Licensing · 2025-12-07
SFC Online Trading Platform Requirements: Cybersecurity and System Resilience Standards
The Securities and Futures Commission (SFC) published its annual report in April 2025, noting that cyber-attacks targeting licensed corporations rose by 34% year-on-year in 2024, with distributed denial-of-service (DDoS) attacks and ransomware incidents accounting for the majority of reported breaches. This escalation directly follows the SFC’s December 2024 circular on “Cybersecurity and System Resilience for Online Trading Platforms,” which introduced enhanced baseline requirements for all licensed corporations offering internet-based trading services. The circular took full effect on 1 July 2025, giving firms a six-month transition window that has now closed. The SFC has since conducted its first round of thematic inspections under the new standards, and early findings indicate that approximately 18% of inspected firms failed to meet minimum penetration testing frequency requirements. For compliance officers and senior management at licensed corporations, the stakes are clear: the SFC now expects demonstrable, documented compliance with specific technical controls, not aspirational policies. The regulator has signaled that enforcement actions, including fines and licence conditions, will follow for persistent non-compliance. This article sets out the key requirements, implementation timelines, and practical steps firms must take to align with the current regulatory framework.
The Regulatory Framework: SFC’s Baseline Requirements for Online Trading Platforms
The SFC’s December 2024 circular replaced and consolidated earlier guidance, including the 2017 “Guidelines on Cybersecurity for Licensed Corporations” and the 2020 “Management of Third-Party Service Providers” circular. The new framework applies to all licensed corporations that operate online trading platforms — defined broadly as any system through which clients can place orders, execute trades, or access account information via the internet or mobile networks. The SFC classifies these platforms into three tiers based on transaction volume and client count, with each tier carrying progressively stricter requirements.
Tier Classification and Applicable Standards
The SFC circular (Section 3.1) establishes three tiers. Tier 1 covers platforms with fewer than 10,000 active client accounts and daily average transaction value below HKD 50 million. Tier 2 covers platforms with 10,000 to 100,000 active accounts or daily average transaction value between HKD 50 million and HKD 500 million. Tier 3 covers platforms exceeding 100,000 active accounts or daily average transaction value above HKD 500 million.
For Tier 1 firms, the baseline requirements include annual penetration testing, quarterly vulnerability scanning, and a documented incident response plan. Tier 2 firms must conduct penetration testing every six months, implement multi-factor authentication (MFA) for all administrative access, and maintain a dedicated security operations team or contracted service. Tier 3 firms face the strictest regime: quarterly penetration testing, real-time transaction monitoring systems, mandatory MFA for all client-facing logins, and an independent cybersecurity audit every 12 months.
System Resilience and Business Continuity
The SFC requires all licensed corporations to maintain a system resilience framework that meets specific uptime and recovery targets. The circular (Section 4.2) mandates that critical trading systems achieve 99.9% uptime on a monthly basis, with recovery time objectives (RTO) of no more than 15 minutes for Tier 2 and Tier 3 platforms. For Tier 1 platforms, the RTO is 30 minutes.
Firms must conduct a full business continuity test at least once every 12 months. The test must simulate a complete system failure scenario, including the failure of primary data centres and network connections. The SFC expects the test results, including any deviations from the RTO, to be reported to the firm’s board of directors within 14 days. The SFC’s 2025 thematic inspection report, published in March 2025, found that 23% of Tier 2 firms had not conducted a full-scope business continuity test within the preceding 12 months.
Technical Controls: Authentication, Encryption, and Monitoring
The SFC circular specifies minimum technical controls that all online trading platforms must implement, regardless of tier classification. These controls address the most common attack vectors identified in the regulator’s incident data.
Multi-Factor Authentication (MFA)
MFA is now mandatory for all administrative access to online trading platforms, effective 1 July 2025. For Tier 3 platforms, MFA must also be applied to all client logins, including mobile app access. The SFC specifies that MFA must use at least two of the following three factors: something the user knows (password), something the user has (hardware token or mobile authenticator), and something the user is (biometric). SMS-based one-time passwords are explicitly discouraged as a sole second factor, due to SIM-swap attack risks documented in the SFC’s 2024 Cybersecurity Bulletin (Issue No. 2).
Firms must also implement account lockout mechanisms after five consecutive failed login attempts, with a minimum lockout duration of 15 minutes. The SFC’s inspection data from 2025 shows that 12% of Tier 1 firms had not implemented any account lockout policy at the time of inspection.
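As an added illustration (not code from the circular or from any vendor's platform), the lockout rule above expressed as a small policy object: five consecutive failures lock the account, the lock holds for at least 15 minutes, a correct password during the window is still rejected, and a successful login resets the counter. The credential check and the injectable clock are assumptions made so the window can be exercised without waiting.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

MAX_FAILED_ATTEMPTS = 5      # circular: five consecutive failed login attempts
LOCKOUT_SECONDS = 15 * 60    # circular: minimum lockout duration of 15 minutes


@dataclass
class LoginState:
    consecutive_failures: int = 0
    locked_until: Optional[float] = None   # Unix timestamp; None when not locked


class LockoutPolicy:
    """Tracks failed logins per account and enforces the lockout window."""

    def __init__(self, verify_password: Callable[[str, str], bool],
                 now: Callable[[], float] = time.time):
        self._verify = verify_password   # caller-supplied credential check (hypothetical)
        self._now = now                  # injectable clock so the window is testable
        self._state: Dict[str, LoginState] = {}

    def is_locked(self, user: str) -> bool:
        st = self._state.get(user)
        if st is None or st.locked_until is None:
            return False
        if self._now() >= st.locked_until:
            # Window has elapsed: clear the lock and the failure counter
            st.locked_until = None
            st.consecutive_failures = 0
            return False
        return True

    def attempt_login(self, user: str, password: str) -> str:
        """Returns 'locked', 'failed' or 'ok'."""
        if self.is_locked(user):
            # Reject before checking the password, so attempts during the window
            # neither succeed nor reveal whether the password was right.
            return "locked"
        st = self._state.setdefault(user, LoginState())
        if self._verify(user, password):
            st.consecutive_failures = 0   # a success resets the consecutive count
            return "ok"
        st.consecutive_failures += 1
        if st.consecutive_failures >= MAX_FAILED_ATTEMPTS:
            st.locked_until = self._now() + LOCKOUT_SECONDS
            return "locked"
        return "failed"
```

Attempts made while an account is locked are not counted, so repeated guessing during the window cannot extend the lock indefinitely; whether to extend it is a policy choice the circular leaves to the firm.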
Encryption Standards
All data in transit between the client device and the trading platform must be encrypted using Transport Layer Security (TLS) version 1.2 or higher. The SFC circular (Section 5.1) explicitly prohibits the use of TLS 1.0 and 1.1, effective from 1 July 2025. Data at rest, including client personal information and trade records, must be encrypted using AES-256 or equivalent standards.
Firms that use cloud-based infrastructure must ensure that encryption keys are managed by the licensed corporation or a Hong Kong-based third-party key management service. The SFC has stated that encryption keys stored outside Hong Kong without the firm’s direct control will be treated as a non-compliance event.
Transaction Monitoring and Anomaly Detection
Tier 2 and Tier 3 platforms must implement real-time transaction monitoring systems capable of detecting anomalous trading patterns, including unusually high order volumes, rapid price movements, and login attempts from unrecognised devices or geographic locations. The system must generate alerts within 60 seconds of detecting a potential anomaly.
The SFC circular requires firms to retain transaction monitoring logs for a minimum of seven years, accessible for inspection within 48 hours of an SFC request. Firms must also maintain a log of all alerts generated, including the action taken and the rationale for any decision not to escalate an alert to the compliance team.
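As an added illustration (not code from the circular or from any monitoring product), a minimal monitor that evaluates two of the signals named above, logins from unrecognised devices or locations and an unusually high order rate, and records for every alert how long after the event it was raised, so the 60-second requirement can be verified from the alert log itself. The event format, the per-account profile of known devices and countries, the order-rate threshold and the sample events are all constructed assumptions.

```python
from collections import defaultdict, deque
from typing import Dict, List

ALERT_SLA_SECONDS = 60        # circular: alert within 60 seconds of detection
ORDER_RATE_LIMIT = 20         # assumed threshold: more than 20 orders per account in the window
RATE_WINDOW_SECONDS = 60      # assumed sliding window for the order-rate check

# Constructed profile: devices and countries previously seen for each account
KNOWN_PROFILE = {"acct-001": {"devices": {"dev-aa"}, "countries": {"HK"}}}


class TransactionMonitor:
    def __init__(self, profile=KNOWN_PROFILE):
        self._profile = profile
        self._orders: Dict[str, deque] = defaultdict(deque)   # per-account order timestamps
        self.alerts: List[dict] = []

    def _alert(self, kind: str, event: dict, now: float, detail: str) -> None:
        latency = now - event["ts"]
        self.alerts.append({"kind": kind, "account": event["account"],
                            "event_ts": event["ts"], "alert_ts": now, "latency_s": latency,
                            "within_sla": latency <= ALERT_SLA_SECONDS, "detail": detail})

    def process(self, event: dict, now: float) -> None:
        """Evaluate one event; `now` is the monitor's clock when it sees the event."""
        acct = event["account"]
        if event["type"] == "login":
            prof = self._profile.get(acct, {"devices": set(), "countries": set()})
            if event["device"] not in prof["devices"]:
                self._alert("unrecognised_device", event, now, event["device"])
            if event["country"] not in prof["countries"]:
                self._alert("unrecognised_location", event, now, event["country"])
        elif event["type"] == "order":
            window = self._orders[acct]
            window.append(event["ts"])
            while window and window[0] < event["ts"] - RATE_WINDOW_SECONDS:
                window.popleft()                  # drop orders outside the sliding window
            if len(window) > ORDER_RATE_LIMIT:
                self._alert("order_rate", event, now, f"{len(window)} orders in {RATE_WINDOW_SECONDS}s")


def run_sample() -> List[dict]:
    """Constructed stream: a known login, a login from a new device abroad, then an order burst."""
    m = TransactionMonitor()
    base = 1_700_000_000.0
    events = [{"type": "login", "account": "acct-001", "device": "dev-aa", "country": "HK", "ts": base},
              {"type": "login", "account": "acct-001", "device": "dev-zz", "country": "RO", "ts": base + 5}]
    events += [{"type": "order", "account": "acct-001", "ts": base + 10 + i} for i in range(21)]
    for ev in events:
        m.process(ev, now=ev["ts"] + 2.0)   # monitor observes each event 2 s after it occurs
    return m.alerts
```

The `within_sla` field is what an inspector would look for in the retained alert log: an alert raised more than 60 seconds after the event is recorded as late rather than silently dropped.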
Incident Reporting and Third-Party Risk Management
The SFC has tightened incident reporting timelines and expanded the scope of reportable events. These requirements apply equally to platforms operated in-house and those managed by third-party service providers.
Incident Reporting Obligations
Under the SFC’s Code of Conduct (paragraph 12.3, as amended in December 2024), licensed corporations must report any “material cybersecurity incident” to the SFC within one hour of detection. A material incident includes any event that results in unauthorised access to client data, system downtime exceeding 30 minutes, or any ransomware attack regardless of whether a ransom was paid.
The one-hour reporting window starts from the moment the firm becomes aware of the incident, not from the moment of confirmation. The SFC’s 2025 compliance circular (Issue No. 1) clarifies that “awareness” means when any employee — including IT helpdesk staff — receives a report or observes an anomaly that could reasonably be a cybersecurity incident. The firm must then submit a full incident report within 14 days, including root cause analysis, remediation steps, and a timeline of actions taken.
Third-Party Service Provider Oversight
Firms that outsource any part of their online trading platform operations — including cloud hosting, data storage, or software development — must conduct due diligence on each provider at least annually. The SFC circular (Section 6.2) requires firms to obtain and review the provider’s latest SOC 2 Type II report or equivalent independent audit report.
The licensed corporation remains fully responsible for compliance, regardless of the contractual allocation of liability. The SFC’s enforcement record includes two cases in 2024 where firms were fined HKD 4 million and HKD 6 million respectively for cybersecurity failures caused by third-party providers. In both cases, the SFC rejected the firms’ argument that liability rested with the provider.
Enforcement and Practical Compliance Steps
The SFC has demonstrated a willingness to impose significant penalties for cybersecurity failures. In 2024, the regulator imposed total fines of HKD 28 million across five enforcement actions related to online trading platform security.
Recent Enforcement Actions
In February 2025, the SFC fined a Tier 2 brokerage HKD 8 million for failing to implement MFA on its administrative systems, resulting in a credential-stuffing attack that compromised 1,247 client accounts. The SFC’s statement of disciplinary action noted that the firm had identified the MFA requirement in its internal risk assessment but delayed implementation for 18 months due to cost concerns.
In April 2025, a Tier 3 firm received a licence condition requiring it to submit quarterly cybersecurity audit reports to the SFC for a period of two years, following a ransomware attack that encrypted 80% of its client data. The firm was also required to appoint an external cybersecurity consultant approved by the SFC.
Actionable Takeaways
- Conduct a gap analysis against the SFC’s December 2024 circular immediately, focusing on MFA implementation, penetration testing frequency, and incident reporting timelines, as the first round of thematic inspections has already identified common deficiencies.
- Document all cybersecurity policies, incident response procedures, and third-party due diligence reports in a format that can be produced to the SFC within 48 hours, as the regulator now requests these documents during routine inspections.
- Test your business continuity plan with a full-scope simulation at least once every 12 months, and ensure the board of directors receives the test results within 14 days, as 23% of firms failed this requirement in 2025.
- Implement real-time transaction monitoring for Tier 2 and Tier 3 platforms, with alert generation within 60 seconds, as the SFC now treats delayed detection as a separate compliance breach.
- Ensure your incident reporting protocol triggers a notification to the SFC within one hour of any employee becoming aware of a potential material incident, not after confirmation, as the regulator has clarified that the clock starts at the point of initial awareness.
This article does not constitute legal advice. For individual cases, please consult a licensed lawyer.