Sponsors · 2026-01-11
SFC Regulatory Expectations for Sponsor Cybersecurity Risk Management
The SFC’s December 2024 circular on cybersecurity preparedness for licensed corporations has placed sponsor firms squarely in the crosshairs of a regulatory push that, until recently, focused primarily on retail-facing brokers and asset managers. The circular, issued under section 399 of the Securities and Futures Ordinance (SFO), explicitly extends heightened expectations to Type 6 (advising on corporate finance) licensees, including those whose licence permits them to act as IPO sponsors, a category that had largely operated under the assumption that its core due diligence work was insulated from the operational cyber risk frameworks governing trading desks. That assumption is no longer tenable. The SFC’s 2024 Annual Report, published in April 2025, recorded 837 cybersecurity-related incidents reported by licensed corporations in 2024, a 22% increase from 685 in 2023. For sponsors, the regulatory risk is not merely operational: a material cyber breach that compromises confidential IPO due diligence materials, including pre-IPO financial projections, legal opinions, or third-party verification reports, can amount to a breach of the Code of Conduct for Persons Licensed by or Registered with the SFC (the Code), particularly paragraph 12.1 on internal controls and paragraph 16.3 on the management of confidential information. The SFC has signalled that sponsor firms will be subject to the same thematic inspections on cybersecurity that it has applied to larger broker-dealers, with the first wave of targeted reviews expected to commence in Q3 2025.
The Regulatory Framework: From General Principle to Sponsor-Specific Obligations
The SFC’s cybersecurity expectations for sponsors are not codified in a single standalone rulebook but are instead embedded across multiple layers of the regulatory architecture. The primary instrument is the SFC’s December 2024 circular on “Cybersecurity Preparedness for Licensed Corporations,” which sets out baseline requirements for all licensees, including Type 6 firms that act as sponsors. The circular mandates that sponsors implement a cybersecurity risk management framework covering five core pillars: governance, identification, protection, detection, and response. For sponsors, the governance pillar is the most consequential, as it requires the board of directors or equivalent governing body to approve the cybersecurity policy and to receive at least annual reporting on cyber risks. This is a direct extension of the SFC’s Management, Supervision and Internal Control Guidelines for Licensed Corporations (the ICG), specifically paragraph 2.1, which requires senior management to establish and maintain effective internal controls.
Paragraph 12.1 of the Code and the Sponsor’s Duty of Care
The SFC’s Code of Conduct, paragraph 12.1, requires licensed corporations to maintain appropriate internal controls, including those for information security. For a sponsor, this duty extends to the protection of confidential client data, including pre-IPO financial statements, due diligence reports, and correspondence with regulators. A breach that results in the leakage of material non-public information (MNPI) can draw the sponsor into the insider dealing provisions of Part XIV of the SFO (section 270 for the civil regime before the Market Misconduct Tribunal and section 291 for the criminal offence), in addition to any Code breach. The SFC’s enforcement record in 2024 includes two cases where inadequate information security controls were cited as contributing factors to insider dealing charges, although neither case involved a sponsor firm directly. The precedent is clear: the SFC will treat a sponsor’s failure to secure its IT systems as a failure of internal controls, not merely a technical glitch.
The 2024 Circular’s Specific Requirements for Data Classification
The December 2024 circular introduces a mandatory data classification requirement that has direct implications for sponsors. Licensed corporations must classify all data assets into at least three tiers: public, internal, and confidential. For a sponsor, confidential data includes all materials received from listing applicants, including draft prospectuses, verification memos, and correspondence with the HKEX. The circular requires that confidential data be stored on segregated systems protected by multi-factor authentication (MFA) and that access logs be retained for a minimum of seven years, aligning with the record-keeping requirements under the Securities and Futures (Keeping of Records) Rules (Cap. 571N). That period matches the seven years for which section 377 of the Companies Ordinance (Cap. 622) requires accounting records to be preserved, but it is far longer than the default log retention of most email, SIEM, cloud and endpoint platforms, which is typically measured in days or months. A sponsor whose retention policy simply inherits those platform defaults will not be able to produce the access history the circular expects, so log retention settings, not just document retention, need to be reviewed.
Operational Risks Unique to Sponsor Firms
Sponsor firms face cyber risks that are structurally different from those of retail brokers or asset managers, largely because of the nature of their deal flow and the sensitivity of the information they hold. A sponsor’s IT infrastructure typically handles multiple concurrent IPO mandates, each with its own set of confidential documents, third-party verification reports, and regulatory filings. The concentration of MNPI across multiple deals in a single system creates a single point of failure that, if breached, could compromise multiple listings simultaneously.
The Threat of Third-Party Vendor Breaches
A significant vector for cyber risk in sponsor firms is the reliance on third-party vendors for due diligence work. Many sponsors outsource elements of their verification process to external law firms, forensic accountants, and market research providers. The SFC’s 2024 circular explicitly requires licensed corporations to conduct due diligence on third-party service providers that have access to their systems or data, and to include cybersecurity requirements in all vendor contracts. This requirement is consistent with the HKMA’s Supervisory Policy Manual module SA-2 on outsourcing, which applies to banks but has been referenced by the SFC as a benchmark for best practice. For sponsors, the practical implication is that each vendor contract for a due diligence engagement must now include a clause requiring the vendor to maintain cybersecurity insurance with a minimum coverage of HKD 10 million per incident, a standard that the SFC has indicated it considers appropriate for the sensitivity of IPO-related data.
Remote Work and the Permanent Shift in Attack Surface
The post-2020 shift to hybrid working has permanently expanded the attack surface for sponsor firms. SFC data from its 2024 Annual Report indicates that 68% of licensed corporations now permit employees to work remotely at least two days per week, compared to 22% in 2019. For sponsors, this creates a regulatory tension: the SFC’s Code of Conduct, paragraph 16.3, requires that confidential information be stored and transmitted in a manner that prevents unauthorised access, but remote work inherently increases the number of endpoints and networks over which that data travels. The SFC’s 2024 circular addresses this by requiring that all remote access to confidential data be routed through a virtual private network (VPN) with endpoint detection and response (EDR) capabilities, and that employees use company-issued devices for all work-related activities. Sponsors that permit bring-your-own-device (BYOD) policies for due diligence work are now effectively non-compliant, as the SFC has made clear that personal devices do not meet the security standards required for MNPI.
Enforcement Trends and Thematic Inspections
The SFC has signalled a shift from issuing general guidance to conducting targeted enforcement actions in the cybersecurity space. In its 2025-26 Enforcement Priorities, published in January 2025, the SFC listed cybersecurity and data protection as one of four priority areas for the coming year, alongside anti-money laundering, market manipulation, and sponsor misconduct. This marks the first time cybersecurity has been elevated to a standalone enforcement priority, rather than being subsumed under the broader category of internal controls.
The 2024 Enforcement Cases: A Precursor
While no sponsor firm has yet been fined solely for cybersecurity failures, the SFC’s 2024 enforcement actions against two mid-sized brokers for inadequate cybersecurity controls provide a template for what sponsors can expect. In September 2024, the SFC reprimanded and fined Broker A HKD 3.5 million for failing to implement MFA on its trading systems, leading to a breach that compromised 47 client accounts. In December 2024, Broker B was fined HKD 5.2 million for failing to conduct annual penetration testing, as required by the ICG. The SFC noted in both cases that the firms’ senior management had been aware of the deficiencies but had not taken corrective action within a reasonable timeframe. For sponsors, the lesson is that the SFC will not accept a remediation plan that takes more than six months to implement for a critical control deficiency.
Thematic Inspections: What Sponsors Should Expect
The SFC’s thematic inspection programme for 2025-26 will include a specific module on sponsor cybersecurity, according to the SFC’s 2025-26 Business Plan. The inspection will focus on four areas: (i) the adequacy of the sponsor’s data classification framework, (ii) the implementation of MFA and access controls for confidential data, (iii) the sponsor’s vendor risk management programme, and (iv) the sponsor’s incident response plan, including the requirement to notify the SFC within 24 hours of a material breach. This 24-hour notification requirement is new and is derived from the SFC’s 2024 circular, which states that licensed corporations must report any cybersecurity incident that results in the loss or unauthorised access of client data or MNPI to the SFC’s Enforcement Division within 24 hours. For sponsors, this creates a significant operational challenge, as the 24-hour clock begins when the firm becomes aware of the incident, not when it has confirmed the extent of the breach.
Practical Compliance Steps for Sponsor Firms
Sponsor firms should take a structured approach to aligning their cybersecurity posture with the SFC’s expectations. The following steps are derived from the SFC’s 2024 circular, the ICG, and the SFC’s thematic inspection findings.
Step One: Conduct a Data Inventory and Classification Exercise
The first and most critical step is to conduct a comprehensive data inventory, classifying all data assets into the three tiers required by the SFC. For a sponsor, the classification exercise must extend to data held by third-party vendors, including law firms and forensic accountants. The inventory should be documented in a format that can be produced to the SFC within 48 hours of a request, as the SFC’s thematic inspection teams have been known to request data inventories on the first day of an onsite visit.
Step Two: Implement Multi-Factor Authentication for All Systems
MFA must be implemented for all systems that access confidential data, including email, document management systems, and virtual data rooms. The SFC’s 2024 circular requires that MFA be based on at least two of the following three factors: something the user knows (password), something the user has (token or mobile device), or something the user is (biometric). Sponsors that rely on SMS-based one-time passwords are at risk, as the SFC has indicated that SMS-based MFA is not considered sufficiently secure for confidential data.
Step Three: Establish a Vendor Risk Management Programme
Sponsors must review all existing vendor contracts and ensure that each contract includes a cybersecurity clause that meets the SFC’s minimum requirements. The clause should include the vendor’s obligation to maintain cybersecurity insurance, to notify the sponsor of any breach within 12 hours, and to submit to periodic security audits by the sponsor or its designee. The SFC’s 2024 circular recommends that sponsors conduct an initial security audit of each vendor within six months of the circular’s effective date, which was January 1, 2025.
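The three steps above lend themselves to a policy-as-code check that a firm can run against its own data and vendor inventory before a mock inspection. The Python below is an added example for this page and is not SFC material or any firm's tooling: the tier names, factor labels, record fields and the sample inventory are constructed for illustration, and the thresholds it enforces (seven-year access-log retention, 12-hour vendor breach notification, HKD 10 million cover, SMS OTP treated as insufficient, VPN-with-EDR and company devices for remote access) are taken from this article's description rather than quoted from the circular itself.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Minimum tiers the article describes for the classification exercise.
TIERS = {"public", "internal", "confidential"}

# Hypothetical factor labels -> category (knowledge / possession / inherence).
FACTOR_CATEGORY = {
    "password": "knowledge", "pin": "knowledge",
    "sms_otp": "possession", "totp_app": "possession",
    "fido2_key": "possession", "push_app": "possession",
    "fingerprint": "inherence", "face": "inherence",
}
# Second factors the article reports as insufficient for confidential data.
WEAK_FACTORS = {"sms_otp"}

# Thresholds as stated in the article (assumptions, not the circular's wording).
MIN_LOG_RETENTION_YEARS = 7
MAX_VENDOR_NOTIFY_HOURS = 12
MIN_VENDOR_COVER_HKD = 10_000_000


@dataclass
class SystemRecord:
    name: str
    tier: str
    segregated: bool            # confidential data held on a dedicated, isolated system
    auth_factors: List[str]
    log_retention_years: int
    remote_access: str          # "vpn_edr", "direct" or "none"
    byod_allowed: bool


@dataclass
class VendorRecord:
    name: str
    confidential_access: bool
    breach_notify_hours: Optional[int]   # None = no notification clause
    cyber_cover_hkd: Optional[int]       # None = no insurance clause
    audited: bool                        # initial security audit performed


def mfa_strength(factors: List[str]) -> str:
    """'strong' = two factor categories without relying on a weak factor;
    'weak' = two categories only because of a weak factor (e.g. SMS OTP);
    'none' = a single category or unrecognised factors."""
    known = [f for f in factors if f in FACTOR_CATEGORY]
    if len({FACTOR_CATEGORY[f] for f in known}) < 2:
        return "none"
    strong_only = {FACTOR_CATEGORY[f] for f in known if f not in WEAK_FACTORS}
    return "strong" if len(strong_only) >= 2 else "weak"


def check_system(s: SystemRecord) -> List[str]:
    """Control gaps for one system; only confidential systems get the full checks."""
    findings: List[str] = []
    if s.tier not in TIERS:
        findings.append(f"unclassified tier '{s.tier}' (expected one of {sorted(TIERS)})")
        return findings
    if s.tier != "confidential":
        return findings
    if not s.segregated:
        findings.append("confidential data not held on a segregated system")
    strength = mfa_strength(s.auth_factors)
    if strength == "none":
        findings.append("no multi-factor authentication")
    elif strength == "weak":
        findings.append("MFA depends on SMS OTP, reported as insufficient for confidential data")
    if s.log_retention_years < MIN_LOG_RETENTION_YEARS:
        findings.append(f"access logs kept {s.log_retention_years}y, need {MIN_LOG_RETENTION_YEARS}y")
    if s.remote_access == "direct":
        findings.append("remote access not routed through VPN with EDR")
    if s.byod_allowed:
        findings.append("personal devices permitted for confidential data")
    return findings


def check_vendor(v: VendorRecord) -> List[str]:
    """Contract and audit gaps for one vendor with access to confidential data."""
    findings: List[str] = []
    if not v.confidential_access:
        return findings
    if v.breach_notify_hours is None or v.breach_notify_hours > MAX_VENDOR_NOTIFY_HOURS:
        findings.append(f"breach notification clause missing or slower than {MAX_VENDOR_NOTIFY_HOURS}h")
    if v.cyber_cover_hkd is None or v.cyber_cover_hkd < MIN_VENDOR_COVER_HKD:
        findings.append(f"cyber insurance absent or below HKD {MIN_VENDOR_COVER_HKD:,}")
    if not v.audited:
        findings.append("initial security audit not performed")
    return findings


def run_inspection(systems: List[SystemRecord], vendors: List[VendorRecord]) -> Dict[str, List[str]]:
    """Map each asset name to its findings; an empty list means no gap found."""
    report = {s.name: check_system(s) for s in systems}
    report.update({v.name: check_vendor(v) for v in vendors})
    return report


# Constructed sample inventory for a hypothetical sponsor firm.
SAMPLE_SYSTEMS = [
    SystemRecord("ipo-vdr", "confidential", True, ["password", "fido2_key"], 7, "vpn_edr", False),
    SystemRecord("deal-mailbox", "confidential", False, ["password", "sms_otp"], 1, "direct", True),
    SystemRecord("staff-wiki", "internal", False, ["password"], 1, "direct", True),
    SystemRecord("legacy-share", "restricted", True, ["password"], 2, "none", False),
]
SAMPLE_VENDORS = [
    VendorRecord("Forensic Accountants LLP", True, 12, 10_000_000, True),
    VendorRecord("Market Research Ltd", True, 48, None, False),
    VendorRecord("Office Catering Co", False, None, None, False),
]

if __name__ == "__main__":
    for asset, gaps in run_inspection(SAMPLE_SYSTEMS, SAMPLE_VENDORS).items():
        print(f"{asset}: {'OK' if not gaps else ''}")
        for gap in gaps:
            print(f"  - {gap}")
```

The MFA check deliberately distinguishes "two categories only because of SMS" from "two categories without SMS": a system offering password plus both SMS and an authenticator app passes, whereas password plus SMS alone is flagged. An unrecognised tier such as "restricted" is reported as a classification gap rather than silently treated as non-confidential, which is the failure mode an inspector would look for first.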
Actionable Takeaways
- Sponsor firms must complete a full data classification exercise by Q3 2025, classifying all IPO-related documents as confidential and storing them on segregated systems with MFA.
- The SFC’s 24-hour breach notification requirement applies to any incident involving the loss or unauthorised access of MNPI; sponsors must have a documented incident response plan that designates a specific individual responsible for notifying the SFC Enforcement Division.
- All vendor contracts for due diligence services must include cybersecurity clauses requiring minimum HKD 10 million insurance coverage and a 12-hour breach notification obligation.
- Remote work policies must be revised to mandate company-issued devices with VPN and EDR for all employees handling confidential data, with BYOD policies eliminated for sponsor-related work.
- The SFC’s thematic inspection programme for 2025-26 will include a sponsor cybersecurity module; firms should prepare by conducting a mock inspection using the SFC’s 2024 circular as the assessment framework.