Hong Kong Securities and Futures Commission issues letter to licensed virtual asset trading platforms, requiring secure custody of virtual assets.

15/08/2025
GMT Eight
On August 15th, the Securities and Futures Commission of Hong Kong issued a circular to all licensed virtual asset trading platforms, clarifying its requirements for the secure custody of client virtual assets and urging platforms to rigorously review and strengthen their asset custody measures.
The Securities and Futures Commission of Hong Kong explained that several security incidents had recently occurred at overseas virtual asset custodians and that, when it reviewed the cybersecurity measures of trading platforms earlier this year, it found deficiencies in the controls of some operators. Multiple cybersecurity incidents at overseas virtual asset platforms have resulted in significant losses of client assets and highlight the ongoing risks faced by custodial systems globally. Common weaknesses in wallet infrastructure and controls include compromised third-party wallet solutions, inadequate transaction verification processes, and blind approval of forged transactions by transaction signatories.

In the latest circular, the Securities and Futures Commission of Hong Kong lists good practices and minimum standards that virtual asset trading platform operators should meet, covering the responsibilities of senior management, the infrastructure and operation of client cold wallets, the use of third-party wallet solutions, real-time threat monitoring, and other aspects. These standards will form the core requirements for virtual asset custody service providers in future and help promote a uniform virtual asset custody framework across the industry. The specific requirements of the circular are as follows:

I. Responsibilities of Senior Management

According to paragraphs 3.4 and 3.7 of the Guidelines for Virtual Asset Trading Platform Operators, corporate governance, internal controls, operational review, risk management, and compliance are key elements in determining the competence of platform operators. In addition, under paragraphs 5.1(c) and 5.1(k) of the guidelines, senior management is responsible for maintaining appropriate standards and ensuring that platform operators use their resources and procedures effectively to conduct their business properly. Senior management should ensure:
(a) the implementation of effective policies, procedures, and internal controls; and
(b) adequate senior management supervision and governance by qualified and experienced individuals.

Platform operators are therefore required to designate at least one responsible officer or key function head to oversee the matters described in sections II to VI below.

II. Infrastructure of Client Cold Wallets

According to paragraph 10.8 of the guidelines, platform operators should establish and implement strict internal controls and governance procedures for private key management, to ensure the secure generation, storage, and backup of all cryptographic seeds and private keys. Where feasible, seeds and private keys should be generated offline and stored in a secure environment (e.g., an HSM), with appropriate authentication throughout the lifecycle of the seed or private key. Given the critical role an HSM plays in the custody of client assets, platform operators should conduct appropriate due diligence on HSM suppliers before adopting an HSM, and reassess them regularly thereafter.
As part of its evaluation of an HSM supplier, a platform operator should ensure that the supplier is capable of and committed to: (a) maintaining security standards through effective patch management; and (b) having patched HSMs re-verified where necessary to maintain their security level, with their certifications updated promptly. The cold wallet implementation should not involve smart contracts on public blockchains, so as to minimize the attack surface associated with on-chain smart contracts.

III. Operation of Client Cold Wallets

According to paragraph 10.10 of the guidelines, platform operators should ensure that:
(a) comprehensive procedures are in place for handling clients' virtual asset deposit and withdrawal requests, to guard against losses arising from theft, fraud, and other acts of dishonesty, professional misconduct, or omission;
(b) safeguards are in place against fraudulent requests or requests made under duress, and controls prevent one or more senior staff or employees from transferring assets to wallet addresses other than the client's designated address; and
(c) the destination address in a client's withdrawal instruction cannot be modified before the transaction is signed and transmitted to the relevant blockchain.

Seeds or private keys should be generated and protected on a cold wallet device isolated from any network. Platform operators should remain vigilant, as attacks can occur at any stage of the transaction lifecycle and lead to the misappropriation of assets. The security of client assets is only as strong as its weakest link.
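The end-to-end integrity controls described above (a destination that cannot change between creation, signing and transmission, verified independently at each stage, with a final comparison of the signed transaction against the unsigned original) as an added Python illustration that is not from the circular or any platform operator; the per-client destination whitelist, the field names, the HMAC standing in for an HSM signature, and all sample values are constructed assumptions.

```python
import hashlib
import hmac
import json

# Constructed sample data: approved withdrawal addresses per client (a whitelist).
WHITELIST = {"client-001": {"addr-whitelisted-1", "addr-whitelisted-2"}}
# Stand-in for the cold wallet signing key; in practice this lives inside an HSM.
SIGNING_KEY = b"demo-only-signing-key"
TX_FIELDS = ("client_id", "asset", "amount", "destination")


def canonical(tx):
    """Canonical bytes of the transaction fields covered by the integrity checks."""
    core = {k: tx[k] for k in TX_FIELDS}
    return json.dumps(core, sort_keys=True, separators=(",", ":")).encode()


def create_transaction(client_id, asset, amount, destination):
    """Stage 1: reject non-whitelisted destinations, then pin the request's digest at creation."""
    if destination not in WHITELIST.get(client_id, set()):
        raise ValueError(f"{destination} is not on the whitelist for {client_id}")
    tx = {"client_id": client_id, "asset": asset, "amount": amount, "destination": destination}
    tx["intent_digest"] = hashlib.sha256(canonical(tx)).hexdigest()
    return tx


def sign_transaction(unsigned):
    """Stage 2: the signing terminal recomputes the digest from the details it displays.
    A mismatch means the request changed between creation and signing, so signing halts."""
    if hashlib.sha256(canonical(unsigned)).hexdigest() != unsigned["intent_digest"]:
        raise ValueError("transaction details changed since creation; signing halted")
    signed = dict(unsigned)
    signed["signature"] = hmac.new(SIGNING_KEY, canonical(unsigned), "sha256").hexdigest()
    return signed


def verify_before_broadcast(signed, original_unsigned):
    """Stage 3: final check before transmission. The signed transaction must match the original
    unsigned one field for field (nothing changed, inserted or removed) and carry a valid signature."""
    if set(signed) != set(original_unsigned) | {"signature"}:
        return False  # parameter inserted or removed after signing
    if any(signed[k] != original_unsigned[k] for k in original_unsigned):
        return False  # e.g. destination swapped after signing
    expected = hmac.new(SIGNING_KEY, canonical(signed), "sha256").hexdigest()
    return hmac.compare_digest(signed["signature"], expected)


def process_withdrawal(client_id, asset, amount, destination, tamper=None):
    """Run all three stages; `tamper` optionally mutates the signed transaction to show detection."""
    unsigned = create_transaction(client_id, asset, amount, destination)
    signed = sign_transaction(unsigned)
    if tamper is not None:
        tamper(signed)  # simulates an alteration between signing and transmission
    return verify_before_broadcast(signed, unsigned)
```

Each stage trusts only what it can recompute itself, so a request altered at any point between creation and broadcast fails the next check rather than reaching the chain.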
Platform operators should: (a) regularly conduct comprehensive assessments of potential attack vectors, including before implementing any major change (e.g., a change of process, system, or authorized personnel); and (b) establish multiple independent data integrity checks at different stages of the transaction process, providing end-to-end integrity protection from transaction creation to transmission and ensuring proper segregation of duties.

Platform operators should implement robust, systematic controls to prevent unauthorized transactions from cold wallets, and adopt whitelist controls to prevent assets from being transferred to unauthorized wallet addresses. Any modification or addition to the cold wallet whitelist should be strictly controlled and supervised. Every transaction must undergo systematic verification to ensure that only authorized transactions are executed and that no unauthorized or unexpected parameters are present. Devices used to approve transactions should be dedicated, with restricted functionality and network connectivity, and isolated from general-purpose work devices to reduce the risk of compromise. Platform operators should perform integrity checks on critical transaction data using devices kept in a cold, network-isolated environment; these devices should require physical access to modify their code, so that the data integrity verification process can be relied upon. Where transactions require human review before signing, all transaction details should be displayed to the signatory in a clear, easily readable format.

Good Practices

(a) Company A has implemented a cold wallet system comprising a network-isolated HSM and hardened signing terminals housed in a cold wallet storage facility. The area is protected by a robust multi-factor access control system, and all entry and exit records are retained. The storage facility is equipped with cameras for continuous surveillance and recording. These rigorous physical controls reduce the risk of intrusion into the signing terminals and strengthen confidence in the controls executed on them. Before signing, the signing terminals display the complete transaction details to the signatory, preventing blind signing and reducing the risk of an insider substituting a pending transaction or inserting hidden malicious parameters. If the displayed transaction details do not match the intended transaction, the signing terminal terminates the process and alerts the signatory with an on-screen notification. The signing terminal also enforces systematic whitelist controls at transaction creation to prevent external and internal threats from tampering with destination addresses: for each transaction, the terminal cross-checks the destination address against the whitelist, and if the address is not on the whitelist the terminal halts the operation and notifies the security team.

(b) Company B uses hardware devices designed specifically for reviewing and approving transactions. These devices are used only for wallet operations, ensuring clear physical segregation from the approvers' day-to-day activities.

(c) Company C has implemented a final-stage data validation check before transmission as an additional end-to-end verification measure. After signing and before a signed blockchain transaction is transmitted, the system compares the signed transaction with the original unsigned transaction. If any difference is detected, the signed transaction is not transmitted.

IV. Use of Wallet Solutions and Third-Party Service Providers

According to paragraphs 12.8 and 12.10 of the guidelines, platform operators should ensure that any change to a system (e.g., implementing a new system or upgrading an existing one) is tested before deployment. Platform operators should also review their platforms regularly to maintain their integrity, reliability, security, and capacity, and have robust contingency measures in place. According to paragraph 12.6 of the guidelines, where the platform or any associated activity is provided by or outsourced to a third-party service provider, platform operators should conduct appropriate due diligence and ongoing monitoring, and make proper arrangements to ensure compliance with the guidelines.
Platform operators must strictly enforce segregation of duties and comprehensive controls over wallet system code management, whether the code base is developed in-house or supplied externally. These controls include code review, testing, software supply chain management, management approval, secure deployment practices, and other quality assurance procedures, so as to reduce the risk of malicious code being inserted by external attackers or malicious developers. All procedures should be documented and leave an audit trail. Administrators' access to the system (whether for deployment or upgrade) must be strictly controlled in line with the principles of least privilege and separation of privilege and with recognized industry best practice.

Assessments of third parties should include an independent code review and a thorough understanding of the provider's software development and release processes before a business relationship is established or a significant change is implemented. Such assessments ensure that the provider's processes are robust enough to prevent the insertion of malicious code or the introduction of security vulnerabilities. Where a third-party wallet solution is used, in addition to due diligence on the provider before adoption, platform operators should review the provider on an ongoing basis to ensure full compliance with the guidelines. Ongoing review includes regular assessment of the provider's security controls and operational processes, timely reporting of incidents and emerging risks, and regular testing of the provider's disaster recovery capability. Platform operators should conduct periodic inherent risk assessments covering third-party dependencies and vulnerability management, and implement mitigation measures to reduce residual risk. According to paragraph 12.13 of the guidelines, platform operators should also regularly commission independent cybersecurity assessments of the deployed systems.
As an ongoing measure, platform operators should establish incident handling procedures and business continuity plans, and conduct drills. Platform operators should regularly conduct end-to-end exercises together with third-party solution providers to ensure that business continuity plans meet the recovery time objectives set by the Securities and Futures Commission.

V. Continuous Real-Time Threat Monitoring

According to paragraphs 12.12(f) and 12.14 of the guidelines, platform operators should:
(a) implement sufficient security monitoring of the platform's infrastructure, including establishing a Security Operations Centre (SOC) or an equivalent, adequately resourced function responsible for all security surveillance processes and technologies and acting as the coordinator for effective incident detection; and
(b) establish written policies and procedures specifying how suspected or confirmed cybersecurity incidents are to be reported.

Platform operators should reconcile clients' on-chain assets against ledger balances in real time. If any unexpected transaction causes a discrepancy, the platform operator should immediately notify the SOC or equivalent monitoring team and work with the relevant teams to take appropriate action. The SOC should work closely with domain experts in wallet management, operations, and technology to regularly evaluate and refine alerts and their parameters. Senior management should oversee this process to ensure that alert thresholds are tuned effectively for the timely detection of potential issues. Platform operators should establish robust mechanisms to detect unauthorized access to or intrusion into critical wallet infrastructure, including cold wallet vaults, signing devices, databases, production software, and code repositories.
Given the complexity and importance of custodial systems, a platform operator's monitoring should cover the custodial system and its dependencies, including vendors, technologies, blockchain protocols, cryptographic software, and common libraries that could affect the security of client assets. The monitoring framework should take account of significant industry incidents and publicly disclosed vulnerabilities that may threaten the robustness of the custodial system and its components. Because virtual asset platforms and blockchain activity run continuously, platform operators should monitor security around the clock, including on holidays. Platform operators should allocate sufficient resources to deal with emergencies and have procedures for mobilizing additional resources to handle incidents outside normal business hours. Platform operators should establish a systematic framework for triaging security alerts and incident responses by severity, and assign the appropriate response procedure to each level.

Good Practices

Some firms have implemented effective round-the-clock monitoring that can identify an industry incident appearing on social media immediately after it occurs, even in the middle of the night Hong Kong time. In one such case, although the incident did not directly affect the firm's custodial system, its severity was significant enough for the security team to report it to senior management immediately. An incident response team of suitable professionals, including senior management and technical and security staff, was formed quickly, both to assess the incident's potential impact on the custodial system comprehensively and to monitor developments closely.

VI. Training and Awareness

According to paragraph 12.5 of the guidelines, platform operators are required to deploy qualified personnel with sufficient expertise, technical resources, and financial support for the design, development, deployment, operation, and modification of the platform, and to provide personnel with adequate onboarding and ongoing training to perform their specific duties, as senior management is required to ensure under section III(3) of the Internal Control Guidelines. Platform operators should ensure that transaction signatories are fully trained to understand verification requirements and the correct handling procedure when an exception or uncertainty arises during a transaction. Platform operators should take robust measures to prevent blind signing and ensure effective manual review or approval of transactions.

Good Practices

In addition to regular security awareness training, Company C trains employees in transaction verification, with specific emphasis on avoiding errors in manual verification procedures. Since most cyber attacks originate from social engineering, particularly phishing, Company B runs monthly phishing simulation exercises for all employees to reinforce the importance of security.