Hong Kong’s Securities and Futures Commission (SFC) on Tuesday instructed licensed firms to strengthen cybersecurity safeguards as attackers increasingly employ artificial intelligence to conduct more advanced and targeted campaigns.
In a circular distributed to market participants, the regulator emphasized that internet brokers and virtual asset-trading platforms should be especially vigilant. The SFC said firms must adopt up-to-date measures designed to block unauthorized access to client information and to prevent the theft of assets.
The commission cited figures from the Hong Kong Computer Emergency Response Team Coordination Centre showing that cyberattack incidents climbed 27% to 15,877 in 2025 from 12,536 in 2024. The regulator noted that AI shortens the time attackers need to discover and exploit vulnerabilities, enables larger-scale operations, and lowers the barrier for phishing and social engineering techniques.
To address those evolving threats, the SFC identified several technical and operational areas where licensed firms should improve their cyber posture. The circular highlighted:
- patching and vulnerability management;
- detection and monitoring capabilities; and
- incident response and recovery processes.
Eric Yip, the SFC’s executive director of intermediaries, said senior management at licensed firms must take primary responsibility for cyber resilience and for protecting client assets. The regulator framed leadership accountability as central to strengthening defenses and ensuring rapid recovery when incidents occur.
The SFC also noted that similar cautions have been issued by other authorities in recent weeks. It referenced warnings from Australia’s financial watchdog in late April and from Japan’s banking authority in mid-May concerning growing risks linked to Anthropic’s new AI model, Mythos.
The regulator’s guidance focuses squarely on technical controls and governance while underscoring the trend of rising incidents and the accelerating role of AI in cyber operations. Firms operating trading and custody services were identified as the primary audience for the circular’s recommendations.
Implications for market participants
The SFC’s advisory is directed at licensed intermediaries that hold or process client assets and data. The combination of rising incident counts and AI-driven attack techniques makes the regulator’s recommended controls—patch management, monitoring, and incident readiness—more urgent for firms where client trust and asset security are core to operations.