Cyber risk management – the HKMA’s Regtech Adoption Practice Guide

On 26 January 2022, the Hong Kong Monetary Authority (HKMA) published its fifth edition of the Regtech Adoption Practice Guide (the Guide) focusing on cyber risk management regulatory technology (Regtech) solutions. The Guide provides authorised institutions (AIs) with information on the latest Regtech developments, practical guidance on implementation and provides example use cases to show how other institutions have addressed the challenges that arise in managing cyber risks.

Leveraging Regtech Solutions for Cyber Risk Management

The Guide identifies some of the key cyber risk challenges that AIs face, including difficulties in keeping up with the rapidly-changing nature of cyber risk, increased usage of and reliance on third-party services, and the lack of awareness of cyber risks, both amongst personnel and the general public.

The Guide highlights some of the benefits of adopting cyber risk management Regtech solutions in the face of these challenges. By following the Guide’s recommendations, AIs should be in a better position to protect their operations by identifying cyberattack attempts at an early stage, developing vulnerability management solutions, and responding swiftly to cyber incidents.

In particular, AIs are advised to have in place a holistic cybersecurity programme and roadmap in light of the various Regtech solutions to support the planning and adoption of security solutions. Some of the practical considerations for AIs to bear in mind when preparing this roadmap include conducting a cost-and-benefit analysis, assessing the compatibility of Regtech solutions with the AI's existing security solutions, and developing training programmes for relevant personnel, as well as processes to facilitate and review the Regtech solutions on an ongoing basis. 

Implementation Guidance

The Guide includes the HKMA’s guidance on a number of specific considerations for AIs, including:

  • Formulating a cross-functional implementation team by engaging individuals from different competencies to ensure adequate representation from all relevant stakeholders.
  • Conducting business case analysis by evaluating the different solutions available.
  • Conducting evaluation of prospective vendors before committing to a particular Regtech solution.
  • Carrying out a proof of concept test to ensure the effectiveness of a Regtech solution and that it is conducive to the AI's business objectives.
  • Other ongoing measures to facilitate the implementation of Regtech solutions; security operation processes should be updated on an ongoing basis.

Regtech Use Cases

The HKMA presents two use cases showing successful cyber risk management implementation in the Guide, which describe in detail the stages of implementation involved and the key lessons learned.

The Guide sets out the cyber risk management approach adopted by the AI in the use cases and outlines some of the key takeaways and methodologies. These include conducting on-going testing, configuring the Regtech solution, conducting proof of concept, defining use cases and end-goals, defining roles and responsibilities of team members, integrating the solution with existing functions, and upgrading to new capabilities.

Take-Aways for Legal and Compliance Teams and Next Steps

Regtech promises effective and efficient compliance solutions for AIs facing increasingly challenging compliance requirements.The Guide highlights how important Regtech can be in areas of critical operational risk, such as cyber security.

However, it is important to understand that Regtech solutions raise important legal and compliance issues, such as:

  • Regtech solutions need to be assessed against the applicable regulatory requirements, taking into account applicable HKMA regulations, data protection laws, and other relevant considerations.
  • In the context of cyber security incident response, Regtech solutions also need to be integrated with response plans and operating procedures.
  • Agreements with Regtech vendors need to be carefully drafted and negotiated to reflect commercial considerations, AI risk management policies, and compliance with technology risk management and outsourcing requirements, where applicable.

Please see here for the link to the Regtech Adoption Practice Guide: Fifth Issue of Regtech Adoption Practice Guide Cyber Risk Management (


This website is operated by Hogan Lovells International LLP, whose registered office is at Atlantic House, Holborn Viaduct, London, EC1A 2FG. For further details of Hogan Lovells International LLP and the international legal practice that comprises Hogan Lovells International LLP, Hogan Lovells US LLP and their affiliated businesses ("Hogan Lovells"), please see our Legal Notices page. © 2024 Hogan Lovells.

Attorney advertising. Prior results do not guarantee a similar outcome.