SFC urges licensed firms to guard against emerging AI-enabled cyber threats. Firms should reassess resilience as threats become faster, more targeted and harder to detect.
Artificial intelligence is rapidly reshaping the financial services landscape—not only as a driver of innovation, but also as an enabler of increasingly sophisticated cyber threats.
In its 2 June 2026 circular, the Hong Kong Securities and Futures Commission (SFC) urged licensed firms to strengthen their defences against emerging AI-enabled cyber risks. The circular reflects growing concern that advances in AI are accelerating both the frequency and complexity of cyberattacks, with direct implications for client protection and market integrity.
For intermediaries, internet brokers and virtual asset trading platforms, this is less about incremental compliance and more about adapting to a fundamentally different threat environment.
Cyber threats are becoming more adaptive and scalable
AI-enabled threats differ from traditional cyber risks in several important ways.
Attackers can use AI tools to rapidly identify vulnerabilities, automate attack execution and coordinate activities across multiple systems. At the same time, generative AI has significantly improved the quality of phishing campaigns and impersonation attempts, making them harder to recognise and more likely to succeed.
As these tools become more widely available, the barrier to launching sophisticated attacks continues to fall. This creates a more dynamic and unpredictable threat landscape, where incidents can escalate quickly and propagate across interconnected platforms. For financial institutions, the impact extends beyond technology systems to include client assets, sensitive data and operational continuity.
Strengthening fundamentals in a faster-moving environment
The SFC’s expectations build on established cybersecurity principles but place greater emphasis on timeliness and effectiveness.
Core practices such as patch management, system hardening and access controls remain critical. However, firms need to respond to vulnerabilities more quickly and maintain continuous visibility across their environments.
Monitoring capabilities also need to evolve. Static or rule-based approaches may no longer be sufficient in identifying emerging attack patterns, particularly those enabled by AI. More adaptive detection methods can help organisations recognise anomalies earlier and respond more effectively.
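To make the contrast between static, rule-based monitoring and a more adaptive, baseline-driven check concrete, here is an added illustration that is not part of the SFC circular or of RSM's material. It runs over a handful of constructed authentication log lines (invented for this example, not taken from any real system). A threshold rule of the "N failures in a short window" kind does not fire on a slow, spread-out pattern, while a per-user baseline of usual source addresses and login hours flags every event in that pattern, including the final successful login. The log format, field names and the cut-off used to separate the learning period from the monitored period are all assumptions of the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines for this example only (not from the page or any real system).
SAMPLE_LOG = """\
2026-06-02T09:01:00 user=alice src=10.0.0.5 result=success
2026-06-02T09:03:00 user=alice src=10.0.0.5 result=success
2026-06-02T09:10:00 user=bob src=10.0.0.7 result=success
2026-06-02T10:00:00 user=alice src=10.0.0.5 result=success
2026-06-02T11:00:00 user=bob src=10.0.0.7 result=success
2026-06-02T12:00:00 user=alice src=10.0.0.5 result=success
2026-06-02T13:00:00 user=bob src=10.0.0.7 result=success
2026-06-02T22:00:00 user=alice src=203.0.113.9 result=fail
2026-06-02T22:40:00 user=alice src=203.0.113.9 result=fail
2026-06-02T23:20:00 user=alice src=203.0.113.9 result=fail
2026-06-03T00:05:00 user=alice src=203.0.113.9 result=success
"""

# Assumed log layout: ISO timestamp followed by key=value fields.
LINE_RE = re.compile(
    r"(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)"
)


def parse(text):
    """Turn the raw log text into a list of event dicts with parsed timestamps."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.fromisoformat(d["ts"])
            events.append(d)
    return events


def static_rule(events, threshold=3, window=timedelta(minutes=10)):
    """Classic static rule: alert on `threshold` failures from one source within `window`.

    Returns the set of source addresses that triggered the rule.
    """
    alerts = set()
    by_src = defaultdict(list)
    for e in events:
        if e["result"] == "fail":
            by_src[e["src"]].append(e["ts"])
    for src, times in by_src.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            if j - i >= threshold:
                alerts.add(src)
    return alerts


def baseline_anomalies(events, learn_until):
    """Adaptive check: learn each user's usual sources and hours from successful logins
    before `learn_until`, then flag later events that deviate from that baseline.

    Returns a list of (user, src, result, reasons) tuples in log order.
    """
    profile = defaultdict(lambda: {"srcs": set(), "hours": set()})
    for e in events:
        if e["ts"] < learn_until and e["result"] == "success":
            profile[e["user"]]["srcs"].add(e["src"])
            profile[e["user"]]["hours"].add(e["ts"].hour)
    anomalies = []
    for e in events:
        if e["ts"] < learn_until:
            continue
        p = profile[e["user"]]
        reasons = []
        if e["src"] not in p["srcs"]:
            reasons.append("new source")
        if e["ts"].hour not in p["hours"]:
            reasons.append("unusual hour")
        if reasons:
            anomalies.append((e["user"], e["src"], e["result"], reasons))
    return anomalies


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("static rule alerts:", static_rule(evs))
    for a in baseline_anomalies(evs, datetime(2026, 6, 2, 20)):
        print("baseline anomaly:", a)
```

The static rule stays silent because the three failures are forty minutes apart, wider than its ten-minute window; widening the window or lowering the threshold would catch this pattern but also raise the false-positive rate on ordinary mistyped passwords. The baseline check instead asks whether an event fits what is normal for that account, which is why it also surfaces the eventual successful login, the event that actually needs a response.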
Incident response planning is another area of focus. Firms should be prepared for scenarios involving simultaneous or large-scale disruptions, including those affecting third-party providers.
Managing risk across an interconnected ecosystem
Digital transformation has increased reliance on cloud platforms, vendors and external service providers. While this enhances flexibility and scalability, it also expands the overall attack surface.
AI-enabled threats can exploit weaknesses across these interconnected environments, meaning risks are no longer confined within organisational boundaries. As a result, firms need stronger oversight of third-party arrangements, supported by ongoing monitoring and clear accountability structures.
Governance and accountability remain central
The SFC reiterates that senior management plays a critical role in maintaining cyber resilience.
Effective governance requires more than periodic review. It depends on clear ownership, timely risk reporting and coordination across technology, risk and business functions. As cyber threats evolve, decision-making processes must be able to respond with appropriate speed and clarity.
Embedding cybersecurity within enterprise risk management helps ensure that resilience is aligned with broader business priorities, including client protection and regulatory compliance.
From AI adoption to AI-enabled defence
Recent industry efforts have focused on the responsible adoption of AI — establishing governance frameworks and managing model risks. The SFC’s latest circular signals the next phase: preparing for how AI is used externally by threat actors.
This shift is prompting organisations to consider more adaptive approaches to cybersecurity, including enhanced analytics, automation and continuous threat intelligence.
Over time, firms may increasingly adopt an AI-enabled defence model, using advanced technologies to anticipate and respond to emerging risks.
Cyber checklist
⇒ How robust is our cybersecurity risk assessment against AI-enabled threats?
⇒ Are our cybersecurity policies and controls regularly updated to address emerging AI risks?
⇒ How effective are our cyber resilience frameworks (incident response plan, business continuity plan and disaster recovery plan) under large-scale or coordinated attacks?
⇒ Do we have sufficient investment in cyber capabilities, including detection, monitoring, and staff training?
⇒ Are senior management and the board actively overseeing cyber resilience?
How RSM can help
RSM supports organisations in strengthening cyber resilience and responding to evolving regulatory expectations through:
⇒ Cybersecurity maturity and resilience assessments
⇒ AI-related risk and control framework design
⇒ Incident response and recovery planning
⇒ Third-party risk and ecosystem governance
As frontier AI accelerates the speed and sophistication of cyberattacks, financial institutions cannot rely on traditional, reactive security. True resilience requires shifting from basic compliance to proactive governance — deploying intelligent, real-time defenses and rapid patching to safeguard critical client assets and secure Hong Kong's evolving digital landscape.