Article

Hong Kong Government considers changes to proposed critical infrastructure cybersecurity law

Published Date
Oct 4, 2024
The Security Bureau has completed its one-month consultation on its proposal in relation to the Protection of Critical Infrastructures (Computer Systems) Bill (the Bill) and released the consultation report in its information paper to the Legislative Counsel. This article provides an update on the consultation findings and the potential way forward. For details on the original proposal, please refer to our previous article.

Important highlights

The key changes to the original proposals under consideration include:

  1. Relaxation of incident reporting timeframe from two to 12 hours for serious incidents and from 24 to 48 hours for other incidents; and
  2. Removal of the reporting requirement for ownership changes.

Consultation overview 

  • The Security Bureau organized five consultation sessions attended by nearly 200 stakeholders, including potential organizations to be designated as Critical Infrastructure Operators (CIOs), cybersecurity service providers and audit firms. Representatives of the proposed designated authorities (the Hong Kong Monetary Authority and the Communications Authority) were also present. 
  • The Security Bureau received 53 written submissions, and the report states that the majority of these were in favor of the proposed legislation.

Some key comments and suggestions received are summarized below.

  • Scope of regulation: The information technology sector should be clearly defined under the law. More sectors should be included and extraterritorial jurisdiction should be removed.
  • Targets of regulation: There should be clear definitions, conditions, and scopes for Critical Infrastructure (CI), CIO and Critical Computer Systems (CCS) to enable CIOs to be fully prepared.
  • Organizational Obligations: There were concerns about the practical difficulties in timely reporting of ownership changes and the definition of operatorship should be clarified.
  • Preventive Obligations: There should be clearer criteria and requirements for reporting changes to CCSs, safeguarding confidentiality, and adopting international standards to minimize duplication of efforts.
  • Incident Reporting and Response: Clear criteria for incident reporting should be set, and reporting timeframes should be relaxed. Repeated reporting should be minimized and flexibility for security drills should be allowed.
  • Commissioner's Office: There should be clarification on written notices issued by the Commissioner’s Office. There were concerns about how data would be protected by the Commissioner’s Office and the division of work with the Police and PCPD Office. Proactive intelligence gathering about cybersecurity risks by the Commissioner’s Office was also suggested.
  • Designated Authorities: Individual statutory sector regulators should be better coordinated to avoid duplication of compliance work.
  • Offenses and Penalties: There are concerns about liabilities arising as a result of non-compliance by third-party service providers. A grace period was suggested to allow time for planning, upskilling and compliance and there was proposal for “reasonable excuse” with respect to penalties.
  • Investigation Powers: There were concerns about the scope of requests, investigations, and on-site evidence collection by CIOs.

Potential changes to the proposal

In response to the comments and suggestions, the Security Bureau has indicated that it will consider implementing the following changes to the proposed bill.

Relaxation of incident reporting timeframe: 

  • There were views that it will be difficult for organizations to conduct a timely investigation into the nature and cause of a serious computer system security incident within two hours after becoming aware of the incident (or within 24 hours after the occurrence of other incidents) and report to the Commissioner’s Office, as required by the proposed legislation.
  • Acknowledging the potential difficulties in incident reporting and in reference to overseas jurisdictions, the Security Bureau is considering relaxing the proposed timeframe for reporting serious computer system security incidents from two hours to 12 hours after becoming aware of the incident, and from 24 hours to 48 hours after becoming aware of other incidents.

Removal of reporting requirement for ownership changes:

  • Under the original proposal, CIOs must report ownership changes of their critical infrastructures. There were views that it would be difficult for organizations (listed companies in particular) to report frequently to the Commissioner’s Office about any changes in ownership. The Security Bureau will seriously consider removing this proposed requirement.

Code of Practice: In formulating the Code of Practice to assist CIOs to comply with the statutory obligations, the Security Bureau has provided more clarity on the content. It is considering including the following details in the Code of Practice:

  • A detailed list of eligible professional qualifications to facilitate the appointment of suitable personnel.
  • Recommended standards for computer system security risk assessments and audits, by making reference to the latest technology and international standards.
  • Qualification requirements for audit staff, by making reference to internationally recognized standards and relevant professional qualifications.
  • Elaboration and details on the coverage of “incidents required to be reported”.
  • Standards and methodologies that are applicable to specific scenarios.
  • More guidelines on “due diligence” performance and “reasonable endeavor”, which will serve as a reference for CIOs when they draw up and enforce contracts with third-party service providers.
  • Requirements and scope of computer system security training and relevant information on training.

Way forward and timeline

Consistent with the original timeline, the Government is currently finalizing the Bill and aims to introduce it to the Legislative Council by the end of 2024, establish the Commissioner’s Office within a year of the Bill’s passage, with the legislation coming into force six months later.

With further clarity now around the bill as the proposals continue to take shape, we recommend that organizations and business in Hong Kong should continue with the steps set out in our last article, that is:

  • Assess their potential status as CIOs and the applicability of the proposed legislation to their operations, particularly for those in the eight essential services sectors;
  • Evaluate and strengthen cybersecurity measures against the proposed statutory requirements and the detailed requirements set out in Annex III of the Paper (which may form the content of the future code of practice);
  • Consider the implications of the proposed legislation on both existing and future contracts, particularly with third-party service providers; and
  • Prepare for and allocate a budget to implement the organizational changes required to meet the proposed obligations, such as establishing a security management unit and formulating security management plans.

We will closely monitor the developments and provide further details of the proposed bill become available.

For further information about the proposed law, similar laws around the world and practical steps you can take to prepare, please join our webinar on October 22 at 11am (GMT+8) . To register, click here.

Related capabilities

DisputesCybersecurityData privacy and data protectionIndustrials and manufacturingDigital infrastructureTechnology

Related people

Anna Gamvros

Anna Gamvros

Partner

Sydney

Anna is Head of Asia Pacific Privacy and Cyber.
Edward Yau

Chun Bun (Edward) Yau

Associate

Hong Kong SAR

Edward has experience of a wide range of cybersecurity, data protection and technology matters.
Image of Ruby Kwok

Ruby Kwok

Senior Associate

Hong Kong SAR

Ruby’s practice focuses on privacy and data protection, cybersecurity and breach response in APAC, and regulatory issues in the t...