<img alt="" src="https://secure.weed6tape.com/193471.png" style="display:none;">
Products & Solutions
Products & Solutions
Explore our portfolio of cutting-edge cybersecurity solutions, centered around our flagship Hardware Security Modules (HSMs). From encryption and key management to secure access and authentication, our products ensure robust protection for your most critical data and systems.
menu icon
Hardware Security Module (HSM)
HSM Overview What is an HSM? Primus HSM CyberVault (X2 Models) Primus HSM CyberVault Core (E2 Model) Primus HSM X-Series Primus HSM E-Series Primus HSM S-Series Primus HSM Blockchain Post-Quantum Cryptography HSM
menu icon
Cloud Security
Securosys CloudHSM Cloud Console What is CloudHSM? CloudHSM Service Offerings Integrated Technologies HashiCorp Vault Docker Image Security Bring Your Own Key (BYOK) External Key Store (XKS) Proxy for AWS Fortinet Fortigate Keyfactor EJBCA/SignServer
menu icon
Additional Products and Services
Decanus Terminal Transaction Security Broker (TSB) Key Attestation Smart Key Attributes (SKA) Securosys Authorization App S365 DKE - add-in for Microsoft 365 Securosys VaultCode CyberVault Key Management System
Partners
Partners
shield-people-colourful
Partners
Partner Directory
digital-data-finance-security-transactions-2
Integrations
Integrated Technologies HashiCorp Vault Fortinet FortiGate S365 DKE - adds in for Microsoft Bring Your Own Key (BYOK) External Key Store (XKS) - Proxy for AWS Keyfactor EJBCA/SignServer
Support
Support
menu icon
Support
Online Documentation Support Portal System Status Trainings
finance-institution-colourful
What is ...?
What is an HSM? What is CloudHSM? What is BYOK? What is SIC system?
About
About
Learn more about our mission, explore career opportunities, and access our resources. Discover how we’re shaping the future of cybersecurity and how you can be part of it.
menu icon
Securosys SA
About Us Events News Career
menu icon
Resources
Online Documentation Blog Articles Stories and Paper Video Gallery
document-lock-b&w
Certifications
Security Certifications Safety & Compliance Certifications Company Certification
Compliance
Hong Kong Guidelines for VATP
Contact us
  • There are no suggestions because the search field is empty.

Hong Kong Guidelines for Virtual Asset Trading Platform Operators

How Securosys Primus HSM Technology Meets Recommendations for the Secure Custody of Client Assets
Download Compliance Brief

The Securities and Futures Commission (SFC), the authority responsible for regulating the securities and futures markets in Hong Kong, issued a set of detailed guidelines in June 2023 entitled Guidelines for Virtual Asset Trading Platform Operators. These guidelines cover a wide range of requirements for virtual asset trading platform operators, including due diligence, investor protection, financial resources, custody, and market surveillance. A key emphasis is placed on the need for robust cybersecurity solutions, underscoring the importance of appropriate protection for crypto assets.

Securosys and Hardware Security Modules

Hardware Security Modules (HSMs) are referenced several times in the VATP Operator Guidelines. An HSM is a dedicated physical device designed to ensure that any cryptographic key material is never exposed in the clear within the system memory, where it could be compromised. Securosys Primus HSMs ensure the secure generation, storage, and management of digital identities, encryption keys, asset keys and digital signature keys.

This document examines specific guidelines and highlights areas in which Securosys Primus HSM solutions enable organizations to meet and exceed these requirements.

X. Custody of Client Assets
Page Section Guideline
62

X. Custody of Client Assets

Client Virtual Assets

10.6 A Platform Operator should establish and implement, and should also ensure that its Associated Entity establishes and implements, written internal policies and governance procedures which include, but are not limited to, the following:”

   

“(c) The Platform Operator and its Associated Entity should store 98% of clientvirtual assets in cold storage (such as Hardware Security Module (HSM)-based cold storage) except under limited circumstances permitted by the SFC on a case-by-case basis to minimise exposure to losses arising from acompromise or hacking of the platform.”

 

Securosys Primus HSMs directly address this requirement by providing cold storage for crypto assets while offering comprehensive blockchain and cryptocurrency support of any Hardware Security Module – Ethereum (ETH), Bitcoin (BTC) based assets, Ripple, IOTA and many more, as well as derivatives of leading cryptocurrencies. A complete list of supported technologies is available on the Securosys website. Crypto asset keys are protected against compromise and misuse at all times, with all signing operations performed within the physical boundary of the HSM.

 

Page Section Guideline
63

X. Custody of Client Assets

Client Virtual Assets

10.8 A Platform Operator should establish and implement strong internal controls and governance procedures for private key management to ensure all cryptographic seeds and private keys are securely generated, stored and backed up. The Platform Operator should ensure that the Associated Entity establishes and implements the same controls and procedures. These will include the following:”

   

“(a) The generated seeds and private keys must be sufficiently resistant to speculation or collusion. The seeds and private keys should be generated inaccordance with applicable international security standards and industry bestpractices so as to ensure that the seeds (where Hierarchical Deterministic

Wallets, or similar processes, are used) or private keys (if seeds are not used)are generated in a non-deterministic manner which ensures randomness andthus are not reproducible. Where practicable, seeds and private keys shouldbe generated offline and kept in a secure environment, such as a HSM, with appropriate certification for the lifetime of the seeds or private keys.”

 

Keys can be generated directly within a Securosys Primus HSM leveraging its onboard True Random Number Generator (TRNG) and ensuring they are protected by hardware throughout their entire lifecycle. Alternatively, keys generated externally may be securely imported: import keys based on a given seed and derive keys based on a BIP32 / SLIP10 master key.

Securosys Primus HSMs have been independently validated and certified in accordance with both the FIPS 140 Level 3 and Common Criteria EAL 4+ standards.

 

Page Section Guideline
63

X. Custody of Client Assets

Client Virtual Assets

10.8 A Platform Operator should establish and implement strong internal controls and governance procedures for private key management to ensure all cryptographic seeds and private keys are securely generated, stored and backed up. The Platform Operator should ensure that the Associated Entity establishes and implements the same controls and procedures. These will include the following:”

   

“(b) Detailed specifications for how access to cryptographic devices or applications is to be authorised and validated, covering key generation, distribution, use, storage and destruction, as well as the immediate revocation of a signatory’s access as required. Where practicable, multi-factor authentication is used to authenticate authorised personnel for access to applications governing the use of private keys

 

There are two distinct areas of authentication within any HSM-protected asset trading platform that require strong controls to ensure the security of the overall system. The first and most straightforward concerns the administration of the HSM itself by authorized personnel. Securosys Primus HSMs feature multi-factor authentication for administrative access, requiring the presentation of a smart card and associated PIN either directly at the front panel of the HSM, or optionally via a Decanus Remote Administration Terminal located remotely.

Risk can be distributed across multiple individuals by enforcing an m-of-n authentication model, whereby a defined number (m) of smart cards and associated PINs from a group of (n) must be presented before administrative tasks can be performed. This approach, which is common to several HSM providers, ensures that no single individual holds unrestricted ‘superuser’ or ‘root’ privileges.

By contrast, legacy HSM architectures are less effective at enforcing fine-grained access controls for private keys. While some form of multi-factor authentication is often provided, this generally allows access to an entire partition or group of keys. In the context of an asset trading platform, stronger controls are required - specifically, the ability to map a unique, specific policy onto every individual asset key in the system. To address this, some vendors rely on the use of some form of additional software to implement trusted access control for customer authentication. While such approaches may mitigate certain risks, they will never be as secure as controls implemented directly within the hardware itself. Other vendors may also offer trusted execution modules to enable customers to extend the HSM’s functionality; however, implementing this requires significant development effort and may compromise the FIPS compliance of the HSM.

Securosys Smart Key Attributes (SKA) technology enables customers to apply a dedicated access policy to every individual key protected by a Primus HSM. This allows VATP Operators to build an architecture in which only the rightful owners of an asset are permitted to access or transact with the associated asset key. Pre-defined policies may require authorisation in the form of a digital signature from a single individual or from an m-of-n quorum, as described above. Beyond this, more advanced policies can be enforced, requiring multiple signatures and optionally strict limits for timeouts and time windows.

The optional Transaction Security Broker (TSB) facilitates the SKA approval process by collecting authorizations, coordinating multi-step workflows, and forwarding completed authorization data to the HSM. This architectural separation ensures that all the approvals required by the SKA policy have been gathered by the TSB outside the HSM, while the HSM itself remains solely responsible for enforcing all defined security policies.

 

Page Section Guideline
64

X. Custody of Client Assets

Client Virtual Assets

10.8 A Platform Operator should establish and implement strong internal controls and governance procedures for private key management to ensure all cryptographic seeds and private keys are securely generated, stored and backed up. The Platform Operator should ensure that the Associated Entity establishes and implements the same controls and procedures. These will include the following:”

   

“(e) Seeds and private keys are securely stored in Hong Kong.

 

Securosys Primus HSMs can be deployed on-premises to protect seeds and private keys, either at a customer site in Hong Kong or within a locally hosted data center.

XII. Cybersecurity
Page Section Guideline
79

XII. Cybersecurity

Security of Platform

12.12 A Platform Operator should employ adequate, up-to-date and appropriate security controls to protect the platform from being abused. The security controls should at least include:”

    “(b) two-factor authentication for login to clients’ accounts;”

 

Securosys Primus HSMs support two-factor authentication (and beyond – please refer to our response to 10.8(b) above for further details), ensuring that client asset keys can be accessed and utilized solely by their rightful owners.

 

Page Section Guideline
82

XII. Cybersecurity

Security of Platform

12.12 A Platform Operator should employ adequate, up-to-date and appropriate security controls to protect the platform from being abused. The security controls should at least include:”

   

“(h) up-to-date security tools to detect, prevent and block any potential unauthorised intrusion, security breach and cyberattack attempts. In particular, the Platform Operator should implement an effective monitoring and surveillance mechanism to detect unauthorised access to clients accounts or the Platform Operator’s accounts (if any);”

 

Securosys Primus HSMs protect asset keys within secure, physical, tamper-protected hardware, preventing unauthorized access to or compromise of valuable and sensitive key material.

Additional security measures include:

  • Tamper-Responsive Design: Primus HSMs feature active tamper-detection mechanisms. Any attempt to physically compromise the device triggers immediate key zeroization, ensuring that cryptographic material cannot be extracted, even through sophisticated hardware attacks.
  • Defense-in-Depth with SKA: Even if an attacker were to gain network access to an HSM, Smart Key Attributes policies prevent unauthorized key usage. Without the required approvals from designated signatories, keys cannot be used to sign transactions, regardless of network-level access.
  • Comprehensive Audit Logging: Tamper-evident audit logs record all access attempts and operations, supporting forensic analysis and compliance reporting requirements.

 

Page Section Guideline
83

XII. Cybersecurity

Capacity of Platform

12.15 A Platform Operator should ensure that:”

   

“(a) the usage capacity of the platform is regularly monitored and appropriate capacity planning is developed. As part of the capacity planning, a Platform Operator should determine and keep a record of the required level of spare capacity;”

 

Securosys provides an app for Splunk, and Primus HSMs also support SNMP, allowing the monitoring of uptime and capacity.

2025 Circular

In April 2025, the Securities and Futures Commission (SFC) released updated guidance in the form of a circular entitled Circular on SFC-authorised funds with exposure to virtual assets.

Custody
Page Section Guideline
3 Custody

20 The trustee/custodian and any delegate responsible for taking custody of VA holdings of an SFC-authorised VA Fund should comply with the following:”

    “(a) it should ensure that the VA holdings are segregated from its own assets and the assets it holds for its other clients;”

 

Separating virtual asset material stored within Securosys Primus HSM hardware is straightforward. As with any HSM-based architecture, separate HSMs may be used for distinct holdings, or assets may be split them across different partitions within the HSM. As discussed earlier in this document, Securosys Smart Key Attributes provide the ability to apply a specific policy to each individual key protected by the HSM, ensuring full separation even within the same HSM partition.

 

Page Section Guideline
3 Custody

20 The trustee/custodian and any delegate responsible for taking custody of VA holdings of an SFC-authorised VA Fund should comply with the following:”

    “(b) it should store most of the VA holdings in the cold wallet. The amount and duration of VA holdings stored in the hot wallet should be minimised as much as possible, save for meeting the needs of subscriptions and redemptions; and”

 

Securosys Primus HSM, together with Smart Key Attributes (SKA) technology, allow customers to authorize transactions using a strong multi-signature policy, even where the HSM is operating as a cold wallet in an air-gapped, offline environment.

 

Air-Gapped TSB Architecture, Securosys SA

The diagram above illustrates such a cold wallet architecture, in which the asset keys are held in a Primus HSM that is fully disconnected from the network. A ‘Standalone’ Transaction Security Broker (TSB) instance gathers the approval(s) required for a transaction. Once all required approvals have been obtained, they can be manually transferred to the offline TSB that is directly connected to the HSM to perform the transaction. Approval and transaction data are typically transported across the ‘airgap’ via USB drives, Java smart cards or QR codes.

 

Page Section Guideline
3 Custody

20 The trustee/custodian and any delegate responsible for taking custody of VA holdings of an SFC-authorised VA Fund should comply with the following:”

    “(c) it should ensure the seeds and private keys are (i) securely stored in Hong Kong; (ii) tightly restricted to authorised personnel; (iii) sufficiently resistant to speculation (eg, through generation in a non-deterministic manner) or collusion (through measures such as multi-signature and key sharding); and (iv) properly backed up to mitigate any single point of failure.”

 

Securosys Primus HSMs can be deployed on-premises to protect seeds and private keys, either at a customer site in Hong Kong or within a locally hosted data center. Two-factor authentication and support for m-of-n policies ensure that all sensitive operations are restricted to authorized personnel. All Primus HSM devices feature a true random number generator (TRNG), providing non-deterministic random number generation (NDRNG). In addition, individual Smart Key Attributes (SKA) policies can be applied to any key within the HSM to ensure multiple signatures are required before a key may be accessed.

Securosys HSMs natively support clustering functionality, allowing keys generated in one HSM to be securely and automatically made available across all HSMs within a cluster. This ensures that there is no single point of failure, and it allows the HSM cluster itself to serve as the sole backup mechanism, ensuring that keys exist exclusively within secure hardware. An HSM cluster can be spread across multiple locations, such that the loss of one or more sites does not result in a loss of valuable and sensitive asset keys.

For organizations requiring an additional layer of resilience, including protection against the highly unlikely event of simultaneous multiple hardware failures, Securosys HSMs also support secure backup of the entire device or specific partitions. Backups are created in a strongly protected (encrypted) format to external media that can be stored offsite. The backup operations can be performed automatically or initiated manually through the HSM front panel or remotely via a Decanus Remote Administration Terminal. Any restore operation of these backups requires the use of secure credentials and a backup password.

Automated Approvals with VaultCode

As discussed in this document, Securosys Smart Key Attributes (SKA) technology enables customers to apply rules to individual asset keys protected by a Primus HSM, ensuring that they can only be used when the defined policy conditions are met. For example, a policy may require authorization from three out of a total of five designated individuals before a transaction can be approved. The Transaction Security Broker (TSB) acts as a workflow engine to collect these approvals.

Having the ability to enforce manual intervention for significant transactions in this way can be vital for valuable asset keys, especially where those transactions are irreversible. However, there are also scenarios in which a manual approval process could prove impractical. Under certain conditions, it might be preferable for transactions to be processed automatically, to avoid the system grinding to a halt. This conditional architecture can be achieved by using Securosys VaultCode secure runtime environment technology, running on standard Primus HSM CyberVault devices.

VaultCode Architecture, Securosys SA

Using VaultCode, customers can define their own business logic to be executed securely in a container within the physical boundary of the Primus HSM. This logic acts as a compliance filter, enabling automated decision-making based on predefined rules. A popular use of VaultCode is to allow lower-value transactions to be completedautomatically without manual intervention, while still requiring all significant transactions to be manually approved with SKA.

Another example would be to implement a trusted list of blockchain addresses, combined with the explicit denial of sanctioned addresses. In such a scenario, VaultCode-based business logic, enforced directly within the HSM, permits only withdrawals to trusted blockchain addresses without manual intervention, while automatically rejecting transactions involving sanctioned addresses. The policy engine verifies transaction details against the trusted list, ensuring that compliance rules are met, optionally requesting manual SKA approval for unknown blockchain addresses.

 

Why Securosys for VATP Compliance?

  • Per-Key Policy Control: Unlike traditional HSMs that apply access controls at the partition level, Securosys Smart Key Attributes (SKA) enable unique, multi-signature policies for every individual asset key. This capability is particularly critical for multi-tenant platforms, where each client’s assets require distinct authorization rules.
  • Custom Compliance Logic: VaultCode secure runtime environment allows customer-defined business logic to execute securely within the HSM’s validated boundary, without compromising FIPS certification.
  • Swiss Security Heritage: Securosys solutions are designed and manufactured in Switzerland with a fully transparent supply chain. Customers can review blueprints and source code, supporting a high level of trust and assurance with no hidden components or undocumented functionality.
  • Comprehensive Blockchain Support: Securosys Primus HSMs provide native support for all major blockchain protocols including Bitcoin (BTC), Ethereum (ETH), Ripple, IOTA, and derivatives, ensuring a comprehensive cryptocurrency support across diverse virtual asset environments.

 

Additional Relevant Securosys Technologies

Attestation

Attestation provides cryptographic evidence of all relevant attributes, allowing auditors to verify the identity and origin of keys, devices, and users in a cost-efficient manner without requiring physical presence. Where, for example, proof is needed that a cryptographic key was created securely in hardware on a specific device, attestationenables customer keys to be signed using a Primus HSM root key, securely stored in a certified keystore on the device. This capability can reduce or eliminate the need for in-person key ceremonies involving external auditors.

Fireblocks Integration

Fireblocks is a digital asset and custody infrastructure platform supporting a wide range of public blockchains. Using the Fireblocks web interface, users can manage their digital assets and initiate, approve, and receive transactions. As an alternative to splitting the wallet keys via Multi-Party Computation (MPC), Fireblocks Key Link enables customers to connect a Securosys Primus HSM directly to Fireblocks. This approach provides multiple advantages:

  • Tamper-protection: Intel SGX has a well-documented history of vulnerabilities. HSMs, by contrast, are specifically designed for secure key storage, providing strong, certified tamper protection.
  • Full ownership: With on-premises HSMs, customers retain full ownership and control over the hardware used to store wallet keys.

 

Integration Ecosystem

Securosys Primus HSMs integrate seamlessly with the complete virtual asset technology stack:

  • Blockchain Platforms: Native support for all major protocols including Bitcoin (BTC), Ethereum (ETH), Ripple, IOTA, Stellar, Cardano, and many more.
  • Digital Asset Custody: Fireblocks Key Link integration for institutional custody, alongside direct support for leading wallet providers.
  • Enterprise Infrastructure: PKCS#11 for application integration, KMIP for key management interoperability, REST API for modern application development, SNMP for enterprise monitoring, and a Splunk application for security analytics.
Our Contacts
APAC
Securosys Hong Kong Ltd.
11/F - 12/F & Roof Floor, 133 Wai Yip Street, Kwun Tong, Hong Kong
+852 35116390