Kevin Lau

Kevin is a Principal of Moore Hong Kong, leading the firm’s cybersecurity and IT risk practice. He works with boards and senior management across a broad range of industries to help organisations manage technology risk, strengthen their security posture and meet evolving regulatory expectations.

Kevin brings 20 years of experience in IT service and security management. Prior to joining Moore Hong Kong, he held senior operational and risk management roles at a major telecommunications group and a leading data centre provider, where he oversaw world-class critical IT facilities, cloud hosting environments and IT service and security compliance programmes across the APAC region. He has also previously lectured in corporate governance and risk management at a leading Hong Kong university.

His consultancy experience spans financial services, virtual assets and fintech, critical infrastructure, retail, telecommunications, technology and the public sector. Kevin specialises in cybersecurity framework and compliance reviews covering ISO/IEC 27001, NIST, SOC 2 and PCI DSS, as well as virtual asset platform security and governance under SFC regulatory expectations, critical infrastructure protection under Hong Kong’s Protection of Critical Infrastructures (Computer Systems) Ordinance, OT and ICS security assessments under IEC 62443, red team exercises, penetration testing, and application and mobile security assessments. He is also experienced in Security Risk Assessment and Audit, Privacy Impact Assessment, and AI governance and data privacy frameworks, serving both private and public sector clients in Hong Kong and internationally.

Kevin holds a Bachelor’s degree in Information Management from University College London and a Master of Economics from the University of Hong Kong. He is a certified lead auditor for ISO/IEC 27001/27017/27018 and ISO/IEC 20000, a member of ISACA, and a member of the IEEE Computer Society.

Kevin is a specialist in cybersecurity framework and compliance (ISO/IEC 27001; NIST; SOC 2; PCI DSS), virtual asset platform security and SFC governance, critical infrastructure protection (PCICSO; IEC 62443), red team exercises and penetration testing, application and mobile security (OWASP), security risk assessment, audit and privacy impact assessment, and AI governance and data privacy frameworks.