News update: No phishing here – The SFC raises cybersecurity expectations for internet brokers and virtual asset trading platforms

Jul 16 2026

The Securities and Futures Commission (SFC) has issued a circular on 9 July 2026 setting out enhanced expectations for internet brokers and SFC-licensed virtual asset service providers (VASPs) in relation to client account protection, phishing-resistant authentication and surveillance of suspicious account activities [link]. In this update, Pádraig Walsh from our Cybersecurity practice looks at the SFC’s latest expectations and the practical implications for licensed firms operating internet trading or virtual asset platforms.

Background

Phishing remains a significant cybersecurity risk in Hong Kong. The SFC noted that phishing continued to be the most common type of reported cybersecurity incident in Hong Kong, and that in 2025 fraudsters carried out large-scale SMS phishing campaigns targeting clients of internet brokers and VASPs. The attacks involved malicious links impersonating brokers and purported requests from regulators or government bodies, with clients being induced to enter login credentials and one-time passwords (OTPs) on fake websites.

The SFC’s concern is clear. If authentication credentials can be intercepted, threat actors can gain access to compromised client accounts and conduct unauthorised transactions. The new circular is directed at authentication standards. It also sets out a broader control framework covering prevention, detection, response and client education.

Robust authentication: from OTPs to phishing-resistant controls

The central message of the circular is that internet brokers and VASPs should adopt strong and phishing-resistant authentication solutions for client login and device binding, rather than merely OTPs. The appendix to the circular provides detailed examples of authentication methods that the SFC regards as acceptable and sets out the standards expected for their implementation.

Passkeys

Passkeys are password-less credentials based on public-key cryptography. The authentication credential remains on the client’s device, hardware security key or passkey manager. Only a corresponding public key used by the firm can verify authentication requests. This significantly reduces the risk of account takeover arising from stolen passwords or intercepted authentication codes.

Importantly, the SFC also sets out implementation expectations. Firms should ensure passkey solutions are appropriately certified, make passkey registration subject to strong identity verification procedures, and maintain controls governing the recovery, replacement and revocation of passkeys where devices or passkey managers are lost or compromised.

Device binding

Device binding creates a secure association between a client’s account and a registered device so that login requests can be verified as originating from an authorised device. Device binding can become vulnerable when it is established using weak methods such as passwords and OTPs.

The appendix to the circular provides examples of acceptable approaches. These include using an existing passkey to authenticate a new device, biometric verification against facial data collected during onboarding, and in-person identity verification at the firm’s offices.

Monitoring, client notifications and incident response

The circular makes clear that authentication controls alone are not sufficient. Internet brokers and VASPs should promptly notify clients of successful logins and other high-risk account activities. These include logins from new devices, new device binding and the creation or revocation of passkeys. They are also strongly encouraged to require client confirmation before further transactions are permitted following certain material changes or unusual account activities.

Firms should implement effective monitoring and surveillance measures to identify suspicious login activity and abnormal trading activities. These measures include predefined thresholds and red flags based on a client’s profile, trading behaviour, account activity, device usage and login patterns. The SFC gives examples such as transactions inconsistent with previous trading patterns, unusually large numbers of transactions in illiquid or small-cap stocks, and unusual transactions shortly after a password reset, change in contact details or new device binding.

If a hacking incident occurs, firms should have procedures to halt unauthorised activities, safeguard client assets, notify affected clients and prevent further compromise. Firms must conduct root cause analysis, maintain detailed incident reports and implement remedial measures.

Hacking incidents should also be reported to the SFC immediately. The SFC makes it clear that a hacking incident reaches the notification standard of a material failure, error or defect in the operation or functioning of systems or equipment under the SFC Licenced Persons Code of Conduct and the VATP Guidelines.

Implementation timeline

The SFC expects firms to review and enhance client notification, monitoring, surveillance, response and reporting procedures immediately. Robust authentication solutions should be implemented as soon as practicable and no later than 8 July 2027. Large internet brokers are expected to implement these solutions immediately.

During the implementation period, firms should incorporate robust authentication methods into their internet trading systems, ensure adequate testing before deployment, roll out the methods to all clients as soon as practicable, and communicate the changes with appropriate guidance and support.

Management responsibility

The circular is also a regulatory reminder to senior management. The SFC states that senior management are ultimately responsible for overseeing implementation of the enhancements and ensuring client accounts are properly protected. This applies in particular to the Manager-in-Charge of Overall Management and Oversight and the Manager-in-Charge of Information Technology.

The SFC also warns that if an internet broker or VASP fails to implement adequate measures to prevent, detect and stop large-scale unauthorised transactions conducted through hacked client accounts, the SFC will hold the relevant firm accountable for losses suffered by clients.

Key takeaways

Phishing attacks are on the rise. According to the latest statistics from HKCERT, a total of 15,877 cybersecurity incidents were reported in 2025, marking a new record high. Among them, phishing attacks remained the most prominent threat, accounting for nearly 60% of total cases. The rise of generative AI has made phishing messages increasingly realistic and harder to detect. This further increases the associated risks. The virtual world is a scary place.

The circular is a timely reminder that cybersecurity controls are now a front-line regulatory issue for internet brokers and virtual asset platforms. Firms should not treat authentication upgrades as a purely technical project. The SFC expects an integrated framework covering phishing-resistant login controls, device-binding governance, transaction surveillance, client alerts, incident response and ongoing client education.

Pádraig Walsh and Christie Yau

If you want to know more about the content of this article, please contact:

Pádraig Walsh
Partner | Email

Disclaimer: This publication is general in nature and is not intended to constitute legal advice. You should seek professional advice before taking any action in relation to the matters dealt with in this publication. This article was published on 16 July 2026.

Tags:

Legal Updates TMT

Featured Articles

Insights
News update: No phishing here – The SFC raises cybersecurity expectations for internet brokers and virtual asset trading platforms
Insights
Shaping Arbitration in 2026: a Mid-year Review of Four Significant Hong Kong Court Decisions
Insights
Case Update – FCMC 4687/2023 – Legal Costs Provision, Financial Disclosure, and Adverse Inference in Hong Kong Family Law
Insights
No second bite of the cherry? Court of Appeal to rule on whether Cap. 597 precludes common law enforcement of qualifying Mainland judgments
Insights
What Is the Right Measure of Compensation in Hong Kong Discrimination Claims?
Insights
News update: Finfluencers on the SFC regulatory radar