
Hong Kong SFC Releases Cybersecurity Report: A Must-Read for Web3 Licensed Companies
TechFlow Selected TechFlow Selected

Hong Kong SFC Releases Cybersecurity Report: A Must-Read for Web3 Licensed Companies
How should Web3 licensed companies handle cybersecurity issues?
By: Iris
Cybersecurity has always been a "deep-seated pain" for the Web3 industry.
According to data from SlowMist Security Team, losses due to security incidents and phishing attacks reached nearly $100 million in January 2025—only the tip of the iceberg compared to total industry losses. Annually, cybersecurity issues result in losses ranging from several billion to tens of billions of dollars for projects and individual users.
Therefore, cybersecurity remains critical for Web3 projects.

On February 6, 2025, the Hong Kong Securities and Futures Commission (SFC) released its report titled “Thematic Review on Cybersecurity of Licensed Corporations 2023/24,” stating that licensed firms must recognize that cybersecurity is not merely an IT department responsibility. In fact, senior management plays a key role in overseeing and implementing robust cybersecurity measures to protect their organizations from evolving threats.
So how should Web3-licensed companies address cybersecurity challenges?
In this article, ManQin Law breaks down the SFC’s latest report, highlighting key points and offering actionable strategies.
Senior Management Bears Primary Responsibility
Traditionally, project or product security issues are often attributed solely to a company's IT team, seen as their primary responsibility.
However, under the regulatory framework of the Hong Kong SFC, senior management of licensed corporations are not only central to strategic decision-making but also the first line of accountability for cybersecurity compliance, bearing ultimate legal responsibility for failures in cybersecurity. The SFC explicitly states that the following individuals fall within the scope of senior management and must assume cybersecurity oversight duties:
-
Responsible Officers (RO)
-
Executive & Non-Executive Directors
-
Managers-in-Charge (MIC)
The Hong Kong SFC emphasizes that cybersecurity is not just an IT concern—it is a core component of corporate governance. Senior management must ensure the establishment and maintenance of strong cybersecurity control systems and provide strategic-level supervision over the implementation of security measures. This responsibility requires more than awareness of cybersecurity risks; it demands active efforts to implement appropriate risk mitigation measures and ensure full compliance with SFC regulations.
Moreover, cybersecurity compliance extends beyond technical controls to include shaping corporate culture. Senior leaders should actively promote security awareness training, establish clear accountability systems, and foster an internal culture where “cybersecurity comes first.” Only when management treats cybersecurity as an essential part of enterprise risk management can Web3-licensed firms operate securely and stably amid complex and ever-changing cyber threats.
Commonly Overlooked Internal Security Vulnerabilities
Security incidents plague the Web3 industry, yet many breaches do not stem from sophisticated hacking techniques, but rather from internal security management flaws within licensed firms themselves.
The Hong Kong SFC’s report identifies two major vulnerabilities commonly present in licensed firms’ cybersecurity practices. These weaknesses often serve as entry points for hackers, directly threatening customer data, transaction security, and even triggering regulatory risks.
Use of Outdated Software
The continued use of outdated software by Web3-licensed firms is a significant cybersecurity vulnerability highlighted in the SFC report.
Since such software no longer receives security updates, patches, or technical support from vendors, newly discovered vulnerabilities remain unpatched—providing cybercriminals with opportunities to launch malware attacks, leading to data breaches and system intrusions.
To mitigate this risk, Web3 firms must implement structured software lifecycle management processes, with direct oversight by senior management for risk assessment of software assets. Where applicable, companies may consider adopting the following measures in their operations:
-
Establish a software update mechanism. Maintain an updated inventory of all software and operating systems, proactively identify soon-to-be-obsolete software, and set up regular evaluation procedures.
-
Plan upgrades in advance. Proactively schedule upgrades or replacements before official vendor support ends, ensuring business continuity and avoiding unexpected disruptions.
-
Implement temporary mitigation measures. Apply security controls such as access restriction and network isolation for systems that cannot be immediately upgraded.
-
Conduct regular vulnerability assessments. Licensed firms should establish continuous security monitoring mechanisms to promptly detect and address software-related risks.
In addition, senior management at Web3 firms must ensure that IT teams have sufficient resources to effectively manage the software lifecycle and prevent unnecessary exposure of customer data and financial assets due to failure in upgrading critical systems.
Weaknesses in Encryption Algorithms
Encryption algorithms form the core defense line for protecting customer data, securing transactions, and meeting regulatory requirements. However, the Hong Kong SFC report notes that some licensed firms still rely on outdated or weak encryption algorithms, exposing sensitive financial and personal data to high cybersecurity risks such as data leakage and unauthorized account access.
Key encryption vulnerabilities listed by the SFC include:
-
Using obsolete algorithms such as MD5, SHA-1, or outdated RSA implementations, which are vulnerable to modern cryptographic attacks.
-
Insufficient key length—for example, RSA keys shorter than 2048 bits or AES keys below 128 bits—making brute-force attacks more feasible.
-
Poor key management, including reusing keys across multiple environments, failing to rotate keys regularly, or storing encryption keys in insecure locations.
To reduce these risks, Web3-licensed firms should adopt industry-standard encryption protocols to strengthen data protection and meet SFC regulatory expectations, including:
-
Adopt strong encryption algorithms such as AES-256 to ensure both data at rest and in transit are protected with high-strength encryption.
-
Upgrade to more secure key systems—for instance, using Elliptic Curve Cryptography (ECC) as an alternative to RSA—to achieve higher security with shorter key lengths and improved computational efficiency.
-
Implement end-to-end encryption (E2EE) to keep data encrypted during transmission, preventing man-in-the-middle attacks or unauthorized access.
-
Strengthen key management practices: avoid using the same key across multiple environments, rotate keys regularly, and store keys according to the highest security standards (e.g., Hardware Security Modules, HSM).
-
Conduct regular cryptographic audits—at least once per year—to ensure all encryption practices align with the latest industry standards and regulatory requirements.
From a compliance perspective, weak encryption is not merely a technical oversight—it could lead to serious regulatory consequences. In Hong Kong, laws such as the Personal Data (Privacy) Ordinance impose strict data protection obligations on financial institutions, while global data security standards (e.g., ISO 27001, NIST) continue to raise the bar for encryption compliance.
Therefore, if a Web3-licensed firm fails to implement sufficiently strong encryption measures, any resulting data breach or unauthorized access could lead to legal liabilities, loss of customer trust, or even regulatory penalties. As such, senior management must treat encryption security as a core compliance function, ensuring encryption strategies evolve alongside industry best practices and emerging cyber threats, and are effectively implemented to safeguard customer data and ensure long-term compliant operations.
External Cybersecurity Threats and Mitigation
Beyond internal vulnerabilities, external cybersecurity threats are also prevalent in the Web3 space, with phishing websites and fake airdrop scams being among the most common.
Hence, the Hong Kong SFC stresses in its report that licensed firms must adopt more proactive security strategies to counter increasingly sophisticated cyberattacks. Particularly in the Web3 business environment, where funds, contracts, and digital assets are highly digitized, traditional financial institutions’ cybersecurity challenges are amplified for Web3 firms.
Below are key high-risk areas emphasized by the SFC, along with targeted defense strategies:
Phishing Attacks
This is likely one of the most common and successful fraud methods in the Web3 industry.
For Web3 firms, phishing is far more than a simple scam—it can serve as a gateway for larger-scale attacks. In the Web3 space, phishing often precedes fund theft, smart contract exploits, malicious authorizations, or even private key leaks. Attackers trick users into revealing sensitive information through forged trading sites, fraudulent dApp links, or impersonating official teams—often without the user realizing it—ultimately causing severe financial loss and security crises.
To mitigate these threats, Web3 firms must go beyond basic awareness training and adopt multi-layered defense strategies, including:
Advanced Email Security Gateways (SEG)
Traditional email filters are no longer sufficient against increasingly sophisticated phishing attacks. The SFC recommends deploying advanced email security gateways (SEG) capable of detecting and blocking phishing emails. For example, AI-powered email security solutions can detect spoofed domains, suspicious attachments, and malicious links. These tools should also integrate real-time threat intelligence to block emerging phishing campaigns.
Implement Strong Authentication Mechanisms
Since phishing primarily targets login credentials, Web3 firms should enforce multi-factor authentication (MFA) across all critical systems—especially those involving trading platforms, private key management, hot wallet access, and compliance systems. Additionally, user account privileges should be minimized based on the Principle of Least Privilege (PoLP), limiting the potential impact of a successful phishing attack.
Regular Employee Training and Simulated Phishing Tests
Employees are the first line of defense, but standard security training alone rarely changes habitual behavior. Therefore, Web3 firms are advised to take two steps: (1) Provide ongoing cybersecurity awareness training tailored to financial services and digital asset-specific risks, enabling employees to identify and report sophisticated phishing attempts; (2) Conduct regular simulated phishing exercises to analyze and assess employee awareness and response, improving incident response protocols accordingly.
Establish Rapid Response and Emergency Procedures
Web3 firms should establish standardized reporting procedures for phishing attempts to enable swift investigation and threat mitigation before escalation. For example, upon detection of a phishing incident, the company should immediately isolate affected accounts or systems and initiate emergency response procedures—including revoking malicious contract approvals, freezing impacted funds, and notifying relevant regulators and customers. Any successful phishing intrusion should trigger forensic reviews and updates to internal security policies.
Transaction and Signature Security Alerts
In Web3 contexts, malicious websites and dApps (decentralized applications) may trick users into signing harmful smart contracts. Firms should therefore implement secure transaction confirmation mechanisms—such as providing detailed explanations of smart contract permissions within wallet interfaces—and encourage users to verify transaction behavior using simulation tools before granting authorization.
For Web3 firms handling virtual asset transactions, tokenized assets, and DeFi services, phishing risks extend far beyond traditional email scams. Hackers now employ more deceptive social engineering tactics—such as forging official communications, luring users into approving malicious smart contracts, or even faking wallet signature requests—to bypass conventional defenses and gain direct control over users' digital assets.
Thus, anti-phishing strategies for Web3 firms must go beyond basic awareness training to include wallet security management, rigorous review of smart contract interactions, and strict transaction verification mechanisms to minimize potential risks.
Remote Access Security
Remote work has become the norm for Web3 firms, but it also expands the attack surface for cyber threats. Poorly managed remote access allows hackers to exploit weak credentials, unencrypted connections, or compromised devices to access core systems, creating serious security risks.
To secure remote access, Web3 firms should consider the following measures:
-
Mandate multi-factor authentication (MFA), especially when accessing admin panels, private key storage systems, and financial transaction backends.
-
Adopt a zero-trust architecture (ZTA), ensuring all access requests undergo strict verification, rather than relying solely on IP whitelists or VPNs.
-
Monitor remote access logs to detect anomalous patterns—such as logins from unusual times, locations, or devices.
-
Encrypt all remote connections using end-to-end encryption (E2EE) and enterprise-grade VPNs to prevent man-in-the-middle attacks.
Potential Security Risks from Third-Party IT Service Providers
Using third-party IT service providers introduces additional cybersecurity considerations. Companies must conduct thorough due diligence to evaluate the provider’s security posture. This includes reviewing their security policies, understanding their incident response procedures, and confirming compliance with relevant regulatory requirements. Establishing clear contractual obligations around data protection and conducting regular security assessments can further reduce risks associated with third-party providers.
Many Web3 firms rely on third-party providers for cloud storage, identity verification, smart contract auditing, and payment processing. However, if these suppliers have inherent security flaws, they can become entry points for attackers.
To reduce supply chain attack risks, Web3-licensed firms can:
-
Conduct security due diligence to assess the provider’s cybersecurity maturity, data handling policies, incident response capabilities, and compliance certifications (e.g., ISO 27001 or SOC 2).
-
Define clear contractual obligations, ensuring the provider assumes responsibility for data protection, incident response, and security audits.
-
Perform regular supplier security assessments—such as requiring up-to-date security reports and conducting penetration tests—to confirm their infrastructure has no critical vulnerabilities.
Cloud Security Threats
Cloud computing has become a core infrastructure for Web3 firms, yet misconfigured cloud storage, unencrypted data, and overly permissive access rights can allow hackers easy access to sensitive information.
To ensure cloud security, Web3 firms should consider the following:
-
Enforce strict access controls using Role-Based Access Control (RBAC) to limit access to sensitive data.
-
Encrypt data at rest and in transit, ensuring all customer data stored in the cloud is protected with AES-256 encryption to prevent data leaks.
-
Conduct regular cloud security audits to identify misconfigurations and potential risks—avoiding common issues like publicly accessible S3 buckets.
Additionally, Web3 firms must understand the shared responsibility model of cloud security—knowing which aspects are managed by the cloud provider and which remain the firm’s own responsibility.
ManQin Law Summary
The SFC report reaffirms that cybersecurity is not just a technical issue, but a core element of compliant operations for licensed firms. Whether it’s senior management accountability, internal defenses, or responses to external threats, Web3-licensed firms must build long-term, robust cybersecurity strategies to meet regulatory requirements and protect customer assets.
Notably, on February 7, the SFC announced plans to comprehensively review existing cybersecurity requirements and expectations in 2025 and develop an industry-wide cybersecurity framework, providing clearer compliance guidance for all Web3-licensed firms to better manage cybersecurity risks.
Therefore, Web3-licensed firms should prepare early to swiftly adapt when regulatory standards are upgraded. Moreover, ManQin Law advises that regardless of licensing status, all Web3 firms should proactively assess their current cybersecurity frameworks, improve internal governance, and enhance compliance readiness to reduce operational risks from future regulatory adjustments and strengthen market competitiveness.
Join TechFlow official community to stay tuned
Telegram:https://t.me/TechFlowDaily
X (Twitter):https://x.com/TechFlowPost
X (Twitter) EN:https://x.com/BlockFlow_News














