In April 2026, Anthropic reported that its Claude Mythos Preview model demonstrated capabilities in identifying and exploiting zero-day vulnerabilities in major operating systems and web browsers when directed to do so. Meanwhile, Hong Kong recorded 15,877 cybersecurity incidents in 2025, a year-on-year increase of more than 26%. The need for robust cybersecurity protection across infrastructures has never been higher in view of heightened cyberattack risks posed by frontier artificial intelligence (AI) models.
Against this backdrop, financial services regulators are increasingly concerned about the compression of cyberattack timelines, made possible by the growing capabilities and sophistication of AI-enabled tools. AI-enabled tools significantly increase the speed, scale and efficiency of vulnerability discovery and exploitation, and of launching cyberattacks.
On 2 June 2026, the Securities and Futures Commission (SFC) issued a circular (Circular) to licensed corporations, SFC-licensed virtual asset service providers and their associated entities (collectively, “Licensed Firms”). In the Circular, the SFC reminds Licensed Firms to review and enhance their cybersecurity measures to address evolving threats posed by AI-enabled cyberattacks, and provides practical guidance on enhancing resilience and response strategies.
Key takeaways
Accountability of senior management. The senior management, including the Manager-in-Charge of Information Technology (MIC-IT), of a Licensed Firm is ultimately responsible for managing cybersecurity risks.
Frontier AI models increase sophistication and frequency of cyberattacks. Frontier AI models are capable of:
detecting zero-day vulnerabilities
systematically identifying and chaining multiple “lower risk-rated” vulnerabilities
planning and executing complex, multi-step actions autonomously
Used together, these AI-enabled tools amplify and multiply the disruptive impact of cyberattacks by:
discovering and exploiting software or system vulnerabilities which have escaped the attention of or been neglected by their providers or users
orchestrating large scale attacks across multiple interconnected systems
significantly reducing the cost and technical resources required by threat actors for phishing, social engineering, deepfake impersonation and reconnaissance
Cybersecurity safeguards should be robust, up-to-date and implemented promptly. To address the evolving AI-enabled cyber risks, Licensed Firms should assess their preparedness and review whether their existing cybersecurity prevention, detection, response and recovery controls and procedures remain relevant and effective. In particular:
as a foundation, a Licensed Firm should maintain an accurate and up-to-date inventory of its technology assets and components, including hardware, software, network infrastructure, databases and cloud services, and identify externally exposed or third-party dependent, business critical assets or components. This enables the Licensed Firm to prioritise and direct remediation and protective resources and measures to the highest risk areas promptly and effectively
MIC-IT should ensure that changes to the cybersecurity framework of the Licensed Firm are adequately reviewed and approved and that enhancements to its cybersecurity measures are implemented properly and promptly
software patching and change management processes should be enhanced to expedite patch and vulnerability management processes to minimise the window of exposure to potential attacks
Additional risks associated with use of AI language models. The SFC reminds Licensed Firms that use AI language models in their operations to address the increased and additional cyberattack risks arising from AI-assisted adversarial attacks against AI language models, data leakage and system prompt override. Any Licensed Firm that intends to adopt AI language models in its high-risk use cases is required to comply with the notification requirements under the Securities and Futures (Licensing and Registration) (Information) Rules, Cap. 571S.
Five areas for review and enhancement. The SFC identifies the following areas for review and enhancement by Licensed Firms:
patching and vulnerability management—a Licensed Firm should:
review and enhance its patching and vulnerability management processes
take prompt actions to address known vulnerabilities
implement adequate policies and procedures for handling urgent and critical fixes outside routine patching cycles, especially those affecting its business critical assets or components
allocate sufficient resources to handle potential surges in patching demands
access and privilege controls—a Licensed Firm should:
design system controls based on a “zero-trust” assumption, i.e. any user, device, privileged account or network component may be compromised
implement robust access and privilege controls and minimise attack surfaces
detection and monitoring—a Licensed Firm should:
strengthen its threat detection and monitoring of anomalies in client trading activities and system activities
improve its threat intelligence gathering capability
third-party supply chain risk management—a Licensed Firm should ensure proper management of cybersecurity risks associated with third-party service providers, and:
implement proper procedures to address AI-enabled threats targeting third-party service providers that support its critical operations and business critical assets or components
strengthen its third-party supply chain risk governance
enhance initial and ongoing assessments of third-party services, having regard to the latest threat landscape
incident response and recovery—a Licensed Firm should:
review and enhance its cybersecurity incident handling procedures and contingency plans to effectively handle AI-enabled cyberattacks that may result in unauthorised access to its networks and systems, leakage of sensitive information, and significant disruption of services
establish adequate escalation and reporting mechanisms and consider pre-planned containment and exploit-interruption strategies, including the ability to block malicious activities, isolate affected systems and restrict access rapidly, to counter the speed of AI-enabled attacks and the inadequacy of traditional detection-and-response processes
promptly notify the SFC of material cybersecurity incidents and attacks
implement backup strategies for backing up business records, client and transaction databases and supporting documentation on a regular basis, and implement proper measures to ensure the availability of the backup copies
Action points and takeaways for Licensed Firms
The Circular is a timely reminder that Licensed Firms should review and assess the effectiveness of their existing cybersecurity frameworks and controls, and make necessary changes or enhancements to address more frequent, more targeted, speedier cyberattacks with more extensive disruptive impact enabled or assisted by AI tools. Licensed Firms should seek advice and assistance from IT security experts as necessary.
Tackling the human weakness
From our experience in handling cybersecurity incidents, the human element remains a primary risk factor. While AI-enabled tools significantly amplify technical threat capabilities, the fundamentals have not changed. Human behaviour remains one of the most common root causes of cybersecurity breaches. Phishing, social engineering, deepfake impersonation of senior management or trusted counterparties, and insider threats continue to be among the most prevalent initial attack vectors, and AI-enabled tools are making these techniques more convincing and scalable than ever.
Licensed Firms should treat the human element as a core and distinct component of their cybersecurity risk programme, implementing regular and targeted staff awareness training, simulated phishing exercises, robust behavioural controls around privileged accounts and clear protocols for verifying requests involving sensitive data or financial transactions.
Building a robust cybersecurity programme
In building a robust cybersecurity programme, Licensed Firms should also take a holistic view of their attack surface, one that extends well beyond patching and technical vulnerabilities. The attack surface of every organisation is different but key considerations include:
The implementation of strong access control frameworks and privileged access management (PAM) to restrict, monitor and audit the use of elevated accounts;
Proper network segmentation and micro-segmentation to contain lateral movement in the event of a breach;
The ring-fencing of backup environments so they cannot be reached or compromised during an active attack; and
Rigorous third-party vendor management to address supply chain risks, including AI-enabled threats targeting critical service providers.
As the Circular expressly identifies, robust access and privilege controls, zero-trust network architecture and comprehensive third-party supply chain risk governance are all essential components of a sound cybersecurity framework. Crucially, however, no cybersecurity programme can be truly effective if it is applied as a generic standard—there is no one-size-fits-all. Each Licensed Firm should develop and maintain a programme that is calibrated to its specific operational profile, risk environment, and in particular the human element unique to that organisation: the behaviour, culture, security awareness and risk appetite of the people who operate within it.
Practice makes perfect—conducting realistic tabletop exercises and simulated attack scenarios
Cybersecurity risk is qualitatively different from other operational risks faced by Licensed Firms and should be treated accordingly. Unlike most categories of business disruption, a serious cyberattack has the potential to cripple an organisation with exceptional speed, simultaneously impairing its ability to operate systems, communicate internally and externally, access its own data and serve clients, while also exposing confidential information and client assets to ongoing harm. The velocity at which a cyber crisis can escalate, and the volume of concurrent workstreams that must be managed in parallel, encompassing technical containment and eradication, digital forensics, parallel regulatory and legal analysis, client and counterparty notifications, ransom negotiation considerations, crisis communications and regulatory reporting, can rapidly overwhelm even a well-resourced organisation that has not prepared adequately. Critically, these workstreams compete simultaneously for senior management attention and decision-making capacity, with each hour of delay potentially compounding the harm.
Licensed Firms must therefore go beyond having an incident response plan on paper. A plan that has never been tested is of limited value when a real crisis strikes. Firms should regularly rehearse their response capabilities through realistic tabletop exercises and simulated attack scenarios—conducted not only with internal teams, but alongside their external Digital Forensics and Incident Response (DFIR) providers and breach counsel. This practice ensures that roles, escalation pathways, decision-making authority, regulatory notification obligations and timelines, and external communications strategies are thoroughly understood and internalised before a crisis occurs, not discovered for the first time in the midst of one.
Conclusion
Cybersecurity is a governance and business resilience issue on a firm level, and not merely an IT issue. Senior management of a Licensed Firm is ultimately responsible to the SFC for managing cybersecurity risks. The SFC may issue further guidance, conduct reviews to assess Licensed Firms’ preparedness and resilience in responding to cybersecurity incidents, and take supervisory action where appropriate.
Reading materials
SFC urges licensed firms to guard against emerging AI-enabled cyber threats