
BEYOND DEFENSE: Hong Kong’s New Era of Financial Cyber Resilience

Hong Kong, a key international financial hub, is confronting increasingly sophisticated cyber threats that demand strong cyber resilience to protect its financial stability and economic operations. The dependence on digital platforms by essential infrastructure providers increases the potential impact of cyber attacks.
To address this evolving threat landscape, the Hong Kong Monetary Authority (HKMA) launched the Cybersecurity Fortification Initiative (CFI) in 2016. This program aims to strengthen the cyber defenses of the banking industry and is built upon three main components: the Cyber Resilience Assessment Framework (C-RAF), the Professional Development Programme (PDP), and the Cyber Intelligence Sharing Platform (CISP).
Acknowledging the need to keep pace with technological progress and new cyber strategies, the HKMA introduced an enhanced version, CFI 2.0, in November 2020, which became operational in January 2021.
Expanding beyond the banking sector, the Insurance Authority (IA) has also developed its own framework, the Cyber Resilience Assessment Framework (CRAF), which is included in the updated Guideline on Cybersecurity (GL20), effective from January 1, 2025. These efforts are vital for reshaping cyber security practices within Hong Kong’s financial institutions.
The forthcoming “Protection of Critical Infrastructure (Computer System) Bill” (Critical Infrastructure Cybersecurity Law), slated for implementation in 2026, emphasizes the critical need for robust cyber resilience frameworks across various sectors.
The Hong Kong Monetary Authority’s Cybersecurity Fortification Initiative (CFI) 2.0 applies to all Authorized Institutions (AIs) operating in Hong Kong, including international banks with a local presence. This means that all such institutions—regardless of their global operations—must comply with the enhanced cyber security standards and assessment frameworks introduced under CFI 2.0.
The Growing Case for Cyber Resilience in Hong Kong
Hong Kong’s financial sector and critical infrastructure are increasingly vulnerable to sophisticated cyber attacks due to digital transformation. These attacks threaten economic stability and operational continuity, with potential for significant financial losses and systemic disruptions within the interconnected financial ecosystem. A 2024 global IT outage served as a stark reminder of the challenges in maintaining cyber resilience and managing third-party risks, even for large corporations. Recognizing this escalating threat, the Hong Kong government is proactively strengthening cyber security measures.
Per Check Point Research’s Threat Intelligence Report:
- Over the last 6 months, an organization in Hong Kong was attacked on average 1675 times per week.
- The most common vulnerability exploit type in Hong Kong is Information Disclosure, impacting 70% of organizations.
Breaking Down the Cybersecurity Fortification Initiative
CFI is built on three foundational pillars designed to address distinct but interconnected aspects of cyber security enhancement.
CFI 2.0 Refinements
With the launch of CFI 2.0 in January 2021, the HKMA introduced enhancements to address gaps identified in the earlier program while aligning with emerging cyber trends and technology. Enhancements:
- Governance: Clearer definition of responsibilities for relevant parties
- Forensics and Incident Response: Updated frameworks for improved attack countermeasures
- Enhanced Access Security: New MA principles for emerging technologies, including virtualization and internet of things (IoT)
- Streamlined Assessments: Use of evaluations from other group entities, plus detailed iCAST guidance on threat intelligence reports, scenario storylines, and test goals
The Role of iCAST in Cyber Readiness
- Intelligence-led Cyber Attack Simulation Testing (iCAST) is the crown jewel of the C-RAF, offering banks a deeper understanding of their vulnerabilities. Unlike traditional penetration tests, iCAST uses actionable threat intelligence to recreate the tools and tactics of modern cyber adversaries.
- iCAST is not conducted in isolation; it is an informed and targeted exercise that builds upon the foundational assessments of risk and maturity established in the earlier phases of the C-RAF process.
- iCAST is the third and final step in the Cyber Resilience Assessment Framework (C-RAF) and is mandatory for Authorized Institutions (AIs) with medium or high inherent cyber security risk.
What makes iCAST essential
Beyond Banking – Harmonizing cyber resilience across Hong Kong’s financial ecosystem
While CFI primarily focuses on the banking sector, efforts to bolster cyber security are extending to other industries. For example, the Insurance Authority (IA) introduced its Cyber Resilience Assessment Framework (CRAF) under the revised Guideline on Cybersecurity (GL20), effective in 2025. The framework, while sharing a three-step structure similar to C-RAF, is tailored specifically for insurers.
This widespread drive demonstrates Hong Kong’s commitment to building a connected and strong cyber security defense network.
Contrasting the HKMA C-RAF and the Insurance Authority CRAF
Continuous Challenges and the Road Ahead
Hong Kong’s cyber resilience frameworks must constantly adapt to the evolving cyber threat landscape. The growing use of AI and cloud computing presents new challenges and vulnerabilities for future assessment methodologies. Effective cross-sector collaboration and information sharing will remain vital for tackling borderless cyber threats.
Regulations may extend cyber resilience assessment frameworks to other critical infrastructure sectors globally and in Hong Kong, reflecting a global focus on strengthening cyber security for essential services.
The future of cyber resilience assessment in Hong Kong will likely involve a proactive and adaptive approach, continuously evolving to address emerging threats and technological changes, thereby ensuring a secure and resilient digital environment for its financial sector and critical infrastructure.
Check Point Infinity Global Services (IGS): Empowering Authorized Institutions & Insurers
- Check Point Infinity Global Services offers customized cyber security solutions for Hong Kong’s financial institutions. Services include, but are not limited to, risk and maturity assessments, remediation planning and implementation, penetration testing, and incident response, all delivered in compliance with HKMA regulations while assessing security effectiveness.
- With significant experience supporting banks and insurance companies, Check Point Infinity Global Services enables institutions in Hong Kong to strengthen their security and build resilience against emerging threats. This proactive strategy enhances trust and reputation in a highly competitive environment
- CREST-accredited: a recognized mark of quality, professionalism, and assurance that gives cyber security providers a competitive edge while enabling buyers to make informed decisions with confidence.