HK SFC issues guidance on cybersecurity controls


The Securities and Futures Commission (SFC), Hong Kong’s securities regulator, recently released comprehensive guidance on suggested cybersecurity controls within licensed corporations (LCs). Although it only applies to LCs regulated by the SFC, it represents the most comprehensive guidance issued by a Hong Kong authority on cybersecurity, and provides useful insight on how organisations can effectively guard against cybersecurity threats.

Padlocks-2The Circular to all Licensed Corporations on Cybersecurity, issued on 23 March 2016, followed a review by the SFC of the effectiveness of cybersecurity controls within certain larger-sized LCs in Hong Kong.

While the SFC review revealed most LCs had proactive cybersecurity control frameworks in place, deficiencies in five key areas were identified.

Inadequate coverage of cybersecurity risk assessment exercises. The review found that standard cybersecurity risk assessments (such as control gap analysis and benchmarking) were often conducted on internet-facing systems and infrastructure – rather than systems and networks residing in internal environments or other non-internet-facing systems – which could still be enticing targets for cyber attacks. Further, tests were only conducted against basic types of cyber attacks, and were not frequently updated to cover the latest threats.

Inadequate cybersecurity risk assessment of service providers. LCs were found to heavily rely on the attestations of service providers rather than scrutinizing the scope, approach or results of their risk assessments. They did not take a proactive approach to integrate the systems and control environments supported by service providers into the LCs’ cybersecurity risk management frameworks. Formal procedures and guidelines detailing the requirements of conducting risk assessments or on-site audits were missing.

Insufficient cybersecurity awareness training. The cybersecurity awareness training provided to employees was not updated in accordance with the latest cybersecurity related issues.

Inadequate cybersecurity incident management arrangements. Cybersecurity incident response plans and drills were inadequate to address the latest cybersecurity threats. Some serious yet common cyber attack scenarios were not covered in cybersecurity incident response plans, and Hong Kong was often not included in global drills and simulation exercises.

Inadequate data protection programs. Data protection programs were inadequate to address the latest cybersecurity threats. For example, some LCs did not identify data flows, tailor processes and technologies to avoid data leakage or implement appropriate responses based on the sensitivity of data.


Business Law Digest is compiled with the assistance of BAKER & MCKENZIE. Readers should not act on this information without seeking professional legal advice. You can contact Baker & McKenzie by e-mailing Danian Zhang at, or for general enquiries contact Anand Ramaswamy at