PTS Managed Services


SFC Cybersecurity Requirements for Hong Kong Fund Managers

What the SFC expects of HK fund managers on cybersecurity and IT — the Code of Conduct, FMCC, Manager-In-Charge regime, cloud-data and AI rules — and where the real risk sits.

Cybersecurity and regulatory compliance for SFC-licensed fund managers in Hong Kong

If you run an SFC-licensed asset management firm in Hong Kong, you have probably searched for “the SFC cybersecurity rules” and come away frustrated — because there isn’t one tidy rulebook. The SFC’s expectations are spread across the Code of Conduct, the Fund Manager Code of Conduct, the Manager-In-Charge regime, a handful of circulars, and the supervisory signals buried in its thematic-review reports. This guide pulls them together for the people who actually have to implement them: IT leads, COOs, and the Manager-In-Charge of Information Technology.

This is general information for IT and operations leaders, accurate as at May 2026 — not legal or compliance advice. Verify against the SFC’s current codes, guidelines and circulars (linked throughout) and take professional advice before you act.

Does the SFC’s internet-trading cyber guideline apply to you?

The SFC’s most detailed cyber rulebook is the Guidelines for Reducing and Mitigating Hacking Risks Associated with Internet Trading — 20 baseline requirements issued in October 2017 (two-factor authentication for client logins effective 27 April 2018; the rest from 27 July 2018).

Here is the part most fund managers miss: these guidelines are scoped to internet trading. They bite on Type 1, 2 and 3 firms that run client-facing trading facilities — and on Type 9 managers only “to the extent that they distribute funds under their management through their internet-based trading facilities.” If your clients don’t log in to place their own orders, the specific 20 requirements largely don’t apply to you.

That said, they remain the best practical checklist the SFC has published, and supervisors treat them as the de-facto baseline: two-factor authentication, monitoring and surveillance, strong encryption, one-month patch cycles, daily offline backups, contingency planning for ransomware and DDoS, written incident-reporting policies, and annual staff training. Even if you’re not strictly bound, it’s a sensible standard to hold yourself to.

The rules that bind every Type 9 manager

Whether or not you run a trading portal, several technology-neutral obligations apply to you in full:

  • The Code of Conduct. General Principle 3 requires you to have and effectively employ the resources and procedures needed for the proper performance of your business — the hook for adequate IT and security. General Principle 9 puts primary responsibility on senior management. And paragraph 12.5 requires you to notify the SFC of material breaches and incidents — including, where appropriate, cyber incidents.
  • The Fund Manager Code of Conduct (FMCC) — now in its Fifth Edition (October 2024) — sets risk-management, operations and record-keeping standards, and expressly supplements the Code of Conduct and the Internal Control Guidelines. It requires adequate policies and procedures to identify, manage and monitor your risks, and to keep proper records. IT and cyber risk are squarely in scope.

None of this prescribes a firewall brand. It does require you to manage technology and information risk competently, and to be able to prove it.

Someone must own it: the Manager-In-Charge regime

Since 2017 the SFC’s Manager-In-Charge of Core Functions (MIC) regime has required licensed firms to designate named senior individuals over eight core functions — one of which is Information Technology. The IT MIC is the person the SFC holds personally accountable for your technology function, and in practice for your cyber posture. If you have not formally appointed one, or the role is a name on a form rather than someone with real authority and the right expertise, that’s a gap to close first.

Where your data lives: the external data-storage rules

This is the rule most cloud-using managers overlook. The SFC’s circular on the use of external electronic data storage (31 October 2019, ref 19EC59) lets you keep regulatory records with external providers — including public and private cloud — but on conditions:

  • You must apply to the SFC for approval of the premises (the data centre) under section 130 of the SFO.
  • You must designate at least two Managers-In-Charge resident in Hong Kong who can access all regulatory records held with the provider at any time.
  • You must obtain a written undertaking from the provider that it will give the SFC access to those records on request — which matters when the data centre sits outside Hong Kong.

If your records live in Microsoft 365, a fund-administration platform, or any SaaS tool, this applies. And if any of that data relates to Mainland China operations, you have a second layer to navigate — see our guide to the data laws in China and Hong Kong.

Remote working and AI: two circulars you can’t ignore

  • Remote-office security (29 April 2020, ref 20EC37). Issued after attackers exploited VPN weaknesses at a licensed firm to make unauthorised fund transfers, it expects robust VPNs with strong encryption, two-factor authentication for remote logins, network segmentation, monitoring for unauthorised internal access, videoconferencing security, and staff awareness.
  • Generative AI (12 November 2024, ref 24EC55). This applies to all licensed corporations — expressly including asset managers — that use generative-AI language models in regulated activities. It sets expectations across four areas: senior-management responsibility, AI model risk management, cybersecurity and data risk, and third-party provider risk. Using generative AI to produce investment recommendations or research is treated as prima facie high-risk. If your team has started using AI tools, you need a governance policy before, not after.

What the SFC is actually looking at

Supervisory expectations show up most clearly in the SFC’s own reviews, collected on its cybersecurity topic hub:

  • The 2023-24 thematic cybersecurity review of licensed corporations (report published February 2025) catalogued real incidents from 2021–2024 — ransomware disrupting trading and back-office systems, unauthorised account access enabling fraudulent trades, and third-party vendor breaches — and flagged recurring failings: end-of-life software, weak or missing two-factor authentication, delayed patching, excessive access rights, and insufficient senior-management oversight.
  • The Report on Operational Resilience and Remote Working Arrangements (October 2021) sets out good practices on business continuity, disaster recovery, scenario testing and remote-working security.

Read together, these tell you what “good” looks like — and they’re the yardstick a supervisor will reach for.

Enforcement: where the real risk sits

The cyber-specific fines cluster on the trading side: in 2022, for example, the SFC fined a futures firm HK$5 million in part for failing to implement two-factor authentication for clients’ internet-trading logins. For a typical Type 9 manager without a client portal, the bigger enforcement exposure is internal-control and risk-management failures under the FMCC — the SFC has reprimanded and fined fund managers millions for inadequate internal controls and oversight. The lesson is the same either way: even where the internet-trading guideline doesn’t strictly apply, you are held to “we manage our IT and information risk competently, and can evidence it.”

A practical checklist for SFC-licensed managers

  1. Appoint your IT Manager-In-Charge properly — real authority, real expertise, cyber explicitly in scope.
  2. Map your regulatory records and where they sit. Get written undertakings from your external electronic data storage providers (EDSPs) and SFC premises approval for cloud/external storage, and make sure two HK-resident MICs can reach the records at any time.
  3. Enforce multi-factor authentication everywhere — email, VPN, remote access and admin accounts. A Microsoft 365 security review is the quickest way to check this against the SFC baseline.
  4. Eliminate end-of-life software and patch on a defined cycle.
  5. Least-privilege access, reviewed at least annually.
  6. Daily, tested, offline backups and a disaster-recovery / business-continuity plan you actually rehearse.
  7. A written incident-response and SFC-notification policy (Code of Conduct para 12.5).
  8. Diligence your IT and SaaS vendors — outsourcing the work never outsources the obligation.
  9. Annual staff cyber-awareness training.
  10. An AI-use policy before staff adopt generative-AI tools.

How PTS helps

PTS provides IT support and security for Hong Kong financial services firms — ISO/IEC 27001 certified, vendor-neutral, and used to operating to the standards the SFC and your investors’ operational due diligence expect. We deliver the controls these rules assume: cybersecurity, Microsoft 365 security reviews against the SFC baseline, managed IT services, data governance, backup and business continuity, and the evidence trail to show it. We work alongside your compliance team and legal advisers — they own the regulatory opinion; we make the systems stand up to it. We also support private equity firms and their portfolio companies.

Related reading: Hong Kong’s PDPO privacy law · data governance with Microsoft Purview · IT due diligence in M&A · data laws in China & Hong Kong

Sources

Primary SFC materials: the Code of Conduct; the Fund Manager Code of Conduct; the Guidelines for Reducing and Mitigating Hacking Risks Associated with Internet Trading; the Manager-In-Charge regime FAQ; the circulars on external electronic data storage (19EC59), remote-office cybersecurity (20EC37) and generative AI (24EC55); the Report on Operational Resilience and Remote Working Arrangements; and the SFC cybersecurity topic hub.

Again: this is general information, not legal or compliance advice, and reflects our understanding as at May 2026. The SFC updates its codes, guidelines and circulars regularly — confirm the current position and take professional advice before acting.
