defence capability requirements. This means the AI must contractually require the provider to conduct its own AAS or penetration testing, and the AI must have the right to audit those results.
Cloud-specific testing requirements apply. For AIs using public cloud infrastructure (e.g., AWS, Azure, GCP), the HKMA requires a “shared responsibility model” for testing. The CSP is responsible for the security of the cloud infrastructure; the AI is responsible for the security of its data and applications running on that cloud. The AI must conduct a separate AAS against its cloud-deployed systems, including configuration reviews and identity and access management (IAM) testing. The HKMA has issued a specific circular, “CCOP-1: Cloud Computing,” which provides detailed guidance on this point.
The test must include the AI’s incident response coordination with the provider. The tabletop exercise (TTX) must include a scenario where the AI and its primary CSP must jointly respond to a cyber-attack. The HKMA expects the AI to have a pre-agreed communication protocol and a joint incident response plan with the provider. The TTX must validate this plan.
Actionable Takeaways
- Schedule your 2025 AAS immediately. The HKMA requires a 60-business-day pre-approval period for the test plan, meaning a test in late 2025 requires a plan submission by mid-2025.
- Hire an independent tester now. The 12-month cooling-off period for other services means you cannot use a vendor that provided any cybersecurity service to your AI in 2024 for the 2025 AAS.
- Audit your third-party contracts. Ensure all cloud and IT outsourcing agreements contain a clause requiring the provider to submit to the same CFI 2.0 testing regime and grant the AI audit rights.
- Calculate your cyber defence maturity score. Use the HKMA’s scoring matrix to identify gaps in the Detect and Respond domains, which require a higher score for Tier 1 AIs by 31 December 2026.
- Document every test result and remediation step. The HKMA’s deficiency notice process is triggered by inadequate documentation, not just poor test performance.
This does not constitute legal advice. Consult a solicitor for your specific case.