HKMA issues binding Sectoral Code of Practice imposing cyber-security obligations on designated critical-infrastructure banks

On 2 June 2026, the HKMA's Monetary Authority brought into operation a Sectoral Code of Practice under Section 8(1)(b) of the PCICSO for Authorized Institutions designated as critical-infrastructure operators. It sets baseline requirements for protecting designated critical computer systems and details how Designated AIs comply with category 1 and category 2 statutory obligations. Non-compliance with the Code is not itself an offence, but the MA can issue written directions for non-compliant or defective compliance, and breaching such a direction is an offence.

The Monetary Authority issued this Sectoral Code of Practice under the PCICSO, effective 2 June 2026, to set the baseline cyber-security requirements for the critical computer systems (CCSs) of Authorized Institutions designated as critical-infrastructure operators. The Code establishes how the MA will bilaterally designate CCSs and the information Designated AIs must supply for that process, then sets out the operative obligations: maintaining a Hong Kong office and notifying the MA of its address and any change; notifying operator changes and material changes to CCSs; establishing and maintaining a computer-system security management unit with a suitably qualified supervisor; and submitting and implementing a computer-system security management plan endorsed by the board or senior management, reviewed at least once every two years. The plan must address a detailed control set spanning access control, privileged access, cryptography, patch and change management, backup and recovery (including a secure tertiary data backup), network and application security, logging with a minimum six-month retention, supply-chain and cloud risk, monitoring and detection, and training. Designated AIs must also conduct periodic computer-system security risk assessments — including vulnerability assessment and penetration testing — and arrange independent security audits, on the periods specified in the Ordinance. The Code is not subsidiary legislation and non-compliance with it is not itself an offence, but it is the benchmark against which the MA assesses compliance: the MA may issue written directions to require remedial action for non-compliance or defective compliance with category 1 or category 2 obligations, and failing to comply with such a direction is an offence.