HKMA issues binding Sectoral Code of Practice imposing cyber-security obligations on designated critical-infrastructure banks
The HKMA issued a binding Sectoral Code of Practice under the Protection of Critical Infrastructures (Computer Systems) Ordinance, effective 2 June 2026, requiring Authorized Institutions designated as critical-infrastructure operators to meet baseline cyber-security obligations for their critical computer systems — enforceable through Monetary Authority directions whose breach is a criminal offence.
- — Authorized Institutions designated as critical-infrastructure operators must establish and maintain a computer-system security management unit and submit a board- or senior-management-endorsed computer-system security management plan covering the Code's full control set for their designated critical computer systems; failing to do so exposes the institution to Monetary Authority written directions, breach of which is a criminal offence.
- — Designated AIs must conduct periodic computer-system security risk assessments — including vulnerability assessments and penetration tests — and arrange independent security audits of their critical computer systems on the periods set under the Ordinance, retaining the supporting reports and evidence to demonstrate compliance to the Monetary Authority on request.
- — Designated AIs must notify the Monetary Authority of their Hong Kong office address, operator changes, and material changes to designated critical computer systems within the periods specified in the Ordinance, in the form the Monetary Authority requires.
- — Designated AIs relying on third-party and cloud service providers for critical computer systems must extend the Code's supply-chain and cloud-security controls to those providers and avoid over-dependence on a single or few suppliers, because supplier nodes fall within the protected scope of the designated critical computer systems.
- — Authorized Institutions designated by the HKMA as critical-infrastructure operators, and their security, technology-risk and operational-resilience functions
- — Boards and senior management of Designated AIs responsible for endorsing the computer-system security management plan
- — Third-party and cloud service providers operating or supporting designated critical computer systems for Designated AIs
- — Designated AIs must review and, where required, resubmit the computer-system security management plan to the Monetary Authority at least once every two years from its adoption to maintain compliance.