On 6 February 2025, the Securities and Futures Commission (SFC) concluded its 2023/24 thematic cybersecurity review of licensed corporations (LCs) in Hong Kong. The review assessed compliance with existing cybersecurity requirements, focusing on emerging risks such as phishing attacks, end-of-life (EOL) software, and third-party provider management. The SFC surveyed 50 LCs of various sizes and business types, conducted on-site inspections of seven internet brokers, and held discussions with six LCs with global operations. The review identified several areas where LCs need to improve their cybersecurity measures, including issues related to two-factor authentication (2FA), security configurations of system servers and firewalls, implementation of security patches, encryption of sensitive data, and user access to critical system admin accounts. The review highlighted that many cybersecurity incidents reported to the SFC involved the use of EOL operating systems and unpatched virtual private network (VPN) solutions. Some incidents also involved ransomware attacks instigated through phishing.