Hong Kong’s Securities and Futures Commission (SFC) SFC Thematic Review Report has flagged significant cybersecurity risks among licensed corporations (LCs).
In the report on the 2023/24 Thematic Cybersecurity Review of Licensed Corporations released on 6 February 2025, the SFC identified eight material cybersecurity breaches. The said breaches happened between 2021 and 2024.
In certain cases, fraudsters exploited security vulnerabilities in the LCs’ networks to infiltrate and gain control of clients’ accounts, carrying out unauthorised trades without their consent.
The breaches were linked to vulnerabilities such as the use of outdated software and weak encryption algorithms for client data. The report also highlighted insufficient senior management oversight and inadequate cybersecurity controls as key contributing factors.
The SFC outlined expected standards for LCs to combat emerging threats, including phishing prevention, end-of-life software management, remote access protocols, and cloud security.
Dr Eric Yip, Executive Director of Intermediaries at the SFC, said,
“Licensed firms must take all necessary measures to ward off increasingly sophisticated and prevalent cyberattacks in a highly interconnected and digitalised world. Failing to address the growing threat and mitigating the associated risks, licensed firms would not only jeopardise their own security, but also that of their clients and even our financial system as a whole.”
He urged senior management to take cybersecurity seriously, beyond simply delegating responsibilities to IT departments.
The SFC will collaborate with the Hong Kong Police Force to host cybersecurity webinars this month. Two webinars will take place on 17 February 2025 and 19 February 2025, respectively, and will be conducted online via Zoom.
The SFC also plans to review its existing cybersecurity framework later in 2025. The updated framework aims to help LCs better manage cybersecurity risks and strengthen industry-wide resilience.
Source of image: edited from Freepik
