Check Point Blog

BEYOND DEFENSE: Hong Kong’s New Era of Financial Cyber Resilience

Hong Kong, a key international financial hub, is confronting increasingly sophisticated cyber threats that demand strong cyber resilience to protect its financial stability and economic operations. Essential infrastructure providers' dependence on digital platforms increases the potential impact of cyber attacks.

To address this evolving threat landscape, the Hong Kong Monetary Authority (HKMA) launched the Cybersecurity Fortification Initiative (CFI) in 2016. This program aims to strengthen the cyber defenses of the banking industry and is built upon three main components: the Cyber Resilience Assessment Framework (C-RAF), the Professional Development Programme (PDP), and the Cyber Intelligence Sharing Platform (CISP).

Acknowledging the need to keep pace with technological progress and new cyber strategies, the HKMA introduced an enhanced version, CFI 2.0, in November 2020, which became operational in January 2021.

Expanding beyond the banking sector, the Insurance Authority (IA) has also developed its own framework, the Cyber Resilience Assessment Framework (CRAF), which is included in the updated Guideline on Cybersecurity (GL20), effective from January 1, 2025. These efforts are vital for reshaping cyber security practices within Hong Kong’s financial institutions.

The forthcoming “Protection of Critical Infrastructure (Computer System) Bill” (Critical Infrastructure Cybersecurity Law), slated for implementation in 2026, emphasizes the critical need for robust cyber resilience frameworks across various sectors.

The Hong Kong Monetary Authority’s Cybersecurity Fortification Initiative (CFI) 2.0 applies to all Authorized Institutions (AIs) operating in Hong Kong, including international banks with a local presence. This means that all such institutions—regardless of their global operations—must comply with the enhanced cyber security standards and assessment frameworks introduced under CFI 2.0.

The Growing Case for Cyber Resilience in Hong Kong

Hong Kong’s financial sector and critical infrastructure are increasingly vulnerable to sophisticated cyber attacks due to digital transformation. These attacks threaten economic stability and operational continuity, with potential for significant financial losses and systemic disruptions within the interconnected financial ecosystem. A 2024 global IT outage served as a stark reminder of the challenges in maintaining cyber resilience and managing third-party risks, even for large corporations. Recognizing this escalating threat, the Hong Kong government is proactively strengthening cyber security measures.

Per Check Point Research’s Threat Intelligence Report:

Breaking Down the Cybersecurity Fortification Initiative

CFI is built on three foundational pillars designed to address distinct but interconnected aspects of cyber security enhancement.

CFI 2.0 Refinements

With the launch of CFI 2.0 in January 2021, the HKMA introduced enhancements to address gaps identified in the earlier program while aligning with emerging cyber trends and technology. Enhancements:

The Role of iCAST in Cyber Readiness
What makes iCAST essential

Beyond Banking – Harmonizing cyber resilience across Hong Kong’s financial ecosystem

While CFI primarily focuses on the banking sector, efforts to bolster cyber security are extending to other industries. For example, the Insurance Authority (IA) introduced its Cyber Resilience Assessment Framework (CRAF) under the revised Guideline on Cybersecurity (GL20), effective in 2025. The framework, while sharing a three-step structure similar to C-RAF, is tailored specifically for insurers.

This widespread drive demonstrates Hong Kong’s commitment to building a connected and strong cyber security defense network.

Contrasting the HKMA C-RAF and the Insurance Authority CRAF

Continuous Challenges and the Road Ahead

Hong Kong’s cyber resilience frameworks must constantly adapt to the evolving cyber threat landscape. The growing use of AI and cloud computing presents new challenges and vulnerabilities for future assessment methodologies. Effective cross-sector collaboration and information sharing will remain vital for tackling borderless cyber threats.

Regulations may extend cyber resilience assessment frameworks to other critical infrastructure sectors, both in Hong Kong and globally, reflecting a worldwide focus on strengthening cyber security for essential services.

The future of cyber resilience assessment in Hong Kong will likely involve a proactive and adaptive approach, continuously evolving to address emerging threats and technological changes, thereby ensuring a secure and resilient digital environment for its financial sector and critical infrastructure.

Check Point Infinity Global Services (IGS): Empowering Authorized Institutions & Insurers