Licences · 2026-01-26
SFC Business Continuity Testing for Financial Institutions: Designing and Evaluating Simulation Exercises
On 21 February 2025, the Securities and Futures Commission (SFC) issued a circular to all licensed corporations on technology resilience requirements, effective from 1 July 2025. This circular explicitly requires licensed corporations to conduct at least one business continuity (BC) simulation exercise annually that tests the firm’s ability to operate from a secondary site under a realistic major disruption scenario. The 2025 circular builds on the SFC’s earlier Guidelines for Reducing and Mitigating Hacking Risks Associated with Internet Trading (2023) and the Code of Conduct (Cap. 571, subsidiary legislation). The trigger for this regulatory tightening was the series of system outages at several Hong Kong brokers in late 2024, during which the SFC found that firms had not tested their failover procedures in over 18 months. For any financial institution holding a Type 1 (dealing in securities), Type 2 (dealing in futures contracts), or Type 4 (advising on securities) licence, this is not a recommendation — it is a mandatory compliance requirement. The SFC has stated that it will inspect BC simulation records during routine on-site inspections and that deficiencies in this area may result in licensing conditions or enforcement action. This article provides a practical framework for designing and evaluating BC simulation exercises that meet the SFC’s 2025 standards.
Why Simulation Exercises Differ from Tabletop Drills
The SFC’s 2025 circular draws a clear distinction between a tabletop drill and a simulation exercise. A tabletop drill involves key personnel discussing a hypothetical scenario in a meeting room, without actual system failover or data recovery. The SFC considers this insufficient. A simulation exercise, by contrast, requires the actual activation of the secondary site, the physical or virtual relocation of staff, and the execution of live trading or settlement processes from the backup environment.
Step 1: Define the Scope of the Simulation
The legislation provides that the simulation must cover the firm’s “critical business functions” as defined in its own business impact analysis (BIA). The SFC expects each firm to have a BIA that identifies which functions — such as order routing, trade matching, client asset segregation, and regulatory reporting — cannot tolerate more than a four-hour outage. The simulation must test all functions classified as “critical” or “high” in the BIA.
You should document the scope in a written simulation plan. The plan must list each system to be tested, the specific data sets to be recovered, and the maximum acceptable recovery time objective (RTO) and recovery point objective (RPO) for each. For example, the RTO for client order entry systems should not exceed 30 minutes, and the RPO should be no more than five minutes of data loss.
Step 2: Design the Scenario
The SFC circular requires that the scenario be “realistic and severe.” You should base the scenario on a genuine threat that could affect Hong Kong operations. Common scenarios include a ransomware attack that encrypts the primary trading server, a fire or flood in the data centre that hosts the primary site, or a prolonged internet service provider outage in a specific district such as Tsuen Wan or Kwun Tong.
The scenario must include a time pressure element. The SFC expects the simulation to begin with a notification that the primary site is unavailable, and the incident response team must make the decision to activate the BC plan within a defined window — typically 15 to 30 minutes. The scenario should also include secondary complications, such as the unavailability of two key staff members or a corrupted backup file.
Conducting the Simulation Exercise
Once the scope and scenario are defined, the execution phase begins. The SFC expects the simulation to be observed by an independent assessor — someone who was not involved in designing the exercise and who does not hold a direct operational role in the functions being tested.
Step 3: Activate the BC Plan
The procedure is that the incident response team receives the simulated notification and must follow the firm’s documented BC plan step by step. The team must initiate the failover to the secondary site, which may be a hot site (fully mirrored and ready to take over immediately), a warm site (systems installed but requiring data restoration), or a cold site (empty space requiring full setup). The SFC’s 2023 Guidelines for Reducing and Mitigating Hacking Risks state that firms handling client assets should maintain at least a warm site with a failover time of under two hours.
During activation, the assessor records the actual time taken to achieve each milestone: notification acknowledgement, decision to activate, initiation of failover, completion of data synchronisation, and resumption of trading or settlement. The firm must compare these actual times against the RTOs and RPOs stated in the BIA.
Step 4: Execute Live Transactions
A simulation exercise is not complete until the firm processes actual or simulated transactions from the secondary site. The SFC expects the firm to submit at least one trade, one settlement instruction, and one client asset movement through the backup environment. If the firm operates a dealing desk or algorithmic trading system, the simulation must include the execution of at least one automated trade.
The Hong Kong Monetary Authority (HKMA), which regulates licensed banks that also hold SFC licences, issued a circular in 2024 requiring all authorised institutions to test cross-border payment and settlement systems in their BC simulations. If your firm performs both SFC-regulated activities and banking activities, you should coordinate the simulation to satisfy both regulators simultaneously.
Evaluating the Simulation Results
The evaluation phase is where the firm identifies gaps and implements corrective actions. The SFC’s 2025 circular requires a written post-exercise report within 30 calendar days of the simulation.
Step 5: Measure Against the BIA
The evaluation must compare actual recovery times against the RTOs and RPOs set in the BIA. If the actual time to restore the order routing system was 45 minutes but the RTO was 30 minutes, this is a compliance gap. The firm must document the root cause — for example, the secondary site’s network bandwidth was insufficient, or the backup tape was corrupted.
The assessor’s report should include a quantitative score for each tested function: “met” (within RTO and RPO), “partially met” (exceeded RTO or RPO by less than 50%), or “failed” (exceeded RTO or RPO by more than 50% or function not restored at all). The SFC expects any “failed” function to be retested within 90 days.
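The rubric above can be applied mechanically to the milestone times the assessor records in Step 3. The Python sketch below is an added example, not code from the SFC or from this article; the function names, BIA targets and assessor log are constructed for illustration. It assumes that an overrun of exactly 50%, which the rubric leaves unclassified and which is where the 45-minute versus 30-minute example in this step lands, counts as "failed", and that the 90-day retest window runs from the exercise date.

```python
from datetime import date, datetime, timedelta

# Constructed sample data: BIA targets in minutes (names and values illustrative).
BIA = {
    "order_routing":     {"rto": 30,  "rpo": 5},
    "settlement":        {"rto": 120, "rpo": 15},
    "regulatory_report": {"rto": 240, "rpo": 60},
}
# Constructed assessor log: resumption time and measured data loss (minutes).
# resumed=None means the function was never restored during the exercise.
T0 = datetime(2025, 9, 6, 9, 0)  # simulated notification time
LOG = {
    "order_routing":     {"resumed": T0 + timedelta(minutes=45),  "data_loss": 4},
    "settlement":        {"resumed": T0 + timedelta(minutes=150), "data_loss": 15},
    "regulatory_report": {"resumed": None,                        "data_loss": None},
}

def overrun(actual, target):
    """Fraction by which actual exceeds target (0.0 when within target)."""
    return max(0.0, (actual - target) / target)

def score(target, entry, notified=T0):
    """Apply the met / partially met / failed rubric to one function."""
    if entry is None or entry["resumed"] is None:
        return "failed"  # untested or not restored at all
    actual_rto = (entry["resumed"] - notified).total_seconds() / 60
    worst = max(overrun(actual_rto, target["rto"]),
                overrun(entry["data_loss"], target["rpo"]))
    if worst == 0.0:
        return "met"
    # Assumption: an overrun of exactly 50% is treated as "failed".
    return "partially met" if worst < 0.5 else "failed"

def evaluate(exercise_day, bia=BIA, log=LOG):
    """Score every BIA function and derive the follow-up deadlines."""
    scores = {name: score(bia[name], log.get(name)) for name in bia}
    return {
        "scores": scores,
        "report_due": exercise_day + timedelta(days=30),
        # Assumption: the 90-day retest window starts on the exercise date.
        "retest_due": {n: exercise_day + timedelta(days=90)
                       for n, s in scores.items() if s == "failed"},
    }

if __name__ == "__main__":
    for key, value in evaluate(date(2025, 9, 6)).items():
        print(key, value)
```

A function listed in the BIA but missing from the assessor log is scored "failed", so an incomplete exercise cannot pass by omission.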
Step 6: Identify Procedural Failures
Beyond technology, the evaluation must assess human factors. Did the incident response team know who to call? Did the communication tree work within the time limit? Were the contact details for the data centre, internet service provider, and key vendors up to date? The SFC’s 2023 Guidelines specifically require that firms maintain a current list of emergency contacts and that this list be tested at least quarterly.
The evaluation report should include a section on “lessons learned” that lists specific procedural improvements. For example, the report might recommend that the BC plan be updated to include a secondary communication channel — such as a WhatsApp group or satellite phone — in case the primary email system is unavailable.
Documentation and Regulatory Submission
The SFC does not require firms to submit simulation reports proactively, but the reports must be available for inspection upon request. The firm must retain all BC simulation records for at least seven years, as required by Section 130 of the Securities and Futures Ordinance (Cap. 571).
Step 7: Maintain a Simulation Log
The firm should maintain a central log that records the date, scenario, systems tested, participants, assessor’s name, and overall outcome of each simulation. This log serves as evidence during SFC inspections. The SFC has stated that it will ask for the log covering the most recent three years.
Step 8: Integrate Findings into the Annual BC Plan Review
The SFC’s 2025 circular requires that the firm’s overall BC plan be reviewed and updated at least annually. The findings from each simulation exercise must feed into this annual review. If the simulation revealed that the secondary site’s power supply was insufficient, the firm must either upgrade the power supply or revise the RTO to reflect the actual capability. The updated BC plan must be approved by the firm’s board of directors or its delegated risk committee.
Actionable Takeaways
- Schedule your first mandatory BC simulation exercise before 1 July 2025, and ensure it tests actual failover to a secondary site, not just a tabletop discussion.
- Document a written simulation plan that specifies the RTO and RPO for each critical business function as defined in your BIA.
- Appoint an independent assessor who has no operational role in the functions being tested to observe and report on the simulation.
- Prepare a post-exercise report within 30 days that quantifies gaps against the BIA and includes a root-cause analysis for any failed functions.
- Retain all simulation records, including the log, scenario design, and assessor’s report, for at least seven years as required by the Securities and Futures Ordinance.
This does not constitute legal advice. Consult a solicitor for your specific case.