Cyber security

As digital transformation accelerates across the global financial services sector, cybersecurity is evolving from a purely operational concern into a core strategic priority. For banks in Hong Kong and globally, the cyber threat landscape continues to increase in both complexity and intensity, demanding a fundamental rethinking of how cyber risk is governed, managed and mitigated.

The volume, velocity and sophistication of cyberattacks have risen significantly over the past 12 months. Threat actors are deploying advanced techniques, including AI and automation, to exploit vulnerabilities with increasing precision and speed. Financial institutions are seeing more frequent and complex attacks that are harder to detect and mitigate.

At the same time, banks are under pressure to accelerate their digital agendas. From institutional to retail banking, technology investments are being made across the enterprise, often outpacing the capacity of security teams to embed controls. This creates a strategic tension between innovation and security—where banks must find ways to go faster, without compromising their risk posture. To respond to this challenge, Chief Information Security Officers should focus on:

1. Ensuring foundational controls such as identity and access management are enterprise-wide, automated and embedded
2. Strengthening security operations centres with unified threat intelligence platforms and automated response capabilities
3. Enhancing incident response and resilience planning to prepare for sophisticated and targeted cyber events
4. Embedding security into agile and cloud-native development environments

Automation should now be viewed as a foundational enabler—not only to improve efficiency but to keep pace with the speed at which both threats and business requirements are changing. By automating identity governance, patch management, threat detection, and incident response, banks can reduce response times and improve consistency across their security operations.

While keeping pace with global trends in cybercrime, Hong Kong banks should also navigate a number of local pressures that are shaping their cybersecurity and risk priorities. One of the most immediate challenges is managing third-party risk. As the banking sector becomes more reliant on external service providers—including cloud platforms and fintech partners—regulators are increasing their expectations around oversight and accountability. Banks are now required to demonstrate end-to-end visibility across their vendor ecosystems, with clear governance frameworks and contingency plans in place to manage service disruptions and data breaches. The HKMA and other regulatory bodies have issued regular guidance on outsourcing and third-party risk, reinforcing the need for robust due diligence and ongoing monitoring practices.

Another area of growing importance is the evolving digital asset regulatory framework, particularly in relation to stablecoins. In May the Hong Kong government welcomed the passage of the Stablecoins Bill by the Legislative Council, which will provide better protection for the general public and investors. Under the new regime, entities that issue or facilitate the trading of fiatreferenced stablecoins will be subject to licensing and oversight by the HKMA.

For banks, this regulatory clarity opens the door to a broader range of potential roles in the stablecoin value chain, including acting as custodians, settlement agents, distributors, or even issuers. However, these opportunities are accompanied by heightened cyber risks. Stablecoin infrastructure—particularly when deployed on public or permissioned blockchains—introduces new attack surfaces, including smart contract vulnerabilities, wallet security issues, and the risk of unauthorised token issuance or manipulation. The decentralised nature of these platforms further complicates incident response and remediation.

Banks exploring participation in the stablecoin ecosystem should prioritise cybersecurity governance from the outset with the aim of ensuring that customer-facing applications are protected against fraud and misuse. Additionally, banks should be prepared to demonstrate to regulators that their digital asset activities are adequately safeguarded and compliant with anti-money laundering and counter-terrorist financing requirements.

As criminal actors increasingly adopt the same advanced technologies that banks use for detection and prevention, the financial crime threat environment is likely to become even more complex. Banks should prepare by focusing on strategic technology investments, proactive human oversight, and fostering increased collaboration with regulators and the wider financial ecosystem.