News update: No phishing here – The SFC raises cybersecurity expectations for internet brokers and virtual asset trading platforms
The Securities and Futures Commission (SFC) has issued a circular on 9 July 2026 setting out enhanced expectations for internet brokers and SFC-licensed virtual asset service providers (VASPs) in relation to client account protection, phishing-resistant authentication and surveillance of suspicious account activities [link]. In this update, Pádraig Walsh from our Cybersecurity practice looks at the SFC’s latest expectations and the practical implications for licensed firms operating internet trading or virtual asset platforms.
Background
Phishing remains a significant cybersecurity risk in Hong Kong. The SFC noted that phishing continued to be the most common type of reported cybersecurity incident in Hong Kong, and that in 2025 fraudsters carried out large-scale SMS phishing campaigns targeting clients of internet brokers and VASPs. The attacks involved malicious links impersonating brokers and purported requests from regulators or government bodies, with clients being induced to enter login credentials and one-time passwords (OTPs) on fake websites.
The SFC’s concern is clear. If authentication credentials can be intercepted, threat actors can gain access to compromised client accounts and conduct unauthorised transactions. The new circular is directed at authentication standards. It also sets out a broader control framework covering prevention, detection, response and client education.
Robust authentication: from OTPs to phishing-resistant controls
The central message of the circular is that internet brokers and VASPs should adopt strong and phishing-resistant authentication solutions for client login and device binding, rather than merely OTPs. The appendix to the circular provides detailed examples of authentication methods that the SFC regards as acceptable and sets out the standards expected for their implementation.
Passkeys
Passkeys are password-less credentials based on public-key cryptography. The authentication credential remains on the client’s device, hardware security key or passkey manager. Only a corresponding public key used by the firm can verify authentication requests. This significantly reduces the risk of account takeover arising from stolen passwords or intercepted authentication codes.
Importantly, the SFC also sets out implementation expectations. Firms should ensure passkey solutions are appropriately certified, make passkey registration subject to strong identity verification procedures, and maintain controls governing the recovery, replacement and revocation of passkeys where devices or passkey managers are lost or compromised.
Device binding
Device binding creates a secure association between a client’s account and a registered device so that login requests can be verified as originating from an authorised device. Device binding can become vulnerable when it is established using weak methods such as passwords and OTPs.
The appendix to the circular provides examples of acceptable approaches. These include using an existing passkey to authenticate a new device, biometric verification against facial data collected during onboarding, and in-person identity verification at the firm’s offices.
Monitoring, client notifications and incident response
The circular makes clear that authentication controls alone are not sufficient. Internet brokers and VASPs should promptly notify clients of successful logins and other high-risk account activities. These include logins from new devices, new device binding and the creation or revocation of passkeys. They are also strongly encouraged to require client confirmation before further transactions are permitted following certain material changes or unusual account activities.
Firms should implement effective monitoring and surveillance measures to identify suspicious login activity and abnormal trading activities. These measures include predefined thresholds and red flags based on a client’s profile, trading behaviour, account activity, device usage and login patterns. The SFC gives examples such as transactions inconsistent with previous trading patterns, unusually large numbers of transactions in illiquid or small-cap stocks, and unusual transactions shortly after a password reset, change in contact details or new device binding.
If a hacking incident occurs, firms should have procedures to halt unauthorised activities, safeguard client assets, notify affected clients and prevent further compromise. Firms must conduct root cause analysis, maintain detailed incident reports and implement remedial measures.
Hacking incidents should also be reported to the SFC immediately. The SFC makes it clear that a hacking incident reaches the notification standard of a material failure, error or defect in the operation or functioning of systems or equipment under the SFC Licenced Persons Code of Conduct and the VATP Guidelines.
Implementation timeline
The SFC expects firms to review and enhance client notification, monitoring, surveillance, response and reporting procedures immediately. Robust authentication solutions should be implemented as soon as practicable and no later than 8 July 2027. Large internet brokers are expected to implement these solutions immediately.
During the implementation period, firms should incorporate robust authentication methods into their internet trading systems, ensure adequate testing before deployment, roll out the methods to all clients as soon as practicable, and communicate the changes with appropriate guidance and support.
Management responsibility
The circular is also a regulatory reminder to senior management. The SFC states that senior management are ultimately responsible for overseeing implementation of the enhancements and ensuring client accounts are properly protected. This applies in particular to the Manager-in-Charge of Overall Management and Oversight and the Manager-in-Charge of Information Technology.
The SFC also warns that if an internet broker or VASP fails to implement adequate measures to prevent, detect and stop large-scale unauthorised transactions conducted through hacked client accounts, the SFC will hold the relevant firm accountable for losses suffered by clients.
Key takeaways
Phishing attacks are on the rise. According to the latest statistics from HKCERT, a total of 15,877 cybersecurity incidents were reported in 2025, marking a new record high. Among them, phishing attacks remained the most prominent threat, accounting for nearly 60% of total cases. The rise of generative AI has made phishing messages increasingly realistic and harder to detect. This further increases the associated risks. The virtual world is a scary place.
The circular is a timely reminder that cybersecurity controls are now a front-line regulatory issue for internet brokers and virtual asset platforms. Firms should not treat authentication upgrades as a purely technical project. The SFC expects an integrated framework covering phishing-resistant login controls, device-binding governance, transaction surveillance, client alerts, incident response and ongoing client education.
Pádraig Walsh and Christie Yau
If you want to know more about the content of this article, please contact:
Pádraig Walsh
Partner | Email
Disclaimer: This publication is general in nature and is not intended to constitute legal advice. You should seek professional advice before taking any action in relation to the matters dealt with in this publication. This article was published on 16 July 2026.
