The Growing Case for Cyber Resilience in Hong Kong

Hong Kong, as a major international financial hub, is facing increasingly sophisticated cyber threats that pose risks to its financial stability and overall economic operations. The heavy reliance of critical infrastructure providers on digital platforms further amplifies the potential impact of cyber attacks.

To address this evolving threat landscape, the Hong Kong Monetary Authority (HKMA) launched the Cybersecurity Fortification Initiative (CFI) in 2016. This initiative aims to enhance the cyber resilience of the banking sector through three core components:

  • the Cyber Resilience Assessment Framework (C-RAF),

  • the Professional Development Programme (PDP), and

  • the Cyber Intelligence Sharing Platform (CISP).

Recognizing the rapid pace of technological change and emerging cyber risks, the HKMA introduced an enhanced version, CFI 2.0, in November 2020, which became effective in January 2021. CFI 2.0 applies to all Authorized Institutions (AIs) operating in Hong Kong, including international banks with a local presence, requiring compliance with updated cybersecurity standards and assessment frameworks.

Beyond the banking industry, the Insurance Authority (IA) has developed its own Cyber Resilience Assessment Framework (CRAF) as part of the revised Guideline on Cybersecurity (GL20), which will take effect on January 1, 2025. These initiatives represent a coordinated effort to strengthen cybersecurity practices across Hong Kong’s financial institutions.

Further emphasizing the government’s commitment to cyber resilience, the forthcoming “Protection of Critical Infrastructure (Computer System) Bill”, also referred to as the Critical Infrastructure Cybersecurity Law, is scheduled for implementation in 2026. This legislation will reinforce cybersecurity requirements across multiple sectors, underscoring the importance of protecting critical systems and data assets.

The urgency for such measures has been underscored by recent global incidents, such as the 2024 global IT outage, which highlighted the challenges of maintaining operational resilience and managing third-party risks even among large, well-resourced organizations. In response, the Hong Kong government continues to advance its cybersecurity frameworks to safeguard its financial ecosystem and ensure sustained economic stability.