SFC Flags Cybersecurity Incidents in Licensed Firms, Highlighting Risks to Business Continuity & Client Security
Key Takeaways:
- Rising Cybersecurity Risks for Licensed Firms: The Securities and Futures Commission (SFC) highlighted a significant increase in cybersecurity incidents, with eight major breaches between 2021 and 2024, leading to unauthorized trades, hacked accounts, and operational disruptions.
- Weaknesses in Cybersecurity Measures: The SFC identified vulnerabilities in licensed corporations’ (LCs) cybersecurity practices, such as the use of outdated software, weak encryption, and insufficient oversight by senior management, creating opportunities for cybercriminals.
- New Cybersecurity Standards and Expectations: In response to the rising threats, the SFC has outlined conduct standards for LCs, covering areas like phishing prevention, remote access controls, and cloud security, stressing that cybersecurity is a responsibility for senior management, not just the IT department.
- Ongoing Efforts to Improve Cybersecurity: The SFC, in partnership with the Hong Kong Police Force, is hosting webinars to raise awareness and provide practical guidance for firms. Additionally, a 2025 review will refine cybersecurity requirements and create a more comprehensive industry framework.
Deep Dive
The reality of cybersecurity risks has hit home for many licensed corporations (LCs) in Hong Kong. The Securities and Futures Commission (SFC) recently unveiled findings from its latest 2023/24 Thematic Cybersecurity Review, shedding light on the alarming rise of material cybersecurity incidents in recent years. And the results? Not pretty.
Between 2021 and 2024, eight significant breaches were reported to the SFC, and for the firms involved the fallout was severe: unauthorized trades, compromised client accounts, and business operations ground to a halt. The common denominator? Gaps in the LCs' own cybersecurity measures, or the lack of them.
The report points to weak links in network security that made it far too easy for fraudsters to get in. A common thread across the incidents was end-of-life software, which no longer receives security patches, combined with weak encryption algorithms. But the problem isn't only technical: in these cases, senior management had let the vulnerabilities go unchecked.
In a digital world where attacks grow more sophisticated by the day, the SFC isn't just raising red flags; it's demanding action. In response, the SFC has laid out a set of expected conduct standards for licensed firms, covering areas such as phishing detection and prevention, remote access controls, third-party IT service provider management, and cloud security, to guide firms in fortifying their defenses in today's interconnected financial landscape.
“Licensed firms must take all necessary measures to fend off these attacks,” said Dr. Eric Yip, the SFC’s Executive Director of Intermediaries. “Failing to address the growing threat puts not just your firm at risk, but your clients’ security and, ultimately, the integrity of the financial system.”
To help firms step up their game, the report spells these expectations out in detail as a framework for defending against a cyber landscape that keeps getting more dangerous. It's a wake-up call for senior management, too: Dr. Yip stressed that cybersecurity can't be a task relegated solely to the IT department. It's time for leadership to take charge.
“We can’t afford to sit on our hands any longer,” he added. “The digital landscape is only going to become more complicated, and if we don’t act now, the consequences could be far-reaching.”
As part of its ongoing efforts to raise awareness, the SFC is partnering with the Hong Kong Police Force to host a series of cybersecurity webinars this February. These sessions will go beyond the report’s findings, diving deeper into common threats facing firms in Hong Kong and offering practical advice to bolster defenses.
The SFC is gearing up for another review in 2025, aiming to refine existing cybersecurity requirements and create an industry-wide framework for LCs. The goal is to make managing cybersecurity risks not just a best practice, but a central pillar of how firms operate moving forward.
In short, cybersecurity is no longer a "nice-to-have" but a "must-have." As Hong Kong's financial sector continues to evolve in the digital age, licensed firms need to step up to the challenge and make cybersecurity a priority. The SFC has laid out the roadmap; now it's time for firms to follow it, or risk being left behind.
Published by the GRC Report, a news source covering governance, risk, and compliance.