How to Meet HKMA OR-2 Compliance with Illumio
In banking, technology infrastructure can often feel like a bowl of wonton soup: endpoints, routers, and storage devices floating around in a broth of data flows.
And it’s not always the comforting, hug-in-a-bowl kind that maa maa used to make. It’s messy. It’s unpredictable. If you can't see each component of the soup clearly, it can ruin the whole bowl.
When something goes wrong, it’s rarely isolated. The impact can be far-reaching and felt across the banking ecosystem.
That’s why regulators like the Hong Kong Monetary Authority (HKMA) are raising the bar with compliance requirements like OR-2, which demand operational resilience, not just risk awareness. For banks, this means proving they can see the full picture, containing disruptions when they occur, and continuously testing their ability to recover.
In this post, we’ll explore what OR-2 requires, why visibility is the linchpin for reaching compliance, and how Illumio can help.
ICBC breach wounds run deep!
In 2023, Industrial and Commercial Bank of China (ICBC), the world’s largest bank by assets, was hit by a ransomware attack that disrupted its U.S. broker-dealer operations.
The result? Almost US$9 billion in unsettled Treasury trades. Employees had to revert to USB drives and Gmail just to process transactions. The ripple effects spread across the US$26 trillion U.S. Treasury market.
Like pouring hot chili oil into an open wound, less than a year later, ICBC’s London branch was breached. Attackers exfiltrated 6.6 terabytes of sensitive data. The timing couldn’t have been worse.
The breach didn’t just expose data. It exposed fragility, and in banking, fragility is the one thing you can’t afford to show.
Regulators all around the globe demand resilience. The Hong Kong Monetary Authority (HKMA), like its peers in Europe, Australia, and Singapore, is doing exactly that through its Operational Resilience framework (OR-2).
The ICBC incident underscored OR-2’s objective of preventing these operational blind spots that turn disruptions into crises.
When ripples turn to tides, regulators step in
The thing about banking operations is that they’re deeply interconnected. A small disruption in one corner of the system can ripple across functions, geographies, and even financial markets. When those ripples turn into waves, regulators take notice.
Under OR-2, banks in Hong Kong are expected to demonstrate that they can deliver critical operations through severe but plausible disruptions.
Regulators are asking banks to map out how operations, systems, and third parties are connected to understand how things could break. Most importantly, they want banks to be able to contain the damage when things do break.
Visibility: banking’s biggest security challenge
Many institutions have the frameworks, governance policies, and playbooks in place. But few are asking the question that actually matters: can we truly see the interconnections we’re supposed to map?
HKMA’s OR-2 urges banks to go beyond documentation. Banks must be able to identify and understand how their critical operations are connected. Not just the obvious ones, but the hidden dependencies between systems, teams, vendors, and processes.
It’s not enough anymore to say, “We know our environment.” Compliance regulations like OR-2 require banks to deeply understand how their digital operations work.
This is where most banks start to feel the pressure. Resilience isn’t just about having a plan but about having the visibility to make that plan a reality.
In other words, you can’t protect what you can’t see.
In Hong Kong’s hybrid environments, where legacy systems meet new cloud deployments and third-party integrations, maintaining visibility across all layers is often the hardest part. Yet, it’s exactly what regulators expect you to master.
Containment is no longer just technical, it’s cultural
HKMA’s OR-2 regulation goes beyond technology and into governance and culture. It asks banks to identify their important business services, set impact tolerances, and test their ability to operate within those limits during disruption.
Containment isn’t just a technical term anymore. It’s become a boardroom priority. When banks falter, customers don’t just lose access; they lose confidence. And confidence, once shaken, is hard to rebuild.
In Hong Kong’s relationship-driven banking ecosystem, where trust, stability, and brand reputation are everything, a breach isn’t just a technical failure. It’s a cultural and business crisis.
Testing, testing, and more testing
How do you know your process can withstand the blow of a disruptive ransomware attack? You test, test, and test again. Thoroughly!
HKMA expects scenario-based resilience testing. And not the kind where everyone nods through a tabletop exercise and goes back to their desks. They want realistic simulations of what happens when systems fail, vendors collapse, or cyberattacks spread faster than expected.
A test is not fun if you haven’t studied. Studying for the test in resilience terms means having a well-defined and well-rehearsed incident response program that can detect, contain, and recover from end-to-end disruptions.
You also need well-curated and well-designed exercises to prove that you are maintaining operational continuity, managing customer communication, and reporting to regulators.
And this isn’t a one-and-done exercise. OR-2 expects continuous improvement: updating documentation, refining controls, and learning from every incident, whether internal or across the industry.
How to meet OR-2 compliance with Illumio
Organizations must start with getting granular, end-to-end visibility in order to meet OR-2's compliance requirements.
Illumio gives banks a real-time map of how systems, applications, and data flows interact across cloud, data center, and endpoint environments without relying on traditional network scans or heavy agents.

With Illumio, you can see your critical assets, understand how they communicate, and identify where a single disruption could cascade through the network if left unchecked.
This means when HKMA comes asking how you’re managing operational risk under OR-2, you’re not playing blind man’s bluff by reacting to whatever sounds and triggers come from your environment.
Instead, Illumio helps you approach compliance with clarity. You can quickly and easily demonstrate that you’ve identified your important business services and mapped your interconnections.
With this visibility, you can then use Illumio Segmentation to instantly isolate threats and limit their blast radius.

You can contain a ransomware attack within seconds, stopping lateral movement before it affects critical systems or spreads to third-party connections. This ability to contain damage in real time is central to OR-2’s objective of delivering critical operations through plausible disruptions.
Instead of scrambling after a breach, Illumio gives you the tools to understand your environment and respond with control, precision, and speed. This means you can keep the rest of bank operations up and running while you investigate and recover.
OR-2 preaches preparedness, not perfection
HKMA isn’t asking for perfection. It’s asking for preparedness: for banks to be pragmatic, responsive, and clear-eyed about their risks.
Granular visibility from Illumio helps you get there without the noise.
Preparedness isn’t just the easiest way to strengthen your OR-2 operational resilience posture. It’s also the smartest way to build trust with regulators, with your board, and with your customers.
Because at the end of the day, resilience isn’t about having a binder full of policies. It’s about knowing what’s connected, what’s vulnerable, and what you’ll do when — not if — something goes wrong.
Visibility is the foundation of resilience, and Illumio is how you build it.
Get started with Illumio Insights today.