Briefings

The SFC's June circular to licensed securities firms and registered virtual-asset service providers names credential theft accelerated by generative models and deepfake-assisted authorization calls as its lead threat tier, and directs boards to map controls against each. The circular is guidance only. It carries no mandatory cyber-insurance floor, no capital charge against breach losses, and no trigger on HK's Investor Compensation Fund, which caps recovery at HK$500,000 per claimant for securities defaults and does not extend to VASP hacking losses.

Chainalysis put global crypto-platform theft at roughly $2.2 billion in 2024, before current AI attack tooling was widely available. The SFC licenses the VASPs it warns. HK's licensing conditions require registered platforms to hold 98% of client virtual assets in cold storage, with insurance on the hot-wallet balance, a framework calibrated to custody risk, not to AI-assisted social-engineering fraud on the authorization desk. When a VASP fails to hold the line, the accountability path runs through the SFC's licensing review under the Anti-Money Laundering Ordinance, and the first cohort of licensed VASPs faces its annual compliance attestation cycle in mid-2026.

Filing as written. The gap between the cold-storage framework and the social-engineering threat vector is the piece. -- WR