Introducing JSM
Homegrown.
Global outlook.
Our story is more than 160 years old. It is a story that demonstrates the resilience, spirit and strength the people of Hong Kong are renowned for, as our city grew from the small provincial port in Southern China to become the leading global financial and legal centre that it is today.
When the world has changed so has our firm – always taking the initiative to find the best course through unchartered territory for our clients, the community and our people.
Our story is more than 160 years old. It is a story that demonstrates the resilience, spirit and strength the people of Hong Kong are renowned for, as our city grew from the small provincial port in Southern China to become the leading global financial and legal centre that it is today.
When the world has changed so has our firm – always taking the initiative to find the best course through unchartered territory for our clients, the community and our people.
Insights
Latest publications
We are delighted to present the fourth issue of JSM International Arbitration newsletter, continuing our commitment to delivering timely insights into key developments shaping the arbitration landscape in Hong Kong, Chinese Mainland and beyond.
Covering the period from October to December 2025, this edition spotlights recent judgments from Hong Kong, Chinese Mainland and the UK that underscore evolving judicial attitudes.
In particular, cases headlined here note judgments on granting anti-suit injunction; showing a genuine intention to arbitrate when it comes to dismissing or staying a winding-up petition; applicability of the O.50 r.11-15 stop notice and order regime; the distinction between “contract for fraud” and fraud affecting arbitration process; and the US enforcement of a CIETAC arbitration clause in a cross-border procurement dispute.
In addition to case law analysis, this issue also reflects on industry trends and legislative updates, in particular changes in the Chinese approach towards interim measures under the new PRC Arbitration Laws and Securities and Futures Arbitration Rules adopted by the Beijing Arbitration Commission and Shanghai Arbitration Commission.
Whether you’re a seasoned practitioner or new to the field, we hope this newsletter continues to be your go-to resource for latest arbitration news and perspectives.
Notable Hong Kong cases | Chinese Mainland arbitration updates | Overseas jurisdictions observations
Court of Appeal finds merits relevant in dismissing application for interim anti-suit injunction against Cayman winding-up proceedings pending appeal
Hyalroute Communication Group Limited v Industrial and Commercial Bank of China (Asia) Limited [2025] HKCA 936
21 October 2025
Summary: The plaintiff’s application for an injunction to restrain the defendant from commencing winding-up proceedings in the Cayman Islands in favour of arbitration in Hong Kong was previously dismissed by Recorder William Wong SC in the Hong Kong Court of First Instance (see our legal update on the decision).
The plaintiff appealed and, pending determination of the appeal, made a renewed application for an interim anti-suit injunction (ASI). Amongst others, the court must be satisfied the appeal has a real prospect of success.
In finding the plaintiff had not shown a real prospect of success in the appeal, the Hong Kong Court of Appeal held that the merits of the plaintiff’s defence as to the petitioning debt were a relevant consideration and refused to grant an ASI.
Applying Re Guy Kwok-Hung Lam (2023) 26 HKCFAR 119 and Re Simplicity & Vogue Retailing (HK) Co Ltd [2024] 2 HKLRD 1064, the court affirmed the position under Hong Kong law that (i) an ASI would normally be granted in respect of winding-up proceedings brought in breach of an arbitration agreement in the absence of strong reasons; and (ii) the lack of any bona fide dispute to the petitioning debt may constitute an abuse of process as well as a strong reason not to grant an ASI.
In this case, the plaintiff had advanced an estoppel argument based on purported representations by the defendant regarding termination of the insurance contract in question. This defence was held to be hopeless and frivolous at first instance. Subsequently, the Court of Appeal was not satisfied that the defence was reasonably arguable.
It follows that while the plaintiff’s grounds of appeal relating to the construction of the arbitration agreement – namely whether the scope of the arbitration agreement was limited to disputes that would be finally resolved in a non-contractual forum – was reasonably arguable, even if the Court of First Instance had erred on this construction issue, such an error would not have assisted the plaintiff’s application, unless there was a reasonably arguable appeal in respect of the merits of the plaintiff’s defence.
Takeaway: The case represents the first time the Court of Appeal commented on the relevance of merits of the debtor’s defence when assessing interim ASI applications in aid of Hong Kong arbitration, set against a backdrop of foreign winding-up proceedings. Notwithstanding the lower bar established in Re Guy Lam (as compared with the Privy Council’s jurisprudence) for a stay of winding-up proceedings in favour of arbitration, if there is a lack of any bona fide defence to the debt, this may be seen as an “abuse of process” which remains an important consideration – even in the context of interim ASIs.
Stay tuned for further update on the substantive appeal.
Link to judgment
Hong Kong court provides guidance on the “genuine intention to arbitrate” factor under Re Guy Lam and Re Simplicity
Re Xu Peixin [2025] HKCFI 5846
27 November 2025
Summary: In 2017, Xu Peixin (“Xu”) purportedly guaranteed to Fruitful Worldwide Limited (“FWL”) the due performance by Bliss Chance Global Limited (“BCGL”) of its obligations under an investment agreement (the “Agreement”) between FWL, BCGL and another company (the “Guarantee”). The Guarantee contained an HKIAC arbitration clause.
FWL later alleged non-payment of dividends payable under the Agreement. Having issued a statutory demand against Xu, FWL presented a bankruptcy petition (the “Petition”) in August 2024. This was opposed by Xu, who in the notice of intention to oppose the petition contended that the dispute should be referred to arbitration.
Several months later, Xu issued a letter requesting FWL to agree to submit the matter to arbitration, which led to further correspondence as to which party should issue a notice of arbitration. In the end, Xu commenced arbitral proceedings in June 2025.
Upon Xu’s application to dismiss or stay the Petition, FWL contended that Xu had failed to show a genuine intention to arbitrate – one of the considerations that the ourt may take into account when adopting the multi-factorial approach under Re Guy Kwok-Hung Lam (2023) 26 HKCFAR 119 and Re Simplicity & Vogue Retailing (HK) Co Ltd [2024] 2 HKLRD 1064 in deciding whether to decline to exercise its insolvency jurisdiction and instead hold the parties to their arbitration agreement.
On this issue, the Hong Kong Court of First Instance held that:
Although the most straightforward way for a putative debtor to demonstrate a dispute which should be determined pursuant to an arbitration clause is to serve a notice of arbitration, the same can be done by writing to the claimant, informing him that the debt is disputed and that the dispute should be referred to arbitration.
In most cases, the claimant (in this case FWL) will be the appropriate party to commence arbitration proceedings. If this is the case and the claimant is invited to commence an arbitration, this will generally suffice to demonstrate a genuine intention to arbitrate.
The fact that a debtor does not express an intention to arbitrate until after a petition is presented does not mean that the arbitration clause ceases to be relevant.
Service of a notice in opposition to the petition, which states that the debt is disputed and that the dispute should be arbitrated, will commonly be sufficient to show a genuine intention to arbitrate if coupled with a clear and reasoned proposal that the claimant commence the arbitration process.
The sooner that the debtor makes plain his desire to arbitrate, the more straightforward the matter becomes and, absent the claimant showing either that the grounds for disputing the debt are frivolous or that an insolvency consideration justifies presentation of a petition, the court will dismiss the petition.
Here, even though Xu’s solicitors waited six months after the notice in opposition was served to write to FWL requesting commencement of arbitration, this was not fatal. The court ultimately dismissed the Petition on the basis that the defence of estoppel – namely that Xu had been assured the Guarantee was purely a formality – could not be said to be frivolous.
Takeaway: This case indicates that when it comes to applying for dismissal or stay of winding-up proceedings in favour of arbitration, the burden on the purported debtor to demonstrate a genuine intention to arbitrate may not be an onerous one.
That said, upon being served a statutory demand and prior to being served a petition, it would be prudent to consider writing to the purported creditor to request that they commence arbitration. Otherwise, any subsequent post-petition reliance on the arbitration agreement might be seen as purely tactical and not showing a genuine intention to arbitrate, which is a risk that will increase as the delay persists.
Link to judgment
Hong Kong court confirms jurisdiction to grant stop orders in aid of foreign arbitrations
U.K. Prolific Petroleum Group Company Limited 𝘷 鑫都集团有限公司 [2025] HKCFI 4769
9 October 2025
Summary: The underlying dispute arose out of a memorandum executed among 鑫都集团有限公司 (“Xindu”), U.K. Prolific Petroleum Group Company Limited (“UKPPGC”, a BVI company) and two other parties, with Xindu claiming entitlement to 20% of UKPPGC’s shares and convertible bonds (the “Subject Securities”) in China Energy Development Holdings Limited (the “ListCo”) under the memorandum.
When Xindu issued a stop notice over the Subject Securities under O.50 r.11 of the Rules of the High Court, UKPPGC applied to discharge it, which led to a further application by Xindu for a stop order under O.50 r.15 to restrain ListCo and its share registrar from registering the transfers of the Subject Securities or issuing new certificates.
Shortly after, Xindu commenced arbitration in the Shenzhen Court of International Arbitration (SCIA) seeking, inter alia, a declaration of its entitlement to the Subject Securities.
Hearing these applications, the Hong Kong Court of First Instance considered the novel issue of whether it has jurisdiction to seal stop notices and grant stop orders under O.50 rr.11-15 in aid of foreign arbitrations absent substantive Hong Kong proceedings.
The court held in the affirmative, noting that the rationale of the O.50 r.11-15 regime is to preserve the shares in specie while there is an unresolved dispute as to the entitlement to the shares. Such purpose would be frustrated if restrictions based on where and how the dispute is to be resolved are superimposed.
The court ultimately decided that the circumstances gave rise to serious issues to be tried – justifying exercise of the court’s discretion to grant a stop order.
Nevertheless, in view of new documents adduced by UKPPGC and to align with the quantum claimed in the SCIA arbitration, the court lowered the amount of securities subject to the stop order – and Xindu was granted leave to file an amended stop notice reflecting the downwards adjustment.
Takeaway: This case confirms the potential of O.50 rr.11-15 machinery to be used for obtaining interim measures to support foreign arbitrations of shareholders’ disputes, even if no substantive court proceedings have been commenced in Hong Kong. That said, practitioners should be mindful that the court will carefully examine what exactly is being asked of the arbitration tribunal, such that the scope of any stop order granted must be aligned with the relief sought in arbitration.
Link to judgment
HKIAC announces expansion of expedited procedure and fee updates
17 December 2025
Summary: The Hong Kong International Arbitration Centre (HKIAC) announced updates on the scope of its expedited procedure and fee schedules under its Administered Arbitration Rules on 17 December 2025. These changes apply to all cases filed with HKIAC on or after 1 January 2026 under such Rules.
Key updates include:
Expanding the scope of expedited procedure by doubling the monetary threshold of the maximum amount in dispute from HK$25 million to HK$50 million. Parties may apply to the HKIAC for expedited procedure where the amount in dispute representing the aggregate of any claim and counterclaim (or any set-off defence or cross-claim) does not exceed this figure
Raising the registration fee from HK$8,000 (which remained unchanged for 12 years) to HK$10,000 across all cases regardless of dispute size
Raising the cap on arbitrators’ hourly rates from HK$6,500 to HK$7,500, the first adjustment since 2013. HKIAC also remains one of few global institutions where parties are given a choice between hourly rates and the ad valorem fee model
Takeaway: The increased monetary threshold for the expedited procedure reflects market practice and continuing demand for flexibility and efficiency in arbitration proceedings. The HKIAC continues to provide transparent and flexible fee structures which remain competitive despite the measured increases. Overall, the changes are welcome as the HKIAC continues to deliver world-class arbitration services while maintaining affordability.
Link to HKIAC announcement
Link to revised fee schedule
Industry dynamics – Changes in the Chinese approach towards interim measures under new Chinese Mainland Arbitration Laws which now permit tribunals to grant interim measures
Summary: Comprehensive revision of the PRC Arbitration Law – which passed in September 2025 and comes into force on 1 March 2026 (the “Revised Law”) – introduces a modernised framework for interim measures in arbitration.
Historically, only courts in Chinese Mainland could grant interim relief, which could lead to delays and somehow limit a tribunal’s power to achieve the goal for a speedy and just resolution of disputes by arbitration.
Under the new law, arbitral tribunals seated in Chinese Mainland may also issue interim measures, including asset preservation, evidence preservation and conduct preservation.
This reform aligns Chinese Mainland with international standards such as the UNCITRAL Model Law and significantly enhances procedural efficiency. The amendments also clarify application procedures, enforcement mechanisms, and judicial support for tribunal-ordered measures, reducing reliance on court intervention and strengthening the enforceability of arbitral decisions.
Takeaway: The revised amendments mark a pivotal shift in Chinese Mainland’s arbitration landscape. Parties to PRC-seated arbitrations can expect greater flexibility and responsiveness through tribunal-issued interim measures.
Link to the revised PRC Arbitration Law
US court enforces CIETAC arbitration clause in cross-border procurement dispute over alleged kickbacks
18 December 2025
Summary: The underlying dispute concerns a US company’s (the “Plaintiff”) claims of tortious interference and fraud, as well as contraventions of the Robinson-Patman Act (relating to commercial bribes) against two Chinese manufacturers (the “1st and 2nd Defendants”) for allegedly giving kickbacks to a former employee on the Plaintiff’s procurement team in exchange for business with the Plaintiff.
Following the Plaintiff’s commencement of an action in the United States District Court for the Southern District of New York (the “US Court”), the Defendants put forward a motion to stay the proceedings in favour of arbitration.
The sales contract between the Plaintiff and the 1st Defendant provided that the parties would settle all disputes arising from the execution of or in connection with the contract first through negotiation, failing which the dispute would be referred to the China International Economic and Trade Arbitration Commission (CIETAC) for arbitration in Beijing (“1st Arbitration Clause”).
The contract between the Plaintiff and the 2nd Defendant similarly provided for the referral of all disputes arising from or in connection with the contract to CIETAC for arbitration. However, it also stipulated that the arbitration would be conducted in accordance with the CIETAC Arbitration Rules (the “Rules”) in force at the time of such arbitration (“2nd Arbitration Clause”).
The US Court granted both the 1st and 2nd Defendants’ motions to stay the litigation in favour of arbitration, on the following basis:
The Plaintiff’s allegations of the illegitimate competitive advantage enjoyed by the 1st Defendant and the resultant economic loss suffered by the Plaintiff indicated that their dispute was closely connected with the contract and therefore fell squarely within the ambit of the 1st Arbitration Clause; and
As against the 2nd Defendant, the substance of the Plaintiff’s case did not even have to be considered by the US Court, since the 2nd Arbitration Clause gives effect to the Rules which in turn empower the arbitral tribunal to decide questions of jurisdiction. Incorporation of the Rules was clear evidence of the parties’ intention to delegate the issue of arbitrability to the tribunal.
Takeaway: CIETAC observes that this decision reflects the strong pro-arbitration approach of US courts and offers two key insights for drafting cross-border procurement contracts:
Effect of broadly worded arbitration clauses: Phrases such as “arising from or in connection with” can extend the arbitrability of procurement disputes to statutory and tortious claims arising from the performance of the contract.
Incorporating institutional rules matters: Express incorporation of institutional rules (e.g. the Rules in this case) may operate as a delegation clause, ensuring that questions of arbitrability are generally determined by the arbitral tribunal rather than the court. Well-drafted arbitration clauses remain a critical safeguard against litigation risk.
Link to CIETAC article
Industry dynamics – Beijing Arbitration Commission and Shanghai Arbitration Commission adopt new Securities and Futures Arbitration Rules to elevate financial dispute resolution
29 December 2025
Summary: The Beijing Arbitration Commission (BAC) has adopted the Securities and Futures Arbitration Rules (《证券期货仲裁规则》) which came into force on 1 November 2025. It introduced a specialised yet flexible framework for resolving contractual and property-rights disputes in securities and futures-related transactions.
Following Beijing’s reforms, the Shanghai Arbitration Commission (SAC) has similarly adopted its own set of Securities and Futures Arbitration Rules (《证券期货仲裁规则》) (collectively, the “Two Rules”), set to take effect on 1 March 2026.
Key features of the Two Rules include a specialised arbitrator panel, expedited and electronic procedures, mechanisms for test cases and consolidation of cases, and integration of mediation and settlement options, aligning with global best practices for financial sector arbitration.
Takeaway: The Two Rules signal a major step towards faster, cost-effective arbitration in Chinese Mainland’s financial sector, boosting efficiency and global confidence in cross-border securities and futures disputes.
Link to BAC article
Link to SAC article
Beijing Arbitration Commission establishes branch in Hong Kong – eyes status as international commercial arbitration centre
9 October 2025
Summary: In response to the recent revision of the PRC Arbitration Law, the 19th Session of the Standing Committee of the 16th Beijing Municipal People’s Congress adopted the Regulation on the Construction of the Beijing International Commercial Arbitration Centre (《北京国际商事仲裁中心建设条例》) (the “Regulation”) on 26 September 2025. It took effect on 1 December 2025.
The Regulation addresses the aim to support Beijing’s development as a preferred venue for international commercial arbitration by enhancing institutional autonomy, promoting international cooperation and establishing a centralised platform for dispute resolution services. It also introduces mechanisms to align with global arbitration standards, including support for ad hoc arbitration, digital procedures and cross-border legal collaboration.
In parallel with these developments, the Beijing Arbitration Commission (BAC) officially launched its Hong Kong Centre on 12 November 2025, marking its first overseas branch and a major step in expanding its global footprint.
The Hong Kong Centre will serve as a service and management hub for the BAC’s international arbitration cases, recommend Hong Kong as a preferred seat to global parties, and operate under the revised BAC International Arbitration Rules, which are aligned with the UNCITRAL Model Law on International Commercial Arbitration and the Hong Kong Arbitration Ordinance.
Takeaway: Beijing’s new Regulation marks a significant step in positioning the city as a global commercial arbitration hub, introducing modern mechanisms that foster flexibility, global alignment and digital innovation in dispute resolution. This Regulation is especially timely as the BAC is establishing a branch in Hong Kong, enhance cooperation between two cities both recognised as leading international arbitration centres.
Link to BAC article on the Regulation
Link to BAC article on the Hong Kong Centre
English High Court stresses distinction between “contract for fraud” and fraud affecting arbitration process
K1 & Ors v B [2025] EWHC 2539 (Comm)
7 October 2025
Summary: B (the “Defendant”) had obtained a US$3.2 million award (the “Award”) in an LCIA arbitration against three companies (the “Claimants”) found payable as a success fee for services provided under a letter of engagement (LOE).
The Claimants first filed a challenge against the Award under section 67 of the Arbitration Act 1996 (the “Act”), arguing that the LCIA tribunal lacked jurisdiction because the Claimants were not bound by the LOE and the arbitration agreement.
Pending the hearing of this challenge, the Claimants applied to mount an additional challenge based on serious irregularity under section 68(2)(g) of the Act (i.e., where “the award [is] obtained by fraud” or “the award or the way in which it was procured [is] contrary to public policy”). They contended that the LOE was a “contract for fraud” – a contract for provision of services to obtain, by deception, confidential information from foreign state officials or authorities.
The English Commercial Court dismissed the Claimants’ application to include the additional section 68 challenge – reaffirming that the focus of the section is not on the underlying claim or cause of action, but rather on the parties’ conduct in arbitration and process by which the award was obtained. In this case, the Claimants’ complaint about fraud related to the merits of the Defendant’s contract claim. They had not raised the issue during the arbitration, nor was there any suggestion of interference with the arbitration process. The Claimants therefore could not now resort to section 68 to challenge the Award.
However, the court left open the question of whether the Award should be enforced where enforcement would be contrary to public policy, as the question of enforcement was not for determination in this application.
Takeaway: This case may be of relevance to arbitration practitioners in Hong Kong since section 4(2)(g) of Schedule 2 to the Arbitration Ordinance (Cap. 609) (if opted in under the relevant arbitration agreement) similarly provides that an award may be challenged on the grounds that it is obtained by fraud. Before relying on an alleged fraud either during arbitration or when contesting the resulting award, parties need to recognise the difference between a “contract for fraud” and “fraud affecting the arbitration process”. It is important that they choose the appropriate strategy for their case based on such distinction.
Link to judgment
Newsletters
11 February 2026
Legal updates
11 February 2026
On 10 February 2026, the Hong Kong government announced that the Chief Executive in Council has endorsed the Minimum Wage Commission’s recommendation to increase the statutory minimum wage (SMW) from HK$42.1 per hour to HK$43.1 per hour. This represents an increase of HK$1 per hour, or 2.38%.
In tandem with the upward adjustment to the SMW rate, the monthly threshold for keeping records of hours worked by employees in a wage period will also be increased to HK$17,600 (currently at HK$17,200) per month. In other words, an employer will only be exempted from such record keeping requirement if the wages payable to the employee for the relevant wage period are not less than HK$17,600 per month.
The above proposed amendments are scheduled to be tabled in the Legislative Council on 25 February 2026. Subject to the Legislative Council’s approval, it is expected that the amendments will come into effect on 1 May 2026.
Employers and HR practitioners should keep an eye on the developments in this regard and review their employment arrangements to ensure compliance with the new SMW rate (once it comes into force).
See here for the press release issued by the Hong Kong government.
Legal updates
19 January 2026
In today’s digital era, critical infrastructure – from power and public utilities to transport and communications – has become a frequent target of malevolent hackers, threatening unimaginable chaos to a city like Hong Kong. The frontline is no longer bounded by geographical boundaries.
To defend society’s functioning, economy and public safety against this constant threat of severe disruption, Hong Kong’s new Protection of Critical Infrastructures (Computer Systems) Ordinance (Cap.653) (Ordinance), together with its Code of Practice (CoP) guidelines for gatekeepers at the front line of defence, came into effect on 1 January 2026.
For an overview of the Ordinance and key practical implications, please refer to our previous legal update.
The newly published CoP meanwhile provides practical, actionable guidance for Critical Infrastructure Operators (CI Operators), clarifying their statutory obligations and introducing new standards for the designation, management, and protection of Critical Computer Systems (CCSs).
This legal update provides an overview of the CoP, highlighting some practical implications for CI Operators.
Purpose and nature of the Code of Practice
Published by the Commissioner of Critical Infrastructure (Computer-system Security) (Commissioner) in consultation with designated authorities, the CoP provides CI Operators with practical guidance on how to comply with their obligations under the Ordinance.
While the CoP is not subsidiary legislation – meaning non-compliance itself does not automatically constitute an offence – the Commissioner may issue directions requiring CI Operators to take appropriate action in relation to compliance, with failure to comply an offence under the Ordinance.
Relevantly, the CoP sets out baseline requirements for protecting CCSs, clarifying that it is not intended to target personal data or trade secrets of CI Operators.
It should also be noted that the CoP is not related to any specific sector. CI Operators need to be aware that subsequent sectoral Codes of Practice may be issued by designated authorities, such as the Hong Kong Monetary Authority, and these should be referred to where applicable.
Overview of the CoP
The CoP is organised into sections covering the following areas:
Designation of CCSs and information required for designation (Section 3 – 4 of CoP).
Obligations of CI Operators, namely:
Category 1 obligations to: maintain office in Hong Kong; notify operator changes; and set up and maintain a computer-system security management unit (Section 5 of CoP);
Category 2 obligations to: notify material changes to certain computer systems; submit and implement computer-system security management plan; conduct computer-system security risk assessments; arrange to carry out computer-system security audits; and security measures for operational technology (Section 6 of CoP); and
Category 3 obligations to: participate in computer-system security drills; submit and implement an emergency response plan; and notify authorities of computer-system security incidents within strict time frames (Section 7 of CoP).
Annexures with template forms for notifications and compliance:
Notifying office address
Notifying changes of CI Operators
Notifying appointment of employee supervising CSS Management Unit
Notifying material changes to certain computer systems
Notifying computer-system security incident
Written report for computer-system security incidents
Outline methodology for computer-system security audit required under section 25 of the Ordinance
Sample contract clauses for external service providers
Practical implications for CI Operators
While CI Operators should observe all applicable requirements under the CoP, some key observations and practical implications include:
Expanded and clarified criteria for CCS designation (sections 3.1.3-3.1.4 of CoP): Systems that play a material role in core CI function, storage or processing of sensitive digital data used directly in provision of essential services, or closely linked to other CCSs or CI Operators, are likely to be designated. The CoP specifies it is irrelevant whether a system is isolated from the internet or whether its core function could be switched to manual processing as a standby solution. This is particularly relevant to CI Operators of operational technology (OT) hardware and software. Importantly, the CoP makes clear that CCS security systems such as firewalls, security gateways, and intrusion prevention systems, as well as backup facilities and high-availability systems, are also included within the scope of designation.
Why this matters: This expanded criteria is particularly significant for CI Operators utilising OT for critical functions, as this now falls under the scope of the CoP, which explicitly affirms that industrial control systems — including Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS) and Programmable Logic Controllers (PLC) — are considered “computer systems” under the Ordinance. Historically, industrial control systems relied on “air-gapping” or effective isolation from external networks as a natural security barrier. However, as industries embrace digital transformation, the convergence of OT and IT has become essential for monitoring operations and driving efficiency.
This increased connectivity introduces new vulnerabilities, which the CoP acknowledges by removing internet isolation as a defence against designation.
CI Operators must therefore recognise that legacy “air-gapped” environments or SCADA platforms are now squarely within the regulatory scope if they fulfil the critical functions defined in the Ordinance.
Clarifying requirements of computer-system security management unit (sections 5.3 and 6.2 of CoP): CI Operators are required to set up and maintain a computer-system security management unit under the Ordinance.
Although most organisations already have such a function, the CoP clarifies the necessity for a clear management structure in place for computer-system security, with lines of authority, roles and responsibilities of relevant personnel clearly set out.
The CoP makes clear that such units need not be based in Hong Kong.
The Ordinance also requires employees appointed to supervise the computer-system security management units to have “adequate professional knowledge in relation to computer-system security”. Examples of professional qualifications deemed appropriate include: Certified Information Security Professional (CISP), Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), Certified Information Systems Security Professional (CISSP). The CoP also provides a template form under Annex C for CI Operators to notify the Commissioner of such appointments.
Why this matters: Beyond the administrative setup, the Computer-System Security Management Plan is of critical significance as it places duty on the Board of Directors (or a delegated sub-committee or senior management). This document is the linchpin for ensuring CI Operators fulfil their statutory obligations under Schedule 3 of the Ordinance. It serves as the operational roadmap for compliance, covering areas frequently identified as high-risk in cybersecurity cases (which is consistent with our experience), including:
Risk Management Approach (Section 6.2.7 of CoP);
Security by Design (Section 6.2.8 of CoP);
Privileged Access Management (Section 6.2.11 of CoP);
Patch Management (Section 6.2.17 of CoP); and
Supply Chain Management (Section 6.2.25 of CoP).
This plan must be endorsed by the Board of Directors (or a delegated sub-committee or senior management). This requirement is substantial as it places responsibility for the CI Operator’s security posture squarely at the feet of the Board, ensuring that cybersecurity is treated not just as an IT issue – but critical governance priority.
Clarifying scope of computer-system security incidents (sections 7.3.2 – 7.3.4 of CoP): Usefully, the CoP clarifies that computer-system security incidents must involve access or acts without lawful authority that have an actual adverse impact on affected CCSs. This does not include incidents arising from pure technical failure, natural disasters, mass power outage, computer-system security threats that are promptly detected and removed or quarantined, or personal data breaches arising from human error.
In addition, the CoP lists computer-system security incidents to include large-scale Distributed Denial of Service (DDoS) attacks causing degradation of an essential services, ransom DDoS attacks, ransomware attacks that causes suspension of an essential service or shows signs of data compromise and unintended external connection to a CCS caused by malware infection or by an adversary exploiting a vulnerability.
Why this matters: It is critical for CI Operators to recognise the thresholds for when notification is to be triggered. A specific threat to launch an attack at a specified time, if likely to cause disruption or data leakage, is considered a “serious computer-system security incident”. This means the obligation to notify could be triggered even before an attack is executed.
This has significant operational implications: Such threats must be notified to the Commissioner within 12 hours of the CI Operator becoming aware of them. CI Operators must therefore ensure their incident response protocols are sensitive enough to detect and escalate credible threats immediately, rather than waiting for the attack to materialise.
Detailed obligation to submit and implement security management plans: CI Operators are required to develop, implement, and maintain comprehensive plans to protect the security of CCSs in accordance with Schedule 3 Part 1 of the Ordinance. Compliance should be ensured by fulfilling requirements stated under section 6.2.5-6.2.27, 6.3 to 6.5 of the CoP.
Key operational requirements include:
Logging and retention: Logs of certain CCS activities such as log-on attempts, privileged access and changes to access rights must be retained for a minimum of six months.
Assessment and audit: The plans must also provide for regular risk assessments and biennial audits, conducted by qualified professionals with appropriate certifications.
Governance and training: The organisational structure, roles and responsibilities of personnel involved in CCS operations must be clearly defined, with ongoing training programmes established to ensure that all staff are aware of their security responsibilities.
Supply chain management: CI Operators should ensure responsibility allocation with its suppliers is clearly defined and agreed in writing. The CoP provides some sample contract clauses for use with external service providers regarding liability for complying with the Ordinance (Annex H of the CoP). These clauses require the service providers / contractors to comply with the Ordinance, all applicable laws, and relevant codes of practice.
Why this matters:
“Living documentation”: Security management plans (and their related policies) should be considered as ‘living documents’. They need to be reviewed frequently and continually updated to reflect constantly evolving cybersecurity risks and even operational changes.
Ripple effect on contractors: Contractors are made responsible for actions of their personnel and subcontractors, and contracts should clearly set out deliverables, service levels, and compliance expectations. Although the Ordinance only applies to designated CI Operators, it will have a ripple effect as there are consequences for third parties doing business with them.
Clarifying participation in computer-system security drills (Section 7.1 of CoP): CI Operators will receive notification from the Commissioner to participate in computer-system drill assessing the validity and effectiveness of their emergency response plan, as well as participating personnel’s knowledge of their roles and responsibilities in security incident response. Drills will be required no more than once every two years. They may be in the form of tabletop exercise, functional exercise, simulated attack or by other means deemed appropriate by the Commissioner. The CoP states that CI Operator personnel required to participate include: management personnel, computer-system security management unit, emergency response team, public relations or corporate communications personnel and other personnel deemed necessary by drill scenario and CI Operator, such as cybersecurity insurer. CI Operators are also encouraged to include their nominated breach counsel in the drill.
Why this matters:
Compliance and institutional readiness: This requirement formalises the testing of incident readiness, shifting it from internal best practice to regulatory obligation. Beyond satisfying the statutory requirement, these drills are essential for building institutional muscle memory. By mandating the involvement of non-technical stakeholders, the CoP reinforces the reality that cyber incident response is not solely an IT function but a critical business continuity issue involving reputation management and high-level decision making.
Strengthening cohesion with external advisors: While the CoP lists cybersecurity insurers as potential participants, CI Operators are strongly encouraged to also include their nominated breach counsel or external legal advisors in these drills. Integrating legal counsel into the exercise is vital for practising how to establish and maintain legal professional privilege, manage liability exposure in real-time, and advise on legal issues arising from a breach. These are critical reflexes that must be honed in a simulated environment before a real crisis occurs to ensure the team is aligned on legal risks.
Incident response and business continuity planning are also emphasised (Section 7.2 of CoP): The CoP places significant emphasis on preparedness, mandating that CI Operators maintain robust emergency response plans. These plans must set out clear protocols for responding to computer-system security incidents, specifically covering three key areas:
Incident management: Procedures for detecting, analysing and containing incidents.
Business continuity: Strategies to maintain essential functions during a disruption.
Disaster recovery: Protocols for restoring data and systems to normal operation.
Crucially, these plans should be endorsed by senior management. As with security management plans, they should also be reviewed regularly – particularly following material changes to CCSs – and in any case at least once every two years.
Why this matters:
Tailored response is critical: There is no “one-size-fits-all” solution. Every emergency response plan must be carefully bespoke, dedicated specifically to ab organisation’s unique operational realities and risks. These plans also need to be tested through practising. From experience, incidents seldom unfold how the playbook expects. An unpractised plan is just a document; a practised plan is capability.
Ready-to-Go communications: A critical component is the communications plan, mandated by the CoP for communicating with internal and external stakeholders. To ensure speed and accuracy during a crisis, this should include pre-approved, “ready-to-go” internal and external communication templates.
Addressing the “Unwritten” gaps: While the CoP provides a baseline, prudent operators should go further. For example, the CoP does not explicitly mandate an out-of-band communications network, but having an alternative channel is vital if your primary infrastructure (such as the Active Directory) is compromised. Similarly, organisations should proactively develop their own internal ransom policy to guide decision making under pressure.
Key takeaways
The CoP introduces detailed operational standards that impact the governance, risk management and contractual arrangements of CI Operators. Beyond mere checklist compliance, the “practical implications” discussed here highlight several critical shifts in responsibility and strategy including:
Board-level accountability: Cybersecurity is no longer solely an IT issue. The requirement for Board endorsement of the Computer-System Security Management Plan places responsibility for the CI’s security posture directly on senior leadership.
Proactive threat reporting: The threshold for notification has lowered significantly. Credible threats must be reported within 12 hours, meaning operators must constantly monitor and escalate risks immediately, rather than waiting for an attack to materialise.
Institutional readiness: Security drills are now a regulatory obligation, not just a best practice. These exercises should build “institutional muscle memory” and include non-technical stakeholders, including external breach/legal counsel to manage privilege and liability.
Supply chain ripple effects: Security management plans must be treated as “living documents”, necessitating frequent updates that will inevitably impact third-party contractors through stricter contractual deliverables and liability clauses.
Given the complexity and potential legal exposure, CI Operators are strongly encouraged to consult with relevant professionals to ensure they comply with the Ordinance and CoP.
Early engagement with legal and technical advisors will help organisations navigate the new regulatory landscape, mitigate risks, and build resilience in the face of evolving cyber threats.
It is expected there will also be sectoral codes published subsequently, so compliance will not always be limited to the CoP.
JSM is well-placed to assist clients in their compliance journey with the Ordinance and CoP, leveraging our deep practical experience helping critical infrastructures navigate cybersecurity incidents and their legal exposure. We have a strong track record in conducting extensive incident response plan reviews and executive tabletop incident response workshops.
Legal updates
13 January 2026
1. Background
Virtual assets (VA) related activities are subject to regulatory regime under the Securities and Futures Ordinance, Cap. 571 Laws of Hong Kong (SFO) and/or the Anti-Money Laundering and Counter-Terrorist Financing Ordinance, Cap. 615 Laws of Hong Kong (AMLO).
The SFO regime applies to activities relating to VA that falls in the definition of “securities” or “futures contracts” under the SFO (Securities VA). The AMLO regime applies to VA not caught by those definitions (Non-securities VA).
The SFO regime is more comprehensive, covering dealing, advisory, asset management and custody activities relating to Securities VA. At present, the AMLO regime only covers operating VA exchange but not the other activities relating to Non-securities VA.
The Financial Services and the Treasury Bureau (FSTB) and the Securities and Futures Commission (SFC) jointly launched public consultations in June 2025 on proposed changes to the AMLO for establishing a licensing regime for dealing and custodian services relating to Non-securities VA.
Consultation conclusions were published on 24 December 2025, along with the launch of further public consultation on proposed changes to the AMLO for establishing the licensing regime for advisory and management services relating to Non-securities VA.11 The target is to introduce a bill to the Legislative Council in 2026.
2. Key takeaways
Alignment of AMLO regime and SFO regime
The expanded licensing regime for Non-securities VA will align with the licensing regime for Securities VA. Both regimes adopt an activity-based approach. This demonstrates the regulatory philosophy and policy of “same activity, same risks, same regulation” principle. Under the SFO, Type 122 licence is required for dealing, Type 433 licence is required for advisory, Type 944 licence is required for portfolio management, and Type 1355 licence is required for custodian services relating to Securities VA. Corresponding licence types are now expected to be established under the AMLO for Non-securities VA.
No transition or deeming arrangements
The FSTB and SFC do not plan to provide transition or deeming arrangements to existing Non-securities VA service providers. This is intended to offer optimal investor protection and avoid creating confusion over licensing status. Accordingly, the licensing regime will take full effect on commencement date(s) to be designated in due course. To alleviate practical difficulties arising from a “hard” commencement date, the Government and the SFC will take into account the time that market participants need to adjust their business models in deciding the appropriate commencement date(s). Existing service providers are strongly encouraged to initiate pre-application processes and early engagement with the SFC or (where the service provider is an authorized institution under the Banking Ordinance, Cap. 155 Laws of Hong Kong) the HKMA.
Expedited licensing and registration process for existing regulated entities
For entities licensed by the SFC under the present regulatory regime for VA-related activities and already engaged in the relevant licensed activities, the SFC will introduce an expedited licensing and registration process for them under the expanded AMLO regime.
Advancing market access and regulatory clarity
Under Pillar A (Access) of its ASPIRe roadmap66, the SFC aims to integrate Hong Kong with global liquidity to foster the continued growth of Hong Kong’s digital asset ecosystem and advance Hong Kong as a global hub for innovation. The enhanced VA regulatory framework offers comprehensive, integrated regulation across the full VA value chain and regulatory clarity.
3. High-level summary of proposed licensing requirements and criteria
(i) VA dealing
What amounts to dealing in Non-securities VA?
The proposed scope aligns with Type 1 licence for dealing in Securities VA under the SFO regime and covers any person, by way of business:
Making or offering to make an agreement with another person, or
Inducing or attempting to induce another person
to enter into or offer to enter into an agreement, with a view to acquiring, disposing of, subscribing for or underwriting Non-securities VAs.
Activities within scope may include payment service providers offering to buy or sell Non-securities VA to facilitate transactions, margin trading in Non-securities VA, Non-securities VA staking, Non-securities VA borrowing and lending, and possibly peer-to-peer transactions, or provision of decentralised or technological services if the activities fall within the scope of the licensing requirements having regard to their nature and substance.
Exemptions
Exemptions being considered by the FSTB and SFC include: transactions conducted through SFC-regulated VA dealers, transactions conducted as principal, intra-group transactions, use of Non-securities VA by purchasers of goods/services as payment for goods/services and stablecoin activities conducted by HKMA-licensed stablecoin issuers, as well as activities relating to Non-securities VA generated as rewards for ledger maintenance, or minted through SFC-regulated intermediaries.
(ii) VA custodian
What amounts to custody services for Non-securities VA?
The proposed scope aligns with the relevant scope of Type 13 licence for providing depositary services for relevant collective investment schemes under the SFO regime and covers:
Custodians which, by way of business, safekeep private keys or similar instruments enabling the transfer of Non-securities VA
Entities within scope may include associated entities of SFC-licensed VATPs, entities holding Type 13 licence under the SFO, and entities holding Type 9 licence under the SFO – if they provide VA custodian services by way of safekeeping the private keys (or similar instruments).
Exemptions
Exemptions being considered by the FSTB and SFC include top-layer trustees or fund managers delegating Non-securities VA custody to third-party custodians and HKMA-licensed stablecoin issuers only providing custody of stablecoins issued by them to clients.
Pending publication of the legislative bill setting out details of amendments to the AMLO, below is a high-level summary of some potential eligibility requirements and minimum criteria for obtaining licences for conducting Non-securities VA activities under the expanded AMLO regime.
VA dealing
VA custodian
Corporation
An applicant must either be:
(i) a locally incorporated company with a permanent place of business in Hong Kong, or (ii) a company incorporated elsewhere but registered in Hong Kong under the Companies Ordinance, Cap. 622 Laws of Hong Kong
Same as dealer
Financial resources
Except for banks which are subject to HKMA’s capital requirements, a dealer should have adequate financial resources for operating its Non-securities VA business. These include baseline financial resources of a minimum paid-up share capital of HK$5 million and a minimum required liquid capital of up to HK$3 million (depending on business model). The SFC will also retain flexibility to impose additional financial resources requirements where necessary (e.g. excess liquid capital equivalent to at least 12 months of its actual operating expenses)
Except for banks which are subject to HKMA’s capital requirements, a custodian should have adequate financial resources for operating its Non-securities VA business. These include baseline financial resources of a minimum paid-up share capital of HK$10 million and a minimum required liquid capital up to HK$3 million (depending on the business model). The SFC will also retain flexibility to impose additional financial resources requirements where necessary (e.g. additional requirements calibrated with reference to scale of business)
Fit and proper tests
The applicant, its substantial shareholders, ultimate owners, directors and personnel carrying out the dealing functions are required to satisfy the fit and proper tests prescribed by the SFC
Same as dealer
Responsible officers
At least two responsible officers approved by the SFC or two executive officers approved by the HKMA (as the case may be) to be generally responsible for ensuring compliance with anti-money laundering/counter-financing of terrorism requirements and other regulatory requirements, and be held personally accountable in case of non-compliance
Same as dealer
Knowledge, experience and risk management
A dealer is required to have proper corporate governance structure with suitable personnel having necessary knowledge and experience to discharge their responsibilities effectively, and to put in place appropriate risk management policies and procedures for managing money laundering/terrorist financing and other risks
Same as dealer
Conduct of business
A dealer is required to act honestly, fairly, with due skill, care and diligence, in the best interests of its clients and integrity of the market, as well as comply with all statutory and regulatory requirements applicable to the conduct of its business activities
Same as dealer
Financial reporting and disclosure
A dealer should observe prescribed auditing and disclosure requirements and submit audited accounts
Same as dealer
Record keeping
A dealer is required to maintain proper records in relation to its business activities, with the SFC/HKMA having right of access as part of the regulator’s ongoing supervision
Same as dealer
Investor protection
A dealer should put in place measures to ensure investor protection and suitability of its services and products, such as client VA knowledge assessment, client risk assessment and risk profiling, and prevent and disclose actual or potential conflicts of interest
The SFC is still formulating regulatory requirements for mitigating the risks associated with VA custodian services. The SFC will build upon the regulations established for VATPs and use the VATP Guidelines77 (particularly Chapter X on Custody of Client Assets) as baseline reference. The SFC will also actively engage the industry as part of its early engagement process in setting regulatory requirements
Use of SFC-regulated custodians
In the early stage, the SFC will require a dealer to custody client Non-securities VA with SFC-regulated VA custodian service providers to ensure proper asset segregation and reduce insolvency, fraud and cyberattack risks
N/A
Information and notification
A dealer will be required to submit a wide range of information (for example, details in respect of wallet addresses used in the course of business, scope and nature of business, types of services offered to clients)
Same as dealer
4. Further consultations on Non-securities VA advisory and management
Further consultation by the FSTB and SFC on establishing the licensing regime for advisory and management services relating to Non-securities VA is scheduled to end on 23 January 2026.
(i) VA advisory
What amounts to advising on Non-securities VA?
The proposed scope aligns with Type 4 licence for advising on Securities VA under the SFO regime and covers:
Giving advice on whether, which, the time at which, or the terms or conditions on which Non-securities VA should be acquired or disposed of, or issuing analyses or reports to facilitate such decisions
Other proposals
Financial resources: Minimum paid-up share capital of HK$5 million; and minimum required liquid capital of HK$100,000 (for not holding client assets) or HK$3 million (in any other case)
Exemptions: Similar exemptions to Type 4 licence under the SFO regime. These may include solely advising wholly-owned group companies, acts wholly incidental to licensed VA dealing or VA fund management, advice of solicitors/counsels/CPAs wholly incidental to their professional practice, acts wholly incidental to registered trust companies’ discharge of duties, etc.
(ii) VA management
What amounts to managing Non-securities VA?
The proposed scope aligns with Type 9 licence for portfolio management of Securities VA under the SFO regime and covers:
Providing a service of managing a portfolio of Non-securities VA for another person
Other proposals
Financial resources: Minimum paid-up share capital of HK$5 million; and minimum required liquid capital of HK$100,000 (not holding client assets) or HK$3 million (in any other case)
Custody requirements: The SFC is considering whether VA management service providers should safekeep the Non-securities VA of private funds they manage only with SFC-regulated VA custodians, or whether they should have the flexibility to appoint any custodian
Exemption: The SFC is considering whether to exempt self-custody by private fund/venture capital fund managers of Non-securities VA up to a limited threshold
5. Further reading
FSTB and SFC conclude consultations on virtual asset dealer and custodian regimes, further consult on two new regimes
Further Public Consultation on Legislative Proposal to Regulate Virtual Asset Advisory Service Providers and Virtual Asset Management Service Providers
Public Consultation on Legislative Proposal to Regulate Dealing in Virtual Assets
Consultation Conclusions Legislative Proposal to Regulate Dealing in Virtual Assets and Further Public Consultation Legislative Proposal to Regulate Virtual Asset Advisory Service Providers and Virtual Asset Management Service Providers
Public Consultation on Legislative Proposal to Regulate Virtual Asset Custodian Services
Consultation Conclusions Legislative Proposal to Regulate Virtual Asset Custodian Services
People
Find a lawyer
Learn more about our lawyers and the work they do for clients in Hong Kong, across the region and globally.
View all
Responsible business
Explore
Careers
At Johnson Stokes & Master, we provide a pathway for your professional growth and advancement. With our deep-rooted and extensive history, we invite you to explore current opportunities to join us, thrive in a supportive environment, and make a meaningful impact for our clients.
View more
