The Securities and Futures Commission (SFC) today issued a circular calling upon licensed firms to strengthen their cybersecurity measures against emerging threats enabled by frontier artificial intelligence (AI) models (Note 1).
The AI-enabled cyber threats came to the fore as cyberattacks continued to evolve locally and globally. Notably, Hong Kong recorded a double-digit increase in overall cyberattack incidents last year (Note 2). Against this backdrop, the SFC warns in the circular that fast-advancing frontier AI models have the potential to enable more frequent, targeted and sophisticated cyberattacks, which could result in significant operational disruptions and risks for licensed firms, their staff and clients.
The SFC also noted that recent advancements in AI have made it easier for malicious actors to identify and exploit system vulnerabilities at a faster pace, coordinate attacks across multiple interconnected systems and orchestrate large-scale attacks. At the same time, the proliferation of AI-enabled tools lowers the barriers for them to engage in phishing, social engineering, deepfake impersonation and reconnaissance. Consequently, licensed firms are exposed to heightened cybersecurity risks.
In today’s circular, the SFC urges licensed firms, especially internet brokers and virtual asset trading platforms, to implement robust and up-to-date measures to protect their systems, prevent confidential client information from unauthorised access or disclosure, and safeguard client assets against misappropriation.
In addition, the SFC sets out areas for licensed firms to review and enhance their cybersecurity frameworks to ensure they remain up-to-date and effective. These areas include patching and vulnerability management, detection and monitoring measures, as well as incident response and recovery.
“Cybersecurity risk is one of the major challenges facing the financial industry and remains a top supervisory focus of the SFC in its oversight of licensed firms,” said Dr Eric Yip, the SFC’s Executive Director of Intermediaries. “As frontier AI models become more powerful and accessible, AI-enabled cyber threats are set to accelerate and complicate the tasks to detect and contain them. Senior management of licensed firms should shoulder primary responsibilities in gatekeeping firms’ cyber resilience and the security of client assets.”
The SFC will continue to engage with the industry, technology service providers and local and overseas regulators on this issue. As part of its ongoing efforts, the SFC will organise webinars to raise industry awareness, conduct thematic reviews to assess licensed firms’ preparedness and resilience in responding to cybersecurity incidents and attacks, and take appropriate supervisory action in response to these evolving risks.
Notes:
1. “Licensed firms” collectively refer to licensed corporations, SFC-licensed virtual asset service providers and their associated entities.
2. Cyberattack incidents increased 27% to 15,877 in 2025 from 12,536 in 2024 according to data from the Hong Kong Computer Emergency Response Team Coordination Centre.