The SFC, Hong Kong's securities regulator overseeing approximately 3,000 licensed corporations, issued a cybersecurity circular this week naming AI-enabled attacks as a distinct threat category. The guidance separates AI-assisted phishing, deepfake social engineering, and automated credential attacks from the generic cyber-threat language the SFC has used since its 2019 cybersecurity framework. Firms whose controls were benchmarked to that 2019 standard now face a circular that names three new threat categories without mapping the compliance gap.
The circular covers licensed firms and VASPs, the exchanges and custodians licensed to hold digital assets on clients' behalf. By end of 2025, the SFC had granted full operating licenses to a small number of VASPs, with more applications pending. An AI-enabled attack against a VASP custody system puts client digital assets at risk on the VASP's own books. The circular names that exposure. It quantifies none.
Licensed firms reading the circular find no insurance requirement and no compliance timetable. A firm can update its documentation and walk into its next SFC inspection with no cyber cover. As of June 2026, no SFC circular requires otherwise.
Munich Re, one of the four largest cyber reinsurers globally, put global cyber insurance premiums at roughly $14 billion for 2024. Total cyber economic losses, by Munich Re's own modeling, run in the trillions. Munich Re writes the reinsurance behind many of those policies. The firm that quantifies the gap also collects the premium that sets its width. A corporate policyholder on the other side of that ledger negotiates renewal against the institution that just published the shortfall.
APAC runs at roughly 10 percent of global cyber premiums, per Swiss Re's cyber market data, against an economic-loss share well above that figure. Hong Kong's SFC-licensed sector sits inside a market where AI-specific endorsements are largely absent. A licensed firm hit by a deepfake attack this year would file against a 2023-vintage policy that was not written for it.
The protection gap, the share of losses no policy covers, is structural here. Parametric cyber products, which pay against a defined trigger rather than proven loss, exist in London and Bermuda markets but have thin placement in Asia. Lloyd's writes that placement. No Hong Kong broker is arranging it.
The Insurance Authority has not issued guidance to match the SFC circular. The July 1 Lloyd's renewal opens in four weeks. If the Insurance Authority issues product guidance before that date, underwriters have a regulatory anchor for AI-attack policy language. If it does not act, the renewal proceeds under terms set before the SFC named deepfake attacks as a distinct threat category. Hong Kong family offices and VASPs renewing after July 1 negotiate against whatever language the underwriters bring.