Cybersecurity Law: Hong Kong Legislation to protect computer systems of Critical Infrastructure

Hauzen

Hong Kong has faced an alarming increase in cyberattacks in the past two years. Last September, more than 13,000 people had personal data stolen when Hong Kong’s Cyberport suffered a data breach. In February 2024, the Hong Kong College of Technology was hacked and over 8,100 individuals’ information was reportedly published on the dark web. Just two months ago, Oxfam Hong Kong suffered a data breach. As essential services become increasingly reliant on digital technologies, their computer systems have become prime targets for malicious cyber activities that could disrupt essential services, jeopardise public safety, and compromise the confidentiality of personal data.

To address this issue, in July 2024, the Hong Kong Legislative Council Panel on Security proposed new cybersecurity legislation (“Proposed Legislation”) to enhance protection of the computer systems of critical infrastructures (“CIs”). The intended purpose of the Proposed Legislation is to promote good preventative management systems among operators of CIs and to secure the operation of their critical computer systems (“CCS”), thereby enabling the smooth operation of essential services and consolidating Hong Kong’s favourable business environment and status as an international financial centre.

The Proposed Legislation is tentatively named the “Protection of Critical Infrastructure (Computer System) Bill”.

In this article, we summarise the Proposed Legislation for you below.

A. Who does the Proposed Legislation target and what are CIs?

The Proposed Legislation targets the CCS of operators of critical infrastructure (“CI Operators”) in two major categories:

Category 1: Infrastructures for delivering essential services in Hong Kong

(a) Energy;

(b) Information Technology;

(c) Banking and Financial Services;

(d) Land Transport;

(e) Air Transport;

(f) Maritime;

(g) Healthcare Services; and

(h) Communications and Broadcasting.

Category 2: Other infrastructures for maintaining important societal and economic activities

Other infrastructures (e.g. major sports and performance venues, research and development parks, etc.) whose damage, loss of functionality or data leakage may have serious implications for important societal and economic activities in Hong Kong.

Based on an “organisation-based” approach, it is intended that only expressly designated CI Operators, which are mostly large organisations, will be subject to the Proposed Legislation. Small and medium enterprises and the general public will not be affected. For security reasons, the names of the designated CI Operators will not be published.

Further, only the CCS of CI Operators will be regulated. Specifically, a CCS is a computer system that is relevant to the provision of an essential service or to the core functions of the CI’s computer systems, or a system which, if interrupted or damaged, would seriously impact the normal functioning of the CI. Whilst CI Operators run many operational systems concurrently, the Proposed Legislation only aims to regulate their CCS.

B. Intended statutory obligations of CI Operators

The Proposed Legislation seeks to set out the baseline obligations of CI Operators, which fall into three main categories: organisational obligations, preventive obligations, and incident reporting and response obligations (collectively, “Intended Statutory Obligations”).

C. Who will be responsible for overseeing the CI Operators?

The government proposes setting up a Commissioner’s Office under the Security Bureau to monitor the CCS of CI Operators and ensure consistent implementation of the Proposed Legislation. The key duties and functions of the Commissioner’s Office include:

  1. Designating CI Operators and CCSs;
  2. Establishing “Code of Practice” (“CoP”) and giving advice on the measures to be adopted by CI Operators;
  3. Monitoring computer system security threats against CCSs;
  4. Assisting CI Operators in responding to computer system security incidents;
  5. Investigating and following up on non-compliance of CI Operators;
  6. Coordinating with various government departments, e.g. the Office of the Government Chief Information Officer, the Cyber Security and Technology Crime Bureau (CSTCB) of the Hong Kong Police Force (HKPF) and the Hong Kong Computer Emergency Response Team Coordination Centre, etc., in formulating policies and guidelines and handling incidents; and
  7. Issuing written instructions to CI Operators to plug potential security loopholes.

At the same time, given that certain CI Operators are already comprehensively regulated by sector regulators, it is proposed that such regulators can be the designated authorities to monitor the discharge of organisational and preventive obligations (i.e. the first two Intended Statutory Obligations) by these essential services sectors, whereas the Commissioner’s Office will be responsible for incident reporting and response (i.e. the third Intended Statutory Obligation). Regulators that might fall under this category are the Hong Kong Monetary Authority (for the banking and financial services sector) and the Communications Authority (for service providers in the communications and broadcasting sector).

In any event, to ensure that the Commissioner’s Office has full control over the security of CCSs in Hong Kong as a whole, the Commissioner’s Office retains the power to issue written directions to all CI Operators under the Proposed Legislation, irrespective of whether the CI Operator is under the supervision of a designated authority.

D. Offences and penalties

Whilst the legislative purpose of the Proposed Legislation is not to punish CI Operators, to ensure its effective implementation the following offences are proposed:

  1. A CI Operator’s non-compliance with its statutory obligations;
  2. A CI Operator’s non-compliance with written directions issued by the Commissioner’s Office;
  3. Non-compliance with requests of the Commissioner’s Office under its statutory power of investigation; and
  4. Non-compliance with requests of the Commissioner’s Office to provide relevant information relating to a CI.

The penalties under the Proposed Legislation will only include fines. For more details, please refer to Annex I of the LegCo discussion paper (LC Paper No. CB(2)930/2024(03)) (“Discussion Paper”).

E. Investigative powers of the Commissioner’s Office

It is proposed that the Commissioner’s Office be empowered to exercise various investigation powers:

  1. Power to respond to security incidents: Investigate an incident for the purpose of assessing its impact, reducing consequential harm, and preventing a further incident from arising. This includes the power to request answers to questions and the provision of information, to enter the relevant premises with the consent of the CI Operator, or to apply for a magistrate’s warrant to do so in serious cases.
  2. Power to investigate offences under the legislation: This includes powers to question, to request information, and to enter premises for investigation with a magistrate’s warrant.

For details, please refer to Annex II of the Discussion Paper.

F. Appeal Mechanism

It is suggested that the Proposed Legislation include a provision for an appeal process through the creation of an appeal board, consisting of professionals in the computer and information security and legal sectors, amongst others. This will offer operators a separate route of appeal if they contest a CI Operator or CCS designation or a direction from the Commissioner’s Office.

G. Subsidiary Legislation

For ease of administration, it is proposed that the Proposed Legislation empower the Secretary for Security to specify or amend, by way of subsidiary legislation, the following matters, among others:

  1. The types of essential services sectors that may be designated as CIs;
  2. The list of designated authorities;
  3. The information that may be required by the Commissioner’s Office from a CI Operator;
  4. The types of material changes to CCSs that are required to be reported to the Commissioner’s Office;
  5. The scope of, and the manner of carrying out, computer system security management plans and computer system security audits;
  6. The scope of computer system security risk assessments and emergency response plans;
  7. The types of computer system security incidents that are required to be reported to the Commissioner’s Office; and
  8. Deadlines for reporting.

H. CoP

The Proposed Legislation should authorise the Commissioner’s Office to issue a CoP setting out the standards expected under the statutory obligations. This will give the Commissioner’s Office the flexibility to revise the guidelines promptly in line with the latest technology and international standards, thereby aiding CI Operators in fulfilling their statutory requirements.

For the scope of the CoP, please refer to Annex III of the Discussion Paper.

I. Conclusion

In light of the escalating frequency and sophistication of cyberattacks in Hong Kong, the Proposed Legislation is of paramount importance and should be passed as early as possible. It represents an important step forward in Hong Kong’s cybersecurity regulation.

By mandating cybersecurity measures and dedicated statutory obligations for CI Operators, the Proposed Legislation will fortify the resilience of vital systems, mitigate the risks of cyber incidents, and safeguard the integrity of Hong Kong’s essential services in the face of evolving cyber threats. At the same time, the Proposed Legislation will allow Hong Kong to catch up with other leading jurisdictions (e.g. Australia, UK, Singapore, PRC) which have already implemented similar legislation.

To learn more about how the Proposed Legislation could impact your business, contact us today.
