Hong Kong Securities and Futures Commission flags eight material cybersecurity breaches at licensed firms and sets expected standards in thematic review report

The Hong Kong Securities and Futures Commission (SFC) has published its Report on the 2023/24 Thematic Cybersecurity Review of Licensed Corporations, highlighting recent material cybersecurity incidents at licensed corporations (LCs) that led to significant business disruptions and the hacking of client accounts, and setting out the standard of conduct it expects firms to meet in key risk areas. The report notes eight material cybersecurity breaches reported to the SFC between 2021 and 2024. In some cases, fraudsters gained control of client accounts after infiltrating LCs’ networks through security loopholes and then conducted unauthorised trades. Common weaknesses included the use of end-of-life software and weak encryption algorithms for client data, which the SFC links to insufficient senior management oversight and inadequate cybersecurity controls. To address emerging risks, the report sets expectations for phishing detection and prevention, end-of-life software management, remote access, management of third-party IT service providers and cloud security. The SFC and the Hong Kong Police Force will host cybersecurity webinars in February to share findings and common threats. The SFC also plans a comprehensive review of existing cybersecurity requirements and expected standards in 2025 to develop an industry-wide cybersecurity framework for LCs.