The Securities and Futures Commission (SFC) has called on licensed financial firms to strengthen their cybersecurity defenses against a new generation of cyber threats powered by rapidly advancing artificial intelligence (AI) technologies, warning that frontier AI models could significantly increase the scale, sophistication and frequency of cyberattacks targeting the financial sector.
In a circular issued today, the regulator highlighted the growing risks posed by AI-enabled cybercrime amid an increasingly complex threat landscape. The warning comes as cyberattack incidents continue to rise both globally and within Hong Kong, where authorities recorded a double-digit increase in cybersecurity incidents over the past year.
According to the SFC, recent breakthroughs in frontier AI models have transformed the capabilities available to malicious actors, enabling them to identify vulnerabilities more quickly, automate attack processes and conduct highly coordinated operations across multiple interconnected systems. These developments are creating new challenges for financial institutions tasked with safeguarding sensitive information, maintaining operational resilience and protecting client assets.
The regulator noted that AI-powered tools are lowering the technical barriers traditionally associated with cybercrime. As a result, threat actors can more easily carry out sophisticated phishing campaigns, social engineering attacks, deepfake impersonation schemes and reconnaissance activities. Such capabilities increase the likelihood of successful cyber intrusions and make attacks more difficult to detect and contain.
“The evolution of AI technologies is fundamentally changing the cybersecurity landscape,” the SFC stated, emphasizing that financial institutions must adapt their risk management frameworks to address emerging threats before they materialize into significant operational disruptions.
The warning is particularly directed at internet brokers and virtual asset trading platforms, which the regulator identified as being especially exposed to cyber risks due to the digital nature of their operations and their handling of sensitive client information and assets. The SFC urged these firms to implement robust and up-to-date cybersecurity controls designed to prevent unauthorized access to systems, protect confidential customer data and reduce the risk of asset misappropriation.
As part of its guidance, the SFC outlined several key areas where licensed firms should review and strengthen their cybersecurity frameworks. These include improving patch and vulnerability management processes to address security weaknesses promptly, enhancing threat detection and monitoring capabilities to identify suspicious activity in real time, and ensuring that incident response and recovery plans remain effective against evolving attack techniques.
The regulator stressed that cybersecurity should not be viewed solely as a technology issue but as a critical governance and risk management responsibility requiring active oversight from senior leadership.
Dr. Eric Yip, the SFC’s Executive Director of Intermediaries, described cybersecurity risk as one of the most significant challenges confronting the financial industry today and reaffirmed that cyber resilience remains a major supervisory priority for the regulator.
“Cybersecurity risk is one of the major challenges facing the financial industry and remains a top supervisory focus of the SFC in its oversight of licensed firms,” Dr. Yip said. “As frontier AI models become more powerful and accessible, AI-enabled cyber threats are set to accelerate and complicate the tasks to detect and contain them. Senior management of licensed firms should shoulder primary responsibilities in gatekeeping firms’ cyber resilience and the security of client assets.”
Industry observers note that the warning reflects a broader global trend among financial regulators, many of whom are increasingly focused on the intersection of AI and cybersecurity. While AI technologies offer substantial benefits in areas such as fraud detection, compliance monitoring and operational efficiency, regulators are also becoming concerned about cybercriminals leveraging the same technologies to execute more effective attacks.
The SFC indicated that its efforts to address the issue will extend beyond regulatory guidance. The commission plans to engage closely with market participants, technology providers and regulatory counterparts in Hong Kong and overseas to better understand emerging risks and promote industry-wide resilience.
Among the initiatives announced are educational webinars designed to raise awareness of AI-related cyber threats, thematic reviews to evaluate firms’ preparedness and resilience, and ongoing supervisory assessments aimed at identifying weaknesses in cybersecurity controls. The regulator also signaled its willingness to take appropriate supervisory action where deficiencies are identified.
The circular underscores the increasing urgency for financial institutions to modernize their cybersecurity strategies as technological innovation continues to reshape both opportunities and threats within the financial sector. With AI rapidly becoming more powerful, accessible and widely adopted, regulators are warning that firms must remain vigilant and proactive in defending against a threat environment that is evolving at unprecedented speed.
As financial institutions continue to embrace digital transformation and AI-driven innovation, the SFC’s message is clear: cybersecurity resilience must evolve just as quickly as the technologies that are reshaping the future of finance.
By FCCT Editorial Team

