Hong Kong's Securities and Futures Commission has urged licensed firms to strengthen cybersecurity defences against a rise in AI-driven attacks.
The regulator directed its guidance primarily at internet brokers and virtual asset trading platforms, instructing them to adopt current protections against unauthorised access to client data and asset misappropriation. The circular, issued on 2 June 2026, reflects growing concern among financial regulators about the intersection of artificial intelligence and cybersecurity vulnerabilities.
Rising attack volumes and AI-enabled risks
Figures cited by the SFC from the Hong Kong Computer Emergency Response Team Coordination Centre show that cyber incidents rose 27% to 15.877 in 2025, up from 12.536 in 2024. The regulator attributed part of this increase to AI tools that allow malicious actors to identify and exploit system vulnerabilities at greater speed and scale. The circular also noted that AI is reducing the technical barriers to phishing and social engineering attacks, broadening the pool of potential threat actors.
Moreover, the SFC outlined several areas where firms should focus remediation efforts, including patch and vulnerability management, threat detection and monitoring, and incident response and recovery planning. The guidance positions cyber resilience not as a technical function alone, but as a governance responsibility, with senior management expected to take primary accountability for protecting client assets.
This framing aligns with a broader regulatory shift across Asia-Pacific, where supervisory bodies are moving towards holding firm leadership directly responsible for operational and cyber risk outcomes, rather than treating these as purely IT-level concerns.
Regional regulatory context
According to Reuters, Hong Kong's action follows similar warnings from regulators in the region in recent months. Australia's financial watchdog issued comparable guidance in late April 2026, and Japan's banking authority established a dedicated forum to address AI-related cyber threats in mid-May 2026. The convergence of these actions suggests that AI-driven cybersecurity risk has become a coordinated concern for financial regulators across Asia-Pacific, even in the absence of a formal cross-border framework.
For virtual asset trading platforms in particular, the circular adds another layer of compliance expectation to an already complex regulatory environment. These platforms handle both client funds and digital assets, making them a high-value target for the types of large-scale, automated attacks the SFC describes.
