Key Takeaways:

  1. Growing Cybersecurity Threats for Licensed Firms: The Securities and Futures Commission (SFC) has reported a sharp rise in cybersecurity incidents, with eight major breaches occurring between 2021 and 2024. These incidents resulted in unauthorized trades, compromised client accounts, and significant operational disruptions.
  2. Gaps in Cybersecurity Practices: The SFC uncovered critical weaknesses in licensed corporations’ (LCs) cybersecurity frameworks, including reliance on outdated software, inadequate encryption, and insufficient oversight by senior management, leaving firms exposed to cyber threats.
  3. Updated Cybersecurity Standards: To address these challenges, the SFC has introduced new conduct standards for LCs, focusing on areas like phishing prevention, remote access management, and cloud security. The commission emphasizes that cybersecurity is a top-level responsibility, not just an IT issue.
  4. Ongoing Initiatives to Strengthen Cybersecurity: The SFC, in collaboration with the Hong Kong Police Force, is organizing webinars to educate firms and provide actionable insights. A comprehensive review planned for 2025 will further refine cybersecurity requirements and establish a unified industry framework.


Deep Dive
The escalating threat of cybersecurity breaches has become a pressing concern for licensed corporations (LCs) in Hong Kong. The Securities and Futures Commission (SFC) recently released its 2023/24 Thematic Cybersecurity Review, revealing a troubling increase in significant cybersecurity incidents over the past few years. The findings paint a grim picture.

From 2021 to 2024, the SFC documented eight major breaches, each with serious consequences. Unauthorized trades, hacked client accounts, and operational standstills were among the outcomes, highlighting the vulnerabilities in LCs’ cybersecurity defenses. The root cause? Inadequate cybersecurity measures.

The report identified several critical weaknesses, including the use of unsupported software (which no longer receives security updates) and weak encryption protocols. These gaps created opportunities for cybercriminals to exploit. However, the issue extends beyond technology: senior management’s lack of oversight and failure to prioritize cybersecurity measures played a significant role.

In response to these escalating threats, the SFC has established a set of conduct standards for licensed firms. These guidelines address key areas such as phishing detection, remote access controls, third-party IT vendor management, and cloud security. The goal is to help firms strengthen their defenses against increasingly sophisticated cyberattacks that threaten the financial sector.

“Licensed firms must take all necessary steps to protect themselves from these threats,” stated Dr. Eric Yip, the SFC’s Executive Director of Intermediaries. “Neglecting cybersecurity not only endangers your firm but also jeopardizes client safety and the overall stability of the financial system.”

The SFC’s report outlines clear expectations for firms, from enhancing phishing prevention to managing third-party IT services and securing cloud-based systems. Dr. Yip emphasized that cybersecurity is a leadership responsibility, not just a technical task for IT teams.

“We cannot afford to delay action,” he added. “The digital landscape is becoming increasingly complex, and without proactive measures, the consequences could be devastating.”

To support firms in improving their cybersecurity posture, the SFC, in partnership with the Hong Kong Police Force, is hosting a series of webinars in February. These sessions will delve into common threats faced by Hong Kong firms and provide practical strategies to enhance defenses.

Looking ahead, the SFC plans to conduct a comprehensive review in 2025 to refine cybersecurity requirements and develop a standardized framework for the industry. The aim is to embed cybersecurity risk management as a core operational practice for all licensed firms.

In conclusion, cybersecurity is no longer optional—it is a necessity. As Hong Kong’s financial sector continues to embrace digital transformation, licensed firms must prioritize cybersecurity to safeguard their operations, protect clients, and maintain trust in the financial system. The SFC has provided the roadmap; now it’s up to firms to take action—or face the consequences of inaction.