Hong Kong Regulator Warns Firms to Brace for AI-Driven Cyber Threats

In an era where technology is advancing at breakneck speed, the Securities and Futures Commission (SFC) of Hong Kong has issued a stark warning to licensed financial firms. The SFC urged these entities to enhance their cybersecurity measures in light of a rising tide of advanced, AI-driven cyber threats. This move underscores the growing concern over how artificial intelligence can be harnessed for malicious purposes, posing significant risks to both financial institutions and their clients.

The SFC's warning comes at a critical juncture as cyberattacks have surged by 27% in 2025, from 12,536 incidents in 2024 to 15,877, according to data from the Hong Kong Computer Emergency Response Team Coordination Centre. The regulator specifically highlighted internet brokers and virtual asset-trading platforms as high-risk targets that need immediate attention.

Eric Yip, the SFC's executive director of intermediaries, emphasized the critical role of senior management in ensuring cyber resilience. "Senior leadership must take primary responsibility for protecting client assets and maintaining robust cybersecurity defenses," Yip stated. This call to action reflects a broader trend where global regulators are increasingly sounding the alarm over AI-enabled threats.

The Evolving Threat Landscape

The SFC's circular outlines several areas where firms can bolster their cybersecurity measures. These include patching and vulnerability management, detection and monitoring, and incident response and recovery. The regulator noted that AI is not only enabling malicious actors to identify and exploit vulnerabilities more quickly but also lowering the barriers to sophisticated attacks like phishing and social engineering.

For example, AI-powered tools can automate the process of generating convincing phishing emails or impersonating trusted contacts, making it easier for cybercriminals to deceive employees and gain unauthorized access to sensitive information. This automation has significantly increased the scale and effectiveness of such attacks, necessitating a more proactive approach from financial institutions.

The SFC's warning is part of a global trend where regulatory bodies are stepping up their efforts to address AI-driven cybersecurity risks. In late April, Australia's watchdog called for stronger AI risk controls in financial firms, while Japan's banking authority set up a forum to counter Mythos-powered cyber threats in mid-May. These coordinated actions highlight the international consensus on the need for enhanced cybersecurity measures.

Why It Matters

The implications of these emerging threats extend beyond the immediate financial losses and reputational damage that can result from a successful cyberattack. The use of AI in cyber operations can lead to long-term consequences, such as eroding public trust in financial institutions and undermining the stability of global financial markets.

The rapid evolution of AI technologies means that the threat landscape is constantly changing. Financial firms must remain vigilant and adapt their cybersecurity strategies to stay ahead of these evolving risks. By taking proactive steps now, they can protect their clients' assets and maintain the integrity of the financial system.

In a broader context, the SFC's warning serves as a reminder that the benefits of AI must be balanced with robust safeguards to prevent its misuse. As Mark Warner, a U.S. Senator, noted in a recent post, "I've heard from a lot of folks who are scared about the changes AI is bringing." This sentiment underscores the need for thoughtful regulation and oversight to ensure that AI's potential is harnessed for good while minimizing its risks.

As global regulators continue to grapple with these challenges, the actions taken by the SFC in Hong Kong provide a valuable case study. By urging financial firms to strengthen their cybersecurity defenses, the regulator is taking a crucial step towards safeguarding the financial sector from the growing threat of AI-driven cyberattacks.