Hong Kong SFC Cybersecurity Review 2023/2024: Most Common Cyber-Attack is Phishing (Posing as Trustworthy Institutions or Individuals), Failed to Install or Update Anti-Malware Solution on Trading Systems to Protect Against Phishing Attacks, Some Do Not Have Processes to Manage EOL Software (End of Life), Some Do Not Have Adequate Controls on Remote Access, Cloud Services, 3rd-Party Service Provider Management, 8 Cybersecurity Incidents Including Hacking of Client Accounts & Business Disruptions Between 2021 to 2024 Reported by Licensed Corporations
8th February 2025 | Hong Kong
The Hong Kong Securities and Futures Commission (SFC) has released its Cybersecurity Review 2023/2024. Its key findings: 1) the most common cyber-attack is phishing (posing as trustworthy institutions or individuals); 2) some firms failed to install or update anti-malware solutions on trading systems to protect against phishing attacks; 3) some do not have processes to manage end-of-life (EOL) software; 4) some do not have adequate controls on remote access, cloud services and third-party service provider management; and 5) licensed corporations reported eight cybersecurity incidents, including hacking of client accounts and business disruptions, between 2021 and 2024.

Hong Kong SFC (6/2/25): “The Securities and Futures Commission (SFC) noted that material cybersecurity incidents in recent years involving cyberattacks against licensed corporations (LCs) had resulted in significant business disruptions or hacking of client accounts. Issued today, the SFC’s Report on the 2023/24 Thematic Cybersecurity Review of Licensed Corporations (Report) noted eight incidents of material cybersecurity breach reported to the SFC between 2021 and 2024. In some incidents, fraudsters conducted unauthorised trades in clients’ accounts after gaining control of them by infiltrating the LCs’ networks through network security loopholes. The use of end-of-life software and weak algorithms for encrypting client data are some of the common weaknesses identified in these incidents (Note 1). Such vulnerabilities indicate the LCs’ insufficient senior management oversight and inadequate controls on cybersecurity measures. In addition, to address the emerging cybersecurity risks, the SFC has set out in the Report the standards of conduct expected of LCs in relation to phishing detection and prevention, end-of-life software management, remote access, third-party IT service provider management and cloud security.

The SFC, together with the Hong Kong Police Force, will host cybersecurity webinars in February to further share the findings of the thematic review and the common cybersecurity threats in Hong Kong (Note 2). The SFC will also conduct another comprehensive review of the existing cybersecurity requirements and expected standards in 2025, in order to develop an industry-wide cybersecurity framework and guide LCs on better managing cybersecurity risks.”
Dr Eric Yip, the SFC’s Executive Director of Intermediaries: “Licensed firms must take all necessary measures to ward off increasingly sophisticated and prevalent cyberattacks in a highly interconnected and digitalised world. By failing to address the growing threat and mitigate the associated risks, licensed firms would not only jeopardise their own security, but also that of their clients and even our financial system as a whole. To this end, senior management must also recognise the critical importance of safeguarding the cybersecurity of their firms, without leaving these responsibilities to only their IT department.”
Notes:
1. End-of-life software refers to software which has reached the end of its useful life. The software provider has stopped supporting it, and no updated security patches and fixes are available.
2. Please refer to the Circular to licensed corporations, SFC-licensed virtual asset service providers and associated entities – Cybersecurity webinar for details.