Wayne HUI | Area Vice President, AppSec & DataSec, Greater China and Korea
Quantum computing, data security, and technological complexity are becoming increasingly critical business considerations for Hong Kong’s banks, nearly all of which operate exclusively in the cloud.
New guidelines from the Hong Kong Monetary Authority (HKMA) seek to curb the fallout of these risks while “laying the groundwork for Hong Kong to lead in the next generation of financial innovation,” as stated by Arthur Yuen, Deputy Chief Executive, HKMA.
Earlier in 2026, the HKMA released the Practice Guide on Cloud Adoption and the Fintech Promotion Blueprint. Their goal is to empower Hong Kong’s financial services industry to accelerate the safe and responsible adoption of more sophisticated financial technology, and to set boundaries for safe cloud adoption by humans and AIs alike.
This post will break down the basic requirements of each, their forward-looking objectives, and how Thales helps Hong Kong’s FSI sector keep pace with these changes.
Like the rest of the digitally connected world, Hong Kong’s FSI organizations are increasingly susceptible to emerging trends that threaten data, call into question AI, and target weak encryption.
As the Thales 2026 Data Threat Report asserts, “data security has taken center stage” as the foundation for successful AI initiatives. For that reason, the report’s insights are doubly concerning: 47% of sensitive data in the cloud remains unencrypted, and 66% of businesses are unsure of where all their sensitive data is stored.
The report also notes that 52% now regard IAM as the most pressing security discipline in the AI era, and that 67% have witnessed an increase in stolen secrets across cloud environments.
Despite rapid adoption, or perhaps because of it, 61% report that their AI applications are being actively exploited by attackers, and 48% have been the victim of AI-fueled attacks.
Where post-quantum cryptography is concerned, it is in the nascent action stages for the majority: 59% are prototyping or evaluating PQC algorithms as we speak.
Against this backdrop, 95% of Hong Kong banks have integrated fintech solutions within the past few years, “from mobile apps that enable remote account opening...to the adoption of Artificial Intelligence...”
This opens the windows wide to data threats due to porous access, weak encryption, AI risks, and (especially) quantum computing attacks. The new guidelines and requirements from the HKMA attempt to mitigate these.
The Practice Guide on Cloud Adoption applies to authorized institutions, such as banks, Stable Value Funds (SVFs), and HKMA-regulated entities. While not required by law, the guidelines are quasi-mandatory, enforceable by regulatory powers and supervisory expectations. They provide a set of “high-level principles for managing cloud-related risks,” including cloud resilience, AI involvement, and IAM in the cloud.
The Fintech Promotion Blueprint applies to all Hong Kong banks and fintechs under HKMA supervision and provides strategic expectations and Key Priorities, including advanced customer-facing AI, tokenization, high-performance computing, data excellence, and cyber resilience. It also provides a Blueprint for implementing the suggested changes, broadly covering Ecosystem Collaboration, Technological Advancement, and Talent & Outreach.
As a strategic partner, Thales offers solutions that enable Hong Kong’s financial institutions to meet the HKMA’s recent requirements.
Independent Control over Encryption Keys
In the Practice Guide on Cloud Adoption, the HKMA outlines the following practice:
“Exercising independent control over encryption keys, where practicable, through approaches such as Bring Your Own Encryption (BYOE), Bring Your Own Key (BYOK), or Hardware Security Modules (HSMs).”
Thales CipherTrust Key Management unifies all cloud Key Management Services into a single pane of glass, providing centralized visibility across regions for cloud-native, BYOK, and HYOK keys, all via one intuitive UI.
Cryptographic Key Management
The Cloud Guide also suggests that HK FSI organizations engage in:
“Maintaining comprehensive cryptographic key management policies and procedures, covering justification, secure generation, unique assignment, rotation, backup, deletion, and regular review throughout the key lifecycle.”
Thales CipherTrust Data Security Platform is the business end of such policies, centralizing encryption key management while enforcing data access policies that maintain compliance with the strongest encryption standards.
Data Classification
Under the Guide, data protection includes “classifying data by sensitivity and criticality... and applying appropriate protection measures such as de-identification, pseudonymization, or anonymization where appropriate.”
CipherTrust Data Discover and Classification finds and classifies both structured and unstructured data, in the cloud and across on-prem and hybrid environments.
Secure App Development
Principle 5B of the Cloud Guide, “Secure Architecture & Deployment,” lays out the following application security Good Practice:
“Incorporating established secure development disciplines such as systematic threat analysis and adherence to widely recognised application security principles across the entire lifecycle of cloud applications.”
Thales Application Security Platform is built specifically to protect applications and APIs at every stage of their lifecycle: from design to testing to runtime. It continuously discovers all APIs (including shadow and deprecated APIs), identifies flaws and continuously maps them against known vulnerabilities and design weaknesses, and aligns with OWASP standards.
Least-Privilege Access for APIs
In the same section, the HKMA also suggests that FinServ organizations must be:
“Protecting APIs and micro-services through least-privilege access, strong authentication, active monitoring, timely decommissioning of unused interfaces, and safeguards for service discovery and mesh functions.”
Here again, Thales Application Security (API Security and WAAP) is designed to limit unauthorized access to APIs and microservices at scale. It provides real-time monitoring of all API traffic, detects authentication gaps, and enforces least-privilege access, so only approved API calls, parameters, and behaviors are allowed.
The Fintech Promotion Blueprint states that the HKMA will develop a Quantum Preparedness Index to measure the “strategic awareness and operational readiness” of HK FSI organizations within the sector.
A “target index” will follow, complete with a roadmap outlining potential future steps toward quantum readiness.
While not a strict requirement, it speaks to the expectation and unspoken mandate for Hong Kong’s banks to be quantum-ready. To this end, Luna HSM and CipherTrust Key Manager give financial security leaders a head start.
CipherTrust already includes quantum-resistant algorithms, and Luna HSM provides “production-ready, NIST-approved post-quantum cryptography (PQC)” for teams looking to make the transition.
Thales leadership in post-quantum cryptography innovation and data security through secure access makes it an ideal strategic partner for Hong Kong’s pace-setting financial sector.
Hong Kong’s banks are not only competing for customer retention and a regulatory check mark; they are collectively striving to attain the “technological leadership that will strengthen [their] position as a premier international financial centre.”
Thales solutions are uniquely positioned to help Hong Kong’s financial services industry protect against new data threats, adopt AI responsibly, embrace new fintech innovations, and prepare for a post-quantum future.
Download the Thales compliance brief to explore how financial institutions can operationalize the HKMA Practice Guide on Cloud Adoption and comply with the Fintech Promotion Blueprint.