The Hong Kong Securities and Futures Commission has released a cybersecurity report that licensed Web3 companies must read.

1 year ago

How Should Licensed Web3 Companies Address Cybersecurity Issues?

Written by: Iris

Cybersecurity has always been a "deep-seated pain" in the Web3 industry.

According to data from the SlowMist security team, losses from security incidents and phishing reached nearly $100 million in January 2025 alone, and that is only the tip of the iceberg for the industry. Each year, projects and individual users lose anywhere from over a billion to tens of billions of dollars to cybersecurity issues.

Therefore, cybersecurity for Web3 projects has always been critical.

On February 6, 2025, the Hong Kong Securities and Futures Commission (SFC) released a report titled "2023/24 Licensed Corporation Cybersecurity Thematic Review Report," which pointed out that for licensed companies, it is crucial to recognize that cybersecurity is not solely the responsibility of the IT department. In fact, senior management of licensed companies plays a key role in overseeing and implementing robust cybersecurity measures to protect their organizations from evolving threats.

So, how should licensed Web3 companies address cybersecurity issues?

In this article, Lawyer Mankun breaks down the SFC's report, highlighting its key points and offering some reference strategies.

Senior Management as the Primary Responsible Party

In the past, we often attributed security issues of projects/products to the company's IT team, believing they were the main responsible party.

However, under the regulatory framework of the Hong Kong SFC, senior management of licensed companies is not only at the core of corporate strategic decision-making but also the primary responsible party for cybersecurity compliance, bearing ultimate responsibility for any legal liabilities arising from cybersecurity failures. The SFC clearly states that all of the following personnel fall within the category of senior management and must assume cybersecurity regulatory responsibilities:

  • Responsible Officers (RO)

  • Executive and Non-Executive Directors

  • Managers-in-Charge (MIC)

The Hong Kong SFC emphasizes that cybersecurity is not just the responsibility of the IT department but an important component of corporate governance. Therefore, senior management must ensure that the company establishes and maintains a robust cybersecurity control system and supervises the implementation of security measures at a strategic level. This responsibility requires management to not only be aware of cybersecurity risks but also to ensure that the company takes appropriate measures to mitigate these risks and comply with SFC regulatory requirements.

Additionally, cybersecurity compliance requirements extend beyond technical controls and involve shaping corporate culture. Corporate management should actively promote security awareness training, establish a security responsibility system, and foster a "cybersecurity first" culture within the organization. Only when management truly views cybersecurity as an integral part of enterprise risk management can licensed Web3 companies maintain secure and stable operations in a complex and ever-changing cyber threat environment.

The Most Easily Overlooked Internal Security Vulnerabilities

The Web3 industry has seen a plethora of security incidents; however, many of these attacks stem not from sophisticated hacker techniques but from the security management deficiencies of licensed companies themselves.

The Hong Kong SFC pointed out in its report that many licensed companies still have two critical weaknesses in their cybersecurity management. These weaknesses often become entry points for attackers, directly threatening customer data and transaction security, and can also trigger compliance risks.

Use of Outdated Software

The continued use of outdated software by licensed Web3 companies is a significant cybersecurity vulnerability highlighted in the SFC report.

Since these software programs no longer receive security updates, patches, or technical support from vendors, newly discovered vulnerabilities remain unpatched, providing cybercriminals with opportunities to exploit these weaknesses for malware attacks, leading to data breaches and system intrusions.

To mitigate this risk, Web3 companies must implement a structured software lifecycle management process, with management directly responsible for assessing the risks associated with software assets. In this regard, companies may consider the following measures in their business operations where applicable:

  • Establish a software update mechanism. Maintain an updated list of all software and operating systems within the company, proactively identify software nearing expiration, and set up a regular evaluation process.

  • Plan upgrade strategies in advance. Proactively plan upgrades or replacements before vendors officially end support to ensure business continuity and avoid temporary disruptions.

  • Implement temporary mitigation measures. Apply security controls such as access restrictions and network isolation for systems that cannot be upgraded immediately.

  • Conduct regular vulnerability assessments. Licensed companies can establish ongoing security monitoring mechanisms to ensure that software risks are identified and addressed in a timely manner.

Furthermore, senior management of Web3 companies should ensure that the IT team has sufficient resources to effectively manage the software lifecycle, preventing unnecessary risks to customer data and financial assets due to failure to upgrade critical systems.

Weaknesses in Encryption Algorithms

Encryption algorithms are the core defense for protecting customer data, ensuring transaction security, and complying with regulatory requirements. However, the Hong Kong SFC pointed out in its report that some licensed companies still rely on outdated or weak encryption algorithms, exposing sensitive financial information and personal data to significant cybersecurity risks, such as data breaches and unauthorized account access.

Here are the main encryption vulnerabilities listed by the SFC:

  • Use of outdated algorithms, such as MD5, SHA-1, or older RSA implementations, which are susceptible to modern cryptographic attacks.

  • Insufficient key lengths, such as RSA keys shorter than 2048 bits or AES keys shorter than 128 bits, making brute-force attacks more feasible.

  • Poor key management, such as reusing keys across multiple environments, failing to rotate keys regularly, or storing encryption keys in insecure locations.

To mitigate these risks, licensed Web3 companies can implement encryption protocols that meet industry standards to enhance data protection capabilities and ensure compliance with SFC regulatory requirements, including:

  • Adopting strong encryption algorithms, such as Advanced Encryption Standard (AES-256), to ensure that both static and transmitted data are protected with high strength.

  • Upgrading to more secure key systems, such as using Elliptic Curve Cryptography (ECC) as an alternative to RSA, which provides higher security while reducing key length requirements and improving computational efficiency.

  • Implementing end-to-end encryption (E2EE) to ensure that data remains encrypted during transmission, preventing man-in-the-middle attacks or unauthorized access.

  • Strengthening key management mechanisms to avoid using the same key across multiple environments, regularly rotating keys, and ensuring that key storage meets the highest security standards (e.g., Hardware Security Modules - HSM).

  • Conducting regular cryptographic audits, with at least an annual encryption compliance review, to ensure that all encryption measures meet the latest industry standards and regulatory requirements.
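The weaknesses and controls listed above can be checked mechanically against a cryptographic asset inventory. The script below is an added example written for this article, not code from the SFC report or any vendor; the inventory entries are constructed, and the 256-bit ECC minimum, the 365-day rotation window and the HSM/KMS storage requirement are assumed policy values rather than figures from the report.

```python
"""Audit a cryptographic asset inventory for the weaknesses the SFC report lists."""
from collections import defaultdict
from datetime import date

# From the report: MD5/SHA-1 are obsolete; RSA keys must be >= 2048 bits, AES keys >= 128 bits.
# The ECC minimum, the 365-day rotation window and the HSM/KMS requirement are assumed policy values.
DEPRECATED_ALGORITHMS = {"MD5", "SHA-1", "SHA1"}
MIN_KEY_BITS = {"RSA": 2048, "AES": 128, "ECC": 256}
MAX_KEY_AGE_DAYS = 365
APPROVED_KEY_STORES = {"hsm", "kms"}


def audit_inventory(assets, today):
    """Return (asset_or_key_id, finding) tuples; an empty list means the inventory passed."""
    findings = []
    envs_by_key = defaultdict(set)  # key_id -> environments that share it
    for a in assets:
        alg = a["algorithm"].upper()
        if alg in DEPRECATED_ALGORITHMS:
            findings.append((a["name"], f"deprecated algorithm {alg}"))
        elif alg in MIN_KEY_BITS and a.get("key_bits", 0) < MIN_KEY_BITS[alg]:
            findings.append((a["name"], f"{alg} key of {a['key_bits']} bits is below {MIN_KEY_BITS[alg]}"))
        if a["key_store"] not in APPROVED_KEY_STORES:
            findings.append((a["name"], f"key stored in {a['key_store']!r} rather than an HSM/KMS"))
        age = (today - date.fromisoformat(a["last_rotated"])).days
        if age > MAX_KEY_AGE_DAYS:
            findings.append((a["name"], f"key not rotated for {age} days"))
        envs_by_key[a["key_id"]].add(a["environment"])
    for key_id, envs in envs_by_key.items():
        if len(envs) > 1:  # the same key serving several environments
            findings.append((key_id, "key reused across environments " + ", ".join(sorted(envs))))
    return findings


# Constructed sample inventory (no real systems): one compliant entry and three with listed weaknesses.
SAMPLE_ASSETS = [
    {"name": "customer-db-at-rest", "algorithm": "AES", "key_bits": 256, "key_id": "k-101",
     "environment": "prod", "key_store": "hsm", "last_rotated": "2024-11-01"},
    {"name": "legacy-api-signing", "algorithm": "RSA", "key_bits": 1024, "key_id": "k-102",
     "environment": "prod", "key_store": "file", "last_rotated": "2022-03-15"},
    {"name": "file-integrity-check", "algorithm": "SHA-1", "key_id": "k-103",
     "environment": "prod", "key_store": "hsm", "last_rotated": "2024-12-01"},
    {"name": "staging-db-at-rest", "algorithm": "AES", "key_bits": 256, "key_id": "k-101",
     "environment": "staging", "key_store": "hsm", "last_rotated": "2024-11-01"},
]


def audit_sample(today_iso="2025-02-06"):
    """Run the audit on the constructed inventory as of the report's publication date."""
    return audit_inventory(SAMPLE_ASSETS, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for subject, finding in audit_sample():
        print(f"{subject}: {finding}")
```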

From a compliance perspective, weak encryption is not only a technical management oversight but may also lead to serious regulatory risks. In Hong Kong, regulations such as the Personal Data (Privacy) Ordinance impose strict data protection responsibilities on financial institutions, while global data security standards (e.g., ISO 27001, NIST) continue to raise the compliance thresholds for encryption technologies.

Therefore, if licensed Web3 companies fail to implement sufficiently strong encryption measures, they may face legal liabilities, a crisis of customer trust, and even regulatory penalties in the event of data breaches or unauthorized access. Additionally, senior management must view encryption security as a core compliance task of the enterprise, ensuring that encryption strategies are continuously optimized in line with industry security standards and emerging cyber threats, and effectively executed to safeguard customer data and ensure the long-term compliance operations of the enterprise.

External Cybersecurity Threats and Responses

In addition to internal vulnerabilities, external security dangers for Web3 are also prevalent, with phishing websites and airdrop scams being the most common.

Therefore, the Hong Kong SFC emphasized in its report that licensed companies must adopt more proactive security strategies to address the escalating threat of cyberattacks. In the Web3 business environment in particular, the high degree of digitization of funds, contracts, and digital assets amplifies the cybersecurity challenges well beyond those faced by traditional financial institutions.

Here are several high-risk areas highlighted by the SFC, along with targeted defense strategies:

Phishing Attacks

This is likely one of the most common and successful scams in the Web3 industry.

For Web3 companies, phishing is not just a simple fraud; it can also serve as an entry point for hackers to launch larger-scale attacks. Particularly in the Web3 space, phishing often precedes theft of funds, exploitation of smart contract vulnerabilities, malicious authorizations, or even private key leaks. Hackers create counterfeit trading websites, send fraudulent dApp links, or impersonate official teams to lure users into unknowingly disclosing sensitive information, ultimately leading to significant financial losses and security crises.

To mitigate these threats, Web3 companies must go beyond basic awareness training and adopt a multi-layered defense strategy, including:

Advanced Email Security Gateways (SEG)

Traditional email filters can no longer cope with the increasingly sophisticated phishing attacks. The SFC points out that licensed companies should deploy advanced email security gateways (SEG) to detect and block phishing email attacks. For instance, it is recommended to deploy AI-driven email security solutions to detect spoofed domains, suspicious attachments, and malicious links. These tools should also integrate real-time threat intelligence to block emerging phishing activities.

Implement Strong Authentication Mechanisms

Since phishing primarily targets login credentials, Web3 companies should enforce multi-factor authentication (MFA) across all critical systems, especially in environments involving trading platforms, private key management, hot wallet access, and compliance systems. Additionally, user account permissions should be minimized, adopting the principle of least privilege (PoLP) to limit the potential impact of phishing attacks.

Regular Employee Training and Simulated Phishing Tests

Employees are the first line of defense, but simple security training often fails to change habitual behaviors. Therefore, it is recommended that Web3 companies conduct a two-step approach: (1) provide ongoing cybersecurity awareness training specific to financial services and digital asset risks, ensuring employees can identify and report complex phishing attempts; (2) regularly conduct simulated phishing exercises to analyze and assess employees' security awareness and responses, thereby improving incident response protocols.

Establish Rapid Response and Emergency Mechanisms

Web3 companies should establish standardized procedures for reporting phishing attempts to ensure swift action is taken to investigate and mitigate threats before situations escalate. For example, in the event of a phishing incident, companies should quickly isolate affected accounts or systems and immediately initiate emergency response processes, including revoking malicious contract approvals, freezing affected funds, and notifying relevant regulatory bodies and customers. Additionally, any successful phishing intrusion should trigger forensic reviews and updates to internal security policies.

Transaction and Signature Security Alerts

In the Web3 context, malicious websites and dApps (decentralized applications) may induce users to sign malicious smart contract transactions. Therefore, companies should implement secure transaction confirmation mechanisms, such as explaining in detail in the wallet transaction interface which permissions a smart contract is requesting, and encouraging users to verify a transaction's behavior with simulation tools before authorizing it.

For Web3 companies dealing with virtual asset transactions, tokenized assets, and DeFi services, the risks of phishing have far exceeded traditional email scams. Hackers are no longer limited to sending malicious emails or phishing websites; instead, they employ more deceptive social engineering tactics, such as forging official communications, inducing users to approve malicious smart contracts, and even faking wallet signature requests, thereby bypassing conventional security protections and directly gaining control over users' virtual assets.

In response, the anti-phishing strategies of Web3 companies should not be limited to basic security awareness training but should also encompass wallet security management, smart contract interaction reviews, and strict transaction verification mechanisms to minimize potential risks.

Remote Access Security

Remote work has become the norm for Web3 companies, but it also increases the attack surface for cyberattacks. If remote access is not managed properly, hackers can access core systems through weak credentials, unencrypted connections, or compromised devices, posing serious security risks.

To ensure the security of remote access, it is recommended that Web3 companies take the following measures:

  • Enforce multi-factor authentication (MFA), especially when accessing management panels, private key storage systems, and financial transaction backends.

  • Use a Zero Trust Architecture (ZTA) to ensure that all access requests are rigorously verified, rather than relying solely on IP whitelisting or VPNs.

  • Monitor remote access logs to identify abnormal access patterns, such as unusual time periods, geographic locations, or device logins.

  • Encrypt all remote connections using end-to-end encryption (E2EE) and enterprise-grade VPNs to prevent man-in-the-middle attacks.
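The log-monitoring measure above (unusual time periods, locations, or devices) can be put into a small detector. This is an added example written for this article, not code from the SFC report or any product: the log format, the per-user baseline, the 08:00-19:59 Hong Kong business-hours window and the sample lines are all constructed assumptions.

```python
"""Flag successful remote-access logins that fall outside a user's known hours, locations or devices."""
import re
from datetime import datetime, timedelta, timezone

HKT = timezone(timedelta(hours=8))
BUSINESS_HOURS = range(8, 20)  # 08:00-19:59 Hong Kong time; assumed policy value

# Constructed log format (not from any real product): ISO-8601 UTC timestamp followed by key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) geo=(?P<geo>\S+) "
    r"device=(?P<device>\S+) result=(?P<result>\S+)$"
)


def parse_line(line):
    """Return a dict of fields with a timezone-aware timestamp, or None for an unparseable line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    return rec


def detect_anomalies(lines, baseline):
    """baseline maps user -> {"geo": set, "devices": set}; returns (user, reason, timestamp) alerts."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["result"] != "ok":
            continue  # only successful logins are scored here; failures belong to a brute-force check
        known = baseline.get(rec["user"], {"geo": set(), "devices": set()})
        reasons = []
        if rec["ts"].astimezone(HKT).hour not in BUSINESS_HOURS:
            reasons.append("login outside business hours")
        if rec["geo"] not in known["geo"]:
            reasons.append(f"new location {rec['geo']}")
        if rec["device"] not in known["devices"]:
            reasons.append(f"new device {rec['device']}")
        alerts.extend((rec["user"], r, rec["ts"].isoformat()) for r in reasons)
    return alerts


# Constructed baseline and log lines (documentation IP ranges, invented users and devices).
BASELINE = {"alice": {"geo": {"HK"}, "devices": {"lt-a1"}},
            "bob": {"geo": {"HK", "SG"}, "devices": {"lt-b7"}}}
SAMPLE_LOG = [
    "2025-02-06T02:10:03Z user=alice src=203.0.113.5 geo=HK device=lt-a1 result=ok",      # 10:10 HKT, normal
    "2025-02-06T19:45:11Z user=alice src=198.51.100.9 geo=DE device=lt-a1 result=ok",     # 03:45 HKT, new location
    "2025-02-06T04:02:57Z user=bob src=203.0.113.77 geo=SG device=unknown-x9 result=ok",  # 12:02 HKT, new device
    "2025-02-06T04:05:00Z user=bob src=203.0.113.77 geo=SG device=unknown-x9 result=fail",
]


def run_sample():
    return detect_anomalies(SAMPLE_LOG, BASELINE)


if __name__ == "__main__":
    for user, reason, ts in run_sample():
        print(f"{ts} {user}: {reason}")
```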

Potential Security Risks from Third-Party IT Service Providers

Using third-party IT service providers introduces additional cybersecurity considerations. Companies must conduct thorough due diligence to assess the security posture of vendors. This includes reviewing their security policies, understanding their incident response procedures, and ensuring compliance with relevant regulatory requirements. Establishing clear contractual obligations regarding data protection and conducting regular security assessments can further mitigate risks associated with third-party providers.

Many Web3 companies rely on third-party service providers for cloud storage, authentication, smart contract auditing, and payment processing. However, if the vendor has security vulnerabilities, it may become a target for hackers.

To reduce the risk of supply chain attacks, licensed Web3 companies can:

  • Conduct security due diligence to assess the vendor's cybersecurity level, data processing policies, incident response procedures, and compliance certifications (such as ISO 27001 or SOC 2).

  • Establish clear contractual obligations to ensure that vendors are responsible for data protection, incident response, and security audits.

  • Regularly conduct vendor security assessments, such as requiring vendors to provide the latest security reports and conducting penetration tests to ensure their infrastructure is free from significant vulnerabilities.

Cloud Security Threats

Cloud computing has become the core infrastructure for Web3 companies; however, misconfigured cloud storage, unencrypted data, and overly open access permissions can allow hackers to easily steal sensitive information.

To ensure cloud security, it is recommended that Web3 companies:

  • Implement strict access controls using role-based access control (RBAC) to limit access to sensitive data.

  • Encrypt data at rest and in transit, ensuring that all customer data stored in the cloud is encrypted using AES-256 to prevent data breaches.

  • Regularly conduct cloud security audits to identify misconfigurations and potential risks, avoiding common issues such as open access to S3 Buckets.
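The S3 example above can be turned into a concrete configuration check covering two of the three points: anonymous access (via bucket policy or ACL) and missing AES-256/KMS encryption at rest. This is an added example written for this article, not code from the SFC report or from AWS; the bucket configurations are constructed, shaped like the GetBucketPolicy, GetBucketAcl and GetBucketEncryption responses, and the "any Condition makes a statement non-public" rule is a deliberate simplification of AWS's own definition.

```python
"""Check one bucket's configuration for open access and missing default encryption."""
import json

# Principal forms that mean "anyone", and the ACL group URIs that make a bucket public.
PUBLIC_PRINCIPALS = ("*", {"AWS": "*"})
PUBLIC_ACL_URIS = {"http://acs.amazonaws.com/groups/global/AllUsers",
                   "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}
STRONG_SSE = {"AES256", "aws:kms"}


def policy_is_public(policy):
    """True if an Allow statement grants everyone access with no Condition narrowing it (simplified rule)."""
    for st in policy.get("Statement", []):
        if st.get("Effect") == "Allow" and not st.get("Condition") and st.get("Principal") in PUBLIC_PRINCIPALS:
            return True
    return False


def acl_is_public(acl):
    return any(g.get("Grantee", {}).get("URI") in PUBLIC_ACL_URIS for g in acl.get("Grants", []))


def encryption_is_strong(sse_config):
    """Default encryption must exist and use AES-256 (SSE-S3) or a KMS key."""
    rules = (sse_config or {}).get("Rules", [])
    return any(r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm") in STRONG_SSE for r in rules)


def audit_bucket(cfg):
    """cfg merges the policy (JSON string), ACL and encryption config of one bucket; returns findings."""
    findings = []
    if cfg.get("Policy") and policy_is_public(json.loads(cfg["Policy"])):
        findings.append("bucket policy allows anonymous access")
    if acl_is_public(cfg.get("Acl", {})):
        findings.append("ACL grants access to AllUsers/AuthenticatedUsers")
    if not encryption_is_strong(cfg.get("ServerSideEncryptionConfiguration")):
        findings.append("no AES-256/KMS default encryption at rest")
    return findings


# Constructed configurations (invented bucket and account), one weak and one hardened.
WEAK_BUCKET = {
    "Policy": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::kyc-docs/*"}]}),
    "Acl": {"Grants": [{"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                        "Permission": "READ"}]},
}
HARDENED_BUCKET = {
    "Policy": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:role/kyc-reader"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::kyc-docs/*",
         "Condition": {"Bool": {"aws:SecureTransport": "true"}}}]}),
    "Acl": {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"}, "Permission": "FULL_CONTROL"}]},
    "ServerSideEncryptionConfiguration": {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]},
}

if __name__ == "__main__":
    print("weak:", audit_bucket(WEAK_BUCKET))
    print("hardened:", audit_bucket(HARDENED_BUCKET))
```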

At the same time, Web3 companies should also understand the shared responsibility model of cloud security, recognizing which security aspects are managed by the cloud provider and which are the company's responsibility.

Summary by Lawyer Mankun

The SFC's report reiterates that cybersecurity is not just a technical issue but a core aspect of compliance operations for licensed companies. Whether it is the direct responsibility of management or the response to internal security protections and external threats, licensed Web3 companies must establish long-term robust cybersecurity strategies to meet regulatory requirements and protect customer assets.

Moreover, it is noteworthy that on February 7, the SFC announced plans to conduct a comprehensive review of existing cybersecurity requirements and expected standards in 2025, and to develop an industry-wide cybersecurity framework to provide clearer compliance guidance for all licensed Web3 companies, helping them manage cybersecurity risks more effectively.

Therefore, licensed Web3 companies should prepare in advance to ensure they can adapt quickly when regulatory requirements are upgraded. Additionally, Lawyer Mankun suggests that regardless of licensing status, Web3 companies should proactively assess their existing cybersecurity architecture, improve internal governance mechanisms, and strengthen their alignment with compliance requirements, so as to reduce the operational risk of future compliance adjustments and enhance their market competitiveness.

Disclaimer: This article represents only the author's personal views and does not represent the position or views of this platform. It is provided for information sharing only and does not constitute investment advice to anyone. Any dispute between users and the author is unrelated to this platform. If an article or image published on this page infringes any rights, please send the relevant proof of rights and proof of identity to support@aicoin.com, and the platform's staff will verify it.
