The Securities and Futures Commission (SFC) issued a circular on 23 March 2016 (Circular) to all licensed corporations (LCs) following its recent review of cybersecurity within selected larger LCs. The Circular sets out the SFC’s key areas of concern and recommended cybersecurity controls which the LCs are expected to follow. Separately, the Chief Executive of the Hong Kong Monetary Authority (HKMA) also recently announced the establishment of the Cyber Security Programme for the banking industry following the establishment of its Fintech Facilitation Office. These recent developments highlight the Hong Kong regulators’ collective focus on cybersecurity.

SFC’s key areas of concern

Whilst the SFC found that most of the LCs under review have prioritised resources for maintaining cybersecurity controls, it identified the following key areas of concern:

  1. Inadequate coverage of cybersecurity risk assessment exercises (eg, cybersecurity risk assessments do not cover the latest cybersecurity threat landscape);
  2. Inadequate cybersecurity risk assessment of service providers (eg, lack of formal procedures or guidelines detailing requirements of conducting cybersecurity risk assessment or on-site audits on service providers);
  3. Insufficient cybersecurity awareness training (eg, the content of the training is not updated with the latest cybersecurity related issues);
  4. Inadequate cybersecurity incident management arrangements (eg, performing drills or simulation exercises on a global level without involving the local LCs in Hong Kong); and
  5. Inadequate data protection programs (eg, failing to address the latest cybersecurity threat landscape).

Further details on the above areas of concern are set out in the Appendix to the Circular. LCs should take heed of these areas when reviewing their cybersecurity risks and implementing enhanced controls that are designed to counter such risks.

SFC’s suggested cybersecurity controls

Based on the key areas of concern identified and with reference to the sound and effective cybersecurity controls adopted by some larger sized LCs, the SFC sets out a detailed list of “suggested cybersecurity controls” which LCs should carefully consider. We have summarised below the most important “suggested cybersecurity controls” grouped under the following eight categories. For further details, please refer to the Appendix to the Circular.

The SFC expects LCs to take appropriate measures (including seeking advice from external contracted vendors if they do not possess such expertise and/or resources in-house) to critically review and assess the effectiveness of their cybersecurity controls.

HKMA’s Cyber Security Programme

The Chief Executive of the HKMA announced in a public speech (in Chinese only) the establishment of its new Fintech Facilitation Office (FFO) on 21 March 2016. An English article by the HKMA based on the speech is available here. Given that one of the functions of the FFO is to promote research in Fintech solutions (with cybersecurity being one of its two key topics for research), the HKMA is developing a Cyber Security Programme for the banking industry which shall include:

  1. developing an assessment framework and model in respect of banks’ ability to address cybersecurity risks;
  2. developing a training and certification programme for professional recognition of cybersecurity practitioners;
  3. co-operating with the banking industry to establish a new platform for sharing of cybersecurity intelligence.

Details about the work progress of the FFO (which is expected to include the Cyber Security Programme) will be provided at the Cyber Security Framework Symposium in Hong Kong in mid-May.


Cybersecurity has been increasingly viewed by Hong Kong regulators as a matter of priority, in light of the ongoing occurrence of cybersecurity incidents across the financial services industry. Given the SFC’s specific focus on LCs’ “cybersecurity preparedness”, it is important for LCs to properly review their existing cybersecurity framework and controls to ensure that they have adopted the cybersecurity controls or practices recommended/required by the regulators.

In managing cybersecurity risks, senior management are reminded to take the specific steps outlined above (eg, cybersecurity topics should be regularly deliberated or reviewed at senior management meetings) and make sure that their actions are properly documented. Other recent requirements/expectations of senior management in this area set out by the Hong Kong regulators are summarised in our previous bulletins of 2 December 2014 and 5 November 2015.