From Complacency to Compliance: Securing Critical Mainframe Systems in Hong Kong and Beyond

I’ve had many conversations with CISOs and IT security consultants where they tell me that security assessments, penetration testing and vulnerability scans have been non-existent on their mainframes. Such services have simply never been done “on platform”—putting into question just how secure these systems really are against a cyberattack. That situation has to change.
As in so many other regions worldwide, Hong Kong faces a rising tide of cybercrime, with 2024 seeing a 65.2% increase in cybersecurity incidents, according to the Hong Kong Computer Emergency Response Team Coordination Centre. In the first half of 2025, the region recorded 8,142 cyber security incidents, an increase of around 49% year-on-year. The South China Morning Post reported, “Losses in first six months of year hit HK$3.04 billion, while those specifically from hacking attacks surged tenfold to HK$39.4 million.”
Protecting and Defending Critical Mainframe Infrastructure
People still think that you can’t hack a mainframe unless you have someone on the inside. That’s not true. All it takes is one person getting past a firewall on the perimeter; with all the resources now available, including AI, they can potentially write programs to elevate privileges and gain carte blanche access: the keys to the kingdom. All it takes is one breach, one vulnerability … and hackers are both patient and persistent.
Whilst the mainframe is a very secure platform, it’s not impregnable—and it’s now part of a wide area network. However, this may not necessarily be the perception in Asia Pacific because, in mainframe security terms, I think we lag a little behind North America and Europe. But this is a global issue, of course. And the best way to prove whether your platform is secure is close scrutiny via a security assessment, pen test or vulnerability scan.
New Threats, New Compliance
The situation has become more acute in my own patch with new legislation from the Hong Kong Legislative Council coming into effect in January 2026. The Protection of Critical Infrastructure (Computer Systems) Bill seeks to boost the resilience of critical systems and to enhance cybersecurity for key services (similar in some ways to DORA in Europe). The HK ordinance covers sectors such as energy, banking and financial services, transport, healthcare and telecommunications.
If you maintain a physical address or office in Hong Kong, you will need to do the following:
- Establish a dedicated computer system security management (CSSM) unit
- Develop and implement CSSM plans aligned with international standards (e.g., ISO 27001, NIST)
- Conduct annual risk assessments and biennial independent audits
- Ensure compliance by any third-party service providers
Other requirements include security drills at least every two years, submitting emergency response plans and reporting serious incidents within 12 hours. Compliance extends to critical systems hosted outside Hong Kong.
The bill also comes with financial penalties. Non-compliance will trigger fines ranging from HKD 500,000 (USD 65,000) to HKD 5 million (USD 640,000), and additional daily fines of up to HKD 100,000 (USD 13,000) for ongoing breaches. I hear that criminal penalties are also planned. And the problem is, organizations are unprepared.
Compliance in a Heightened Threat Landscape
Under the legislation, the Hong Kong Monetary Authority (HKMA) will oversee banking sector compliance, with a unified reporting channel for incidents. And organizations need to act now, because the clock is ticking. The designation of Critical Infrastructure Operators (CIOs) and Critical Computer Systems (CCS) starts in mid-2026.
In parallel, the cyber risks will only increase, with AI-driven attacks and ransomware threatening banking systems and potentially disrupting critical services. The reasons suggested for recent cybersecurity incidents in Hong Kong range from a lack of multi-factor authentication for remote access, a lack of monitoring of third-party service providers, inadequate data security management and inadequate information security policies to insufficient security audits.
By 2025, the average global cost of a data breach was being reported as USD 4.44 million, with U.S. organizations seeing an average cost of USD 10.22 million, according to IBM’s “Cost of a Data Breach Report 2025.” So it’s little wonder that CISOs are starting to push back on their infrastructure teams to more clearly understand the state of their mainframe systems’ security posture, not least to ensure they meet the basic compliance requirements of the new bill.
Mitigating the Risks, Reducing Your Exposure
An analysis of 2024 incidents by the Hong Kong Police Force Cyber Security and Technology Crime Bureau indicated three recurring issues: “Inadequate access control and configuration, outdated and unpatched systems, lack of effective threat detection mechanisms.” It all sounds very familiar. And while these are all solvable issues, a lack of expert personnel with the right skills can be a major stumbling block.
Indeed, while most organizations will agree on the importance of mainframe security as part of an end-to-end zero trust strategy, including basic tasks like avoiding misconfiguration and ensuring good integration with enterprise applications, the same organizations face a shortage of people with specialist mainframe experience.
For many, the first step is securing the services of experts. But there are pitfalls to avoid. Many providers, including the big consulting and accounting firms, will happily perform a security or systems audit for you. Beware: This could add to the complacency, to a false sense of security that systems are protected and compliant, as it will most likely be a checklist exercise by individuals with little or (more likely) no experience on the mainframe. They will almost certainly not request actual access to the platform. But that level of “due diligence” will no longer cut it, in terms of the new bill and the Hong Kong Monetary Authority.
Next Steps
A valuable starting point is deciding whether you need a security assessment, penetration test, vulnerability scan or perhaps a combination.
A security assessment is a comprehensive evaluation designed to understand and improve your overall security posture. A penetration test is a focused and entirely safe attack simulation that identifies exploitable vulnerabilities in your mainframe environment, such as escalating user privileges or exploiting poorly configured dataset profiles. It is typically executed after a security assessment and remediation, to validate the tightened security posture. Vulnerability scanning, meanwhile, analyzes your platform for backdoors, weaknesses and vulnerabilities that criminals can exploit. It’s a way to check and validate essential controls and achieve a more proactive security stance.
There are many other options available. For example, in an interconnected world, does your mainframe team have complete visibility of traffic flowing into and out of your network, with the opportunity to exert access controls? Network discovery tools and activities like network micro-segmentation help to further secure your platform and increase resilience. And the list goes on: What about those mundane but essential security housekeeping activities like patch management and certificate management?
Approaches such as these, delivered by genuine mainframe experts, could ultimately save your platform from an as-yet-unknown cyber attack, protecting your organization, data and customers. And if you’re subject to increasingly strict cybersecurity regulations—not only in Hong Kong but in every other part of the world—these services can help you to achieve the compliance you need.