Hong Kong's Financial Regulator Issues Urgent Warning on AI-Powered Cyberattacks
Hong Kong's financial regulator has issued an urgent call for enhanced cybersecurity measures as artificial intelligence-powered cyberattacks become increasingly sophisticated and harder to defend against. On June 2, 2026, the Securities and Futures Commission (SFC) issued a circular urging licensed corporations, virtual asset service providers, and associated entities to review and strengthen their cybersecurity frameworks to address emerging AI-enabled threats.
The timing reflects a troubling trend. Cybersecurity incidents in Hong Kong's financial sector have surged 27 percent year-over-year, driven largely by frontier AI models that can autonomously find previously unknown software vulnerabilities and chain several lower-severity flaws into a single high-impact attack. Where traditional cyberattacks required significant technical expertise, AI-powered tools have dramatically lowered the barrier to entry, making phishing, social engineering, and deepfake impersonation attacks far cheaper to mount and far more convincing.
How Are AI Models Making Cyberattacks More Dangerous?
The SFC highlighted two critical ways frontier AI models are amplifying cybersecurity risks for financial institutions. First, AI systems can discover "zero-day vulnerabilities," previously unknown security flaws for which the vendor has not yet released a patch. These models can also identify and chain together multiple lower-risk vulnerabilities in ways that produce high-impact exploits, even where no single flaw would have been rated critical on its own. Second, the availability of low-cost AI tools lets threat actors discover and exploit new vulnerabilities so rapidly that traditional patching processes cannot keep pace.
This speed mismatch creates a dangerous window of exposure. In the past, firms typically had weeks or months to patch a vulnerability after it was disclosed. Today, AI-assisted threat actors can identify a flaw and exploit it within hours or days, leaving security teams little time to test and deploy a fix. The practical consequence is that patch windows must be set by how exploitable a flaw is, not by a fixed maintenance cycle.
What Specific Controls Are Financial Firms Expected to Implement?
The SFC's circular identifies five key areas in which licensed firms should strengthen their defenses. The regulator expects all firms to review and consider these measures in proportion to their size, complexity, and risk profile. Certain high-risk categories, including large retail brokers, depositaries of SFC-authorized investment schemes, and virtual asset trading platforms, are required to implement all of the identified controls.
- Patching and Vulnerability Management: Firms must accelerate their ability to identify, test, and deploy security patches before vulnerabilities can be exploited by AI-assisted threat actors.
- Access and Privilege Controls: Limiting who can access critical systems and data, and with what privileges, limits how far an attacker who obtains a credential, whether through phishing, an AI-generated impersonation, or an insider, can reach once inside.
- Detection and Monitoring Measures: Real-time monitoring systems must be enhanced to identify AI-powered attacks that may operate faster and with greater sophistication than human-executed threats.
- Third-Party Supply Chain Risk Management: Since many firms rely on external vendors and service providers, the SFC emphasizes vetting and monitoring these relationships for cybersecurity vulnerabilities.
- Incident Response and Recovery: Firms must have rapid response protocols and tested backups and recovery procedures in place to minimize damage and downtime if an AI-powered attack succeeds.
The SFC also stressed that senior management and the Manager-in-Charge of Information Technology (MIC-IT) at each firm bear ultimate responsibility for implementing these controls and ensuring they remain effective as threats evolve.
Why Are Generative AI Models Creating Additional Risk?
The circular reiterated guidance from November 2024 warning that a firm's own deployment of generative AI language models, whether developed internally or sourced from third-party providers, may amplify existing cybersecurity vulnerabilities. When financial firms adopt AI language models to provide investment recommendations, research, or advice to clients, they introduce new attack vectors that must be managed within their broader cybersecurity and incident response frameworks.
"AI-specific cybersecurity risks should be addressed within firms' broader cybersecurity frameworks and incident response frameworks, in line with the core principles set out in the November 2024 circular," the SFC stated in its guidance.
Hong Kong Securities and Futures Commission, Cybersecurity Circular, June 2026
This dual challenge, where firms must defend against AI-powered external attacks while managing risks from their own AI deployments, has prompted regulators worldwide to issue similar warnings. The U.S. Department of the Treasury, the Financial Conduct Authority in the United Kingdom, the Monetary Authority of Singapore, and the Australian Securities and Investments Commission have all issued guidance urging financial institutions to proactively assess and strengthen their AI-related cybersecurity defenses.
For financial institutions operating globally, the challenge is compounded by varying regulatory requirements across jurisdictions. While the underlying cybersecurity principles are similar, some regulators have adopted mandatory AI rules while others rely on principles-based guidance. This fragmentation means firms must write cybersecurity policies that satisfy the most demanding requirement in any market where they operate, rather than the local minimum in each.
The SFC has indicated it will continue monitoring developments in this area and may conduct reviews to assess firms' preparedness. Licensed firms, particularly those in the high-risk categories, should therefore begin immediate gap analyses of their existing controls and incident response procedures against the five core areas identified in the circular, and remediate any material gaps they find.