The Hong Kong Monetary Authority (HKMA) has reminded authorised institutions to review their cyber defences against frontier AI models.

The regulator warned that advanced AI could commoditise the attack process and exploit zero-day vulnerabilities in critical software.

The HKMA noted that while AI-assisted attacks like phishing and deepfakes are not new, frontier AI models represent a step change.

According to AI firms and research institutes, these systems show the capacity to independently identify software flaws, which could reduce the need for human expertise and lead to faster, more frequent breaches.

The HKMA expects financial institutions to assess whether their current multi-layered defences remain fit for purpose.

This includes evaluating the cyber resilience of third-party service providers, which threat actors increasingly target as entry points for supply chain attacks.

As breach scenarios become more probable, the regulator expects banks to uplift their incident response processes.

The HKMA also advises institutions that have not yet implemented a Secure Tertiary Data Backup (STDB) to revisit their decision, and urges those with existing setups to review how they can improve them to counter destructive cyberattacks.

New frameworks and industry collaboration

To support the sector, the HKMA is establishing a Task Force on AI-Driven Cyber Risks.

The group will bring together financial authorities, institutions, and cyber experts to share intelligence and address cross-jurisdictional information gaps.

The regulator is also developing a Cyber Resilience Testing Framework (CRTF) in collaboration with the Hong Kong Association of Banks (HKAB).

The framework is intended to augment existing prevention-based controls with testing of response and recovery capabilities; an initial test run with selected institutions is targeted for late 2026.

The directive aligns with the newly operational Protection of Critical Infrastructures (Computer Systems) Ordinance (PCICSO).

A Sectoral Code of Practice came into effect on June 2, 2026 to guide designated banks in complying with statutory security obligations.

Featured image credit: Edited by Fintech News Hong Kong, based on image by bloodua via Magnific