Hong Kong regulator flags AI-driven attack risks

Hong Kong’s Securities and Futures Commission (SFC), the city’s chief financial markets regulator, has put licensed brokers and virtual asset platforms on notice over a sharp increase in AI-enabled cybersecurity threats.

According to The Paypers, the SFC’s circular, dated 2 June 2026, was directed primarily at internet brokers and virtual asset trading platforms, calling on them to bolster defences against unauthorised access to client data and the misappropriation of assets.

The regulator cited figures from the Hong Kong Computer Emergency Response Team Coordination Centre showing cyber incidents climbed 27% to 15,877 in 2025, compared with 12,536 the previous year.

The commission identified AI as a key factor behind the surge, warning that malicious actors are increasingly using AI tools to locate and exploit system weaknesses at a pace and scale that outstrips traditional defences. The regulator also flagged that AI is lowering the technical threshold for phishing and social engineering attacks, widening the range of individuals capable of mounting them.

Firms were directed to focus remediation efforts across several areas, including patch and vulnerability management, threat detection and monitoring, and incident response and recovery planning. Crucially, the SFC framed cyber resilience as a governance matter rather than a purely technical one, placing accountability for the protection of client assets squarely with senior management.

The SFC’s circular reflects a broader regulatory shift taking shape across the Asia-Pacific region. Australia’s financial watchdog issued comparable guidance in late April 2026, while Japan’s banking authority launched a dedicated forum to address AI-related cyber threats in mid-May 2026. The clustering of these actions points to AI-driven cybersecurity risk emerging as a shared priority for financial supervisors across the region, even without a formal cross-border framework in place.

Virtual asset trading platforms face a particularly acute compliance burden as a result of the circular. Handling both client funds and digital assets, these platforms represent high-value targets for the kind of large-scale, automated attacks the regulator describes, adding further pressure to an already demanding regulatory environment.

Copyright © 2026 RegTech Analyst
