Management Summary
- Purpose / Background: The HKMA is issuing this circular to share observed good practices for addressing residual operational resilience vulnerabilities. This follows the industry-wide implementation of the Supervisory Policy Manual (SPM) module OR-2 and serves as a guide for AIs during the final stage of their resilience journey.
- One-line conclusion: AIs must review and integrate the HKMA’s identified "good practices" into their operational resilience frameworks to ensure robust risk management and full compliance by 31 May 2026.
- Key Changes:
  - Shift in focus from initial mapping and testing to "last mile" vulnerability assessment and remediation.
  - Adoption of a "resilience-first" and "resilience by design" mindset in ICT and cyber strategies.
  - Enhanced integration of operational resilience into Third-Party Risk Management Frameworks (TPRMF).
  - Refinement of Business Continuity Planning (BCP) and incident management to shrink recovery time objectives (RTOs) under extreme disruption scenarios.
- Key Dates / Deadlines: 31 May 2026 (Deadline for securing full operational resilience).
- Applicability / Impact scope: All Authorized Institutions (AIs).
- Recommended management actions:
  - Perform a gap analysis comparing current frameworks against the "good practices" highlighted in the Annex.
  - Evaluate residual risks and vulnerabilities identified in prior testing/mapping exercises.
  - Update ICT, cyber, and third-party risk policies to reflect "resilience by design" principles.
  - Enhance BCP and incident management programs to meet tighter tolerance levels for extreme disruptions.
  - Engage internal stakeholders to finalize "last mile" improvements before the 31 May 2026 deadline.
Detailed Summary
- Document overview: This circular provides guidance on operational resilience, building upon the requirements of SPM module OR-2. It aims to assist AIs in identifying and mitigating residual vulnerabilities through industry-tested good practices.
- Main requirements: AIs are expected to align their frameworks with the following four pillars:
  - ICT Risk Management: Eliminate single points of failure, enhance asset recovery, and adopt "resilience by design."
  - Cyber Security: Strengthen the full lifecycle of cyber risk management through individual capability uplift and ecosystem collaboration.
  - Third-Party Dependency: Integrate resilience into the TPRMF, covering governance, contracts, risk monitoring, and exit strategies.
  - BCP & Incident Management: Optimize recovery timelines to ensure the institution remains within established disruption tolerances during extreme events.
- Key changes: The regulatory focus has evolved from foundational framework implementation to the "last mile" of operational stability, specifically addressing the outcomes of previous simulations and testing to eliminate identified residual vulnerabilities.
- Important dates & transition
  - 31 May 2026: Final deadline for AIs to secure and demonstrate full operational resilience.
  - Post-May 2026: The HKMA will shift supervisory focus toward long-term sustenance and continuous improvement of resilience postures.
- Impact and risks
  - Operational: Potential requirement to redesign ICT architecture to remove single points of failure.
  - Compliance: AIs failing to address residual risks by the deadline may face heightened supervisory scrutiny.
  - Third-Party: Existing vendor contracts and monitoring frameworks may require renegotiation or adjustment to meet new resilience standards.
- Compliance action checklist
  - Review internal assessment results against the four pillars mentioned above.
  - Conduct a stress test or simulation specifically targeting identified "residual vulnerabilities."
  - Update vendor exit strategies and contractual resilience clauses.
  - Prepare documentation for HKMA supervisory review to demonstrate progress ahead of the May 2026 deadline.
- Appendices/attachments summary
  - Annex (Good Industry Practices): Provides technical details on implementing the four pillars (ICT, Cyber, Third-Party, and BCP). It serves as a practical blueprint for AIs to refine their risk management frameworks and ensure operational continuity during extreme stress.