Opinion

Hong Kong proposes new critical infrastructure cybersecurity law

Published Date
Jul 2 2024
New cybersecurity legislation to enhance the protection of computer systems of critical infrastructures (“CIs”) was proposed by the Hong Kong Government on 25 June 2024. The legislation is tentatively titled the Protection of Critical Infrastructure (Computer System) Bill (the “Bill”).

Important highlights

  • The proposed legislation will regulate large organizations responsible for critical services, requiring them to secure their critical computer systems; it does not regulate the personal data or business information held in those systems.
  • A new Commissioner’s Office will be established under the Security Bureau.
  • The Commissioner’s Office will designate critical infrastructure operators (“CIOs”) and the legislation will only apply to those designated.
  • New short incident reporting timelines will be imposed on CIOs:
  1. within two hours after becoming aware of a serious computer system security incident (including incidents that lead to a large-scale leakage of personal data and other data); and
  2. within 24 hours after becoming aware of the other computer system security incidents.
  • The Commissioner’s Office will have extensive powers to investigate computer system security incidents and offences.
  • Financial penalties will be imposed on organizations only (not individuals) in the range of HK$500,000 to HK$5 million and daily fines of HK$50,000 or HK$100,000 for persistent offences.
  • CIOs will be held responsible for non-compliance caused by their third-party service providers, further emphasising the importance of vendor oversight.
  • The Bill is expected to be introduced to the Legislative Council by the end of 2024.

Key components of the proposed legislation

The key components of the proposed legislation are as follows.

1. Scope and targets

  • The legislation will apply only to expressly designated critical infrastructure operators (“CIOs”) and their critical computer systems (“CCSs”). The list of designated CIOs will not be made public.
  • CIs will cover two major categories: (a) infrastructure in the following eight essential services sectors: (i) Energy; (ii) Information Technology; (iii) Banking and Financial Services; (iv) Land Transport; (v) Air Transport; (vi) Maritime; (vii) Healthcare Services; and (viii) Communications and Broadcasting, and (b) other infrastructure for maintaining important societal and economic activities (such as major sports and performance venues, research and development parks).
  • Only computer systems that (a) are relevant to the provision of an essential service or to core functions, and (b) would seriously impact the normal functioning of the CI if interrupted or damaged, will be designated as CCSs, regardless of whether they are physically located in Hong Kong. The Commissioner’s Office will consult CIOs on which systems are essential to their operations before making a designation.
  • An organization-based approach will be adopted, which means the organization responsible for operating a CI is required to fulfill its obligation to safeguard the security of its computer systems.
  • The legislation will not cover essential services operated by the Government (such as water supply and drainage), as existing policy and guidelines will continue to apply to them.

2. Obligations of CIOs

Statutory obligations imposed on CIOs will be classified into three categories: (a) organizational; (b) preventive; and (c) incident reporting and response.

Organizational
  • CIOs must provide the Commissioner’s Office with an address and office in Hong Kong, report ownership changes and establish a dedicated security management unit.
Preventive
  • CIOs must report any material changes to CCSs to the Commissioner’s Office, implement a computer system security management plan, conduct annual computer system security risk assessments and undergo independent computer system security audits every two years.
  • The security management plan and the reports on the assessments and audits must be submitted to the Commissioner’s Office.
  • Where third-party service providers are engaged, the CIO remains responsible for the statutory obligations.
Incident reporting and response
  • CIOs must participate in security drills organized by the Commissioner’s Office every two years, formulate an emergency response plan and submit it to the Commissioner’s Office.
  • CIOs must report computer system security incidents (a) within two hours after becoming aware of a serious computer system security incident (including incidents that lead to a large-scale leakage of personal data or other data) and (b) within 24 hours after becoming aware of any other computer system security incident.
  • If the initial report is made by telephone or text message, the CIO must submit a written report within 48 hours of the initial report.
  • Incidents involving personal data may fall under the purview of both the Commissioner’s Office and the Office of the Privacy Commissioner for Personal Data. It is unclear whether the two Offices will investigate jointly or separately.

Upon request by the Commissioner’s Office while investigating an incident or offence related to the three obligation categories above, CIOs are required to submit information available to them, even if such information is located outside Hong Kong.

3. Commissioner’s office and designated authorities

  • A new Commissioner’s Office will be established under the Security Bureau to oversee the implementation of the legislation.
  • The Office will designate CIOs and CCSs, establish a code of practice, monitor threats, assist in incident response, investigate non-compliance by CIOs, coordinate with other government departments and issue written directions requiring CIOs to fix identified security concerns.
  • Specific sector regulators will be designated as authorities to monitor compliance with the organizational and preventive obligations, while the Commissioner’s Office will handle incident reporting and response. It is proposed that (a) the Hong Kong Monetary Authority be designated as the authority for CIOs in the banking and financial services sector and (b) the Communications Authority as the authority for CIOs in the communications and broadcasting sector.

4. Offences, penalties and investigation powers

  • The legislation will create offences for non-compliance with the statutory obligations and for failure to comply with written directions and requests from the Commissioner’s Office.
  • Financial penalties will be imposed on an organizational basis, with fines ranging from HK$500,000 to HK$5 million and, for certain continuing offences, additional daily fines of HK$50,000 or HK$100,000.
  • Where a third-party service provider’s conduct leads to non-compliance with the statutory obligations, the CIO will be held responsible for that non-compliance.
  • The Commissioner’s Office will have extensive powers to investigate computer system security incidents and offences under the legislation. Specifically, it will be able to question and request information from CIOs, require remedial measures, and enter premises for investigation with the CIO’s consent or a magistrate’s warrant. In more serious cases, the Commissioner’s Office may, with a magistrate’s warrant, require a person other than the CIO who appears to control the CCS to assist in the investigation.

5. Appeal mechanism and subsidiary legislation 

  • An appeal board will be established so that CIOs can contest designations or directions made by the Commissioner’s Office.
  • The Secretary for Security will have the authority to specify or amend certain details through subsidiary legislation, including the essential services sectors whose infrastructure may be designated as CI and the scope of security management plans and security audits.
Way forward and timeline

The Security Bureau is scheduled to consult the Legislative Council Panel on Security on 2 July 2024, followed by consultation with the relevant sectors. After the one-month consultation period, the Government plans to introduce the Bill to the Legislative Council by the end of 2024, to establish the Commissioner’s Office within a year of the Bill’s passage, and to bring the legislation into force six months after that.

Key points of note

At present, Hong Kong has no statutory requirements for the protection of the computer systems of CIs, while other jurisdictions have already enacted comparable laws, e.g. the Cybersecurity Law (2016) and the Regulations on the Security Protection of Critical Information Infrastructure (2021) in Mainland China, the Cybersecurity Act (2018) in Singapore and the Security of Critical Infrastructure Act (2018) in Australia.

The Hong Kong Chief Executive announced in the 2022 Policy Address that a new law would be introduced to improve the cybersecurity of CIs. With the surge in cybersecurity incidents involving major public bodies in Hong Kong over the past few months, the proposed legislation is a timely response by the Government and recognises the importance of protecting the computer systems of CIs.

While we await the outcome of the consultation and the draft Bill from the Government, we recommend that organizations and businesses in Hong Kong consider taking the following steps:

  • assess their potential status as CIOs and the applicability of the proposed legislation to their operations, particularly for those in the eight essential services sectors;
  • evaluate and strengthen cybersecurity measures against the proposed statutory requirements and the detailed requirements set out in Annex III of the Paper (which may form the content of the future code of practice);
  • consider the implications of the proposed legislation on both existing and future contracts, particularly with third-party service providers; and
  • prepare for and allocate a budget to implement the organizational changes required to meet the proposed obligations, such as establishing a security management unit and formulating security management plans.

We will closely monitor the legislation as it develops and provide further updates.

The paper submitted to the Legislative Council by the Security Bureau can be found here.