Hong Kong SFC AI Cyberattack Circular 2026 | TLY

AI Regulation Tracker  /  Guidance

Hong Kong's SFC Orders Licensed Firms to Harden Cybersecurity Against AI-Enabled Attacks

Regulatory summary: The Securities and Futures Commission issued a circular on 2 June 2026 telling licensed corporations, virtual asset service providers and associated entities to review and strengthen their cybersecurity frameworks against frontier-AI threats, and it holds senior management and the Manager-in-Charge of IT primarily responsible.

Primary source

Hong Kong's SFC Orders Licensed Firms to Harden Cybersecurity Against AI-Enabled Attacks regulation briefing
The Leveraged Years AI Regulation Tracker

Key takeaways

  • The SFC moved cybersecurity expectations to explicitly cover frontier-AI-enabled attack techniques. It tells firms to reassess frameworks against threats that were previously theoretical: AI systems that autonomously discover zero-day vulnerabilities, chain multiple lower-risk flaws, orchestrate attacks across interconnected systems, and generate convincing phishing, social-engineering and deepfake impersonation at low cost and high speed. The circular ties these threats to concrete control domains and to named lines of accountability.
  • Chief information security officers, Managers-in-Charge of IT, and senior management at SFC-licensed brokers, asset managers, depositaries and virtual asset platforms; compliance and risk officers responsible for internal controls; and technology vendors and outsourced service providers whose systems sit inside a licensed firm's attack surface.
  • Status: Issued and in effect.
  • Convene senior management and the Manager-in-Charge of IT to run a gap review against the circular's appendix, prioritize patching, detection and incident-response upgrades for AI-enabled threats, and record the review and any framework changes for supervisory inspection.
DateJurisdictionRuleAffected professionalsStatus or effective date
2026-07-09Hong KongThe SFC moved cybersecurity expectations to explicitly cover frontier-AI-enabled attack techniques. It tells firms to reassess frameworks against threats that were previously theoretical: AI systems that autonomously discover zero-day vulnerabilities, chain multiple lower-risk flaws, orchestrate attacks across interconnected systems, and generate convincing phishing, social-engineering and deepfake impersonation at low cost and high speed. The circular ties these threats to concrete control domains and to named lines of accountability.Chief information security officers, Managers-in-Charge of IT, and senior management at SFC-licensed brokers, asset managers, depositaries and virtual asset platforms; compliance and risk officers responsible for internal controls; and technology vendors and outsourced service providers whose systems sit inside a licensed firm's attack surface.Issued and in effect. The circular was published on 2 June 2026 and firms are expected to act on it now. It is a standing supervisory expectation rather than a consultation or a proposal.

Frequently Asked Questions

Is the SFC AI cybersecurity circular legally binding?

It is a supervisory circular, in effect from 2 June 2026. It does not create new primary legislation, but it sets the SFC's expectations under existing conduct and internal-control requirements, and licensed firms are expected to comply. Inadequate cybersecurity can lead to supervisory and disciplinary consequences.

Who does the circular apply to?

Licensed corporations, SFC-licensed virtual asset trading platforms and their associated entities. Firms in electronic trading (especially large retail brokers), Type 13 depositaries, and virtual asset trading platforms are expected to implement all of the appendix controls.

What AI-enabled threats does it name?

Frontier AI models that autonomously find zero-day vulnerabilities and chain lower-rated flaws into high-impact attacks, attacks orchestrated across interconnected systems, and low-cost AI tools that power phishing, social engineering and deepfake impersonation.

Who is responsible inside a licensed firm?

Senior management holds ultimate responsibility for cybersecurity risk, and the Manager-in-Charge of Information Technology is responsible for ensuring adequate review and approval of changes to the firm's cybersecurity framework.

What is the immediate action?

Run a documented framework review against the circular's appendix, covering patch and vulnerability management, detection and monitoring, and incident response for AI-enabled threats, with change approval through the Manager-in-Charge of IT and senior management sign-off.

Browse the full AI Regulation News tracker

Informational analysis for working professionals, not legal advice. Confirm how any rule applies to your situation with qualified counsel.