
Hong Kong Securities and Futures Commission Mandates Anti-Phishing Authentication for Virtual Asset Platforms to Counter AI-Driven Cyber Threats
The Hong Kong Securities and Futures Commission (SFC) has ordered all licensed virtual asset service providers (VASPs) and online brokers to implement anti-phishing login mechanisms within 12 months. This measure aims to strengthen investor protection amid a surge in sophisticated phishing attacks utilizing AI.
On July 9, 2026, the Hong Kong Securities and Futures Commission (SFC) ordered all licensed Virtual Asset Service Providers (VASPs) and online brokers to adopt anti-phishing login requirements to counter evolving cyber threats. This directive follows a circular released in June 2026, granting platforms a 12-month grace period to overhaul their authentication infrastructure against AI-driven phishing attacks that threatened the regional security landscape in 2025 and early 2026.
The SFC specified that licensed corporations and VASPs must meet the newly issued anti-phishing login requirements. The regulator set a 12-month compliance deadline for security upgrades within the regulated virtual asset ecosystem, an obligatory measure to ensure the safety of digital asset trading in Hong Kong. Platforms must replace existing vulnerable authentication methods within the specified timeframe.
Existing multi-factor authentication methods have limitations in blocking sophisticated AI phishing attacks, and the introduction of robust hardware-based authentication systems is urgent.
This measure signifies a shift away from traditional multi-factor authentication (MFA) methods, such as SMS codes, toward hardware security keys or Passkeys that comply with FIDO2 standards. These technologies are designed to fundamentally prevent attackers from intercepting user login information or directing them to fake sites. They are expected to play a key role, particularly in responding to sophisticated social engineering attacks utilizing AI.
Background of Record-Breaking Security Incidents in 2025 and Regulatory Strengthening
According to the 'Hong Kong Cyber Security Outlook 2026' report released by the Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT), cybersecurity incidents in Hong Kong reached a record high of 15,877 in 2025. This represents a 27% increase from the previous year, with phishing accounting for approximately 60% of all incidents, triggering immediate intervention from regulatory authorities. The table below summarizes the status of cybersecurity incidents in Hong Kong for 2025.
- Surge in cases of AI-based phishing email body and landing page generation
- As of January 2026, approximately 11% of phishing emails include AI-supported indicators
- Intensified attempts at user deception and asset theft through sophisticated social engineering techniques
- Supply chain risks and AI-related attacks emerging as major security concerns
In the first half of 2026, global virtual asset hacking incidents reached a record high of 207 cases, but the total loss decreased to approximately $972 million, which is less than $1 billion. This suggests that while the frequency of attacks has increased, enhanced security measures have begun to mitigate actual financial damage. Hong Kong's recent measures are also in line with this global trend of strengthening security and aim to minimize the scale of damage.
This security order is complementary to other regulatory initiatives in Hong Kong, such as the secondary trading framework for tokenized funds announced in April 2026. Robust anti-phishing regulations are an essential foundation for solidifying Hong Kong's position as a 'global digital asset hub' that prioritizes investor protection. Regulatory authorities have made it clear that market growth without guaranteed security is unsustainable.
However, with approximately 30% of Hong Kong companies lacking dedicated cybersecurity personnel, implementation difficulties are expected for small and medium-sized VASPs. Securing professional personnel to operate the technical infrastructure, as well as the cost of building it, is expected to be a major challenge for platforms over the next 12 months. Concerns have also been raised that rising compliance costs could act as a barrier to market entry.
The SFC plans to continuously monitor platform compliance through 'Scameter+' reports and regular audits until the June 2027 deadline. Regulatory authorities intend to strictly evaluate a platform's response capabilities and compliance in the event of a security incident, reflecting this in the decision to maintain their license. Investors should carefully check whether the platforms they use in the future meet these security standards.
| Metric | Value |
|---|---|
| Total Reported Incidents | 15,877 |
| Annual Increase in Incidents | 27% |
| Phishing Share of Total | Nearly 60% |
| Enterprises Lacking Dedicated Cyber Personnel | Nearly 30% |
Data from HKCERT highlighting the dominance of phishing in the record-high incident volume of 2025.


This content is for information and commentary only and is not investment advice.
Join the reader conversation
Read reactions to this article and leave your own note.