Hong Kong proposes new cybersecurity law to enhance protection of critical infrastructure

On 25 June 2024, a new cybersecurity law was proposed to enhance the protection of computer systems of critical infrastructures (CIs) in Hong Kong. The proposed new law is tentatively entitled the "Protection of Critical Infrastructure (Computer System) Bill" (Proposed Legislation), and the proposed legislative framework was set out in a paper (Paper) submitted by the Hong Kong Government to the Legislative Council (LegCo) for its discussion on 2 July 2024. The Government plans to introduce the proposed Bill into LegCo by the end of 2024. The Proposed Legislation, once enacted, would likely be implemented in a staged approach, with full implementation by 2026.

The objectives of the Proposed Legislation are to strengthen the security of the computer systems of CIs, and minimise the chance of essential services being disrupted or compromised due to cyberattacks. 

The developments in Hong Kong are part of a global trend for increased cybersecurity legislation, bringing Hong Kong in line with other key jurisdictions with similar cybersecurity laws regulating operators of CIs such as Mainland China, Macao, Australia, Singapore, Malaysia and Thailand in the Asia-Pacific region, and globally in the UK, the EU, the US and Canada. 

The Proposed Legislation marks a significant step towards aligning Hong Kong with other jurisdictions to enhance the protection of CIs and enhance the overall computer system security in Hong Kong. Businesses should closely monitor the developments relating to the Proposed Legislation and review existing cybersecurity measures.

Key takeaways

• The Proposed Legislation only covers expressly designated critical infrastructure operators (CIOs) and critical computer systems (CCSs). The list of CIOs will not be publicly available.
   
• CCSs physically located outside of Hong Kong may also be regulated.
   
• CIOs will be subject to the following types of statutory requirements – organisational, preventive, and incident response. CIOs will be required to report (i) serious computer system security incidents within 2 hours; and (ii) other computer system security incidents within 24 hours.
   
• A new Commissioner's Office will be established under the Security Bureau.
   
• Specific sector regulators (such as the Hong Kong Monetary Authority (HKMA)) will be designated as authorities to monitor compliance with the respective CIOs' organisational and preventive obligations.
   
• The Commissioner's Office will have extensive investigative powers, such as the power to compel a CIO to provide information (even if such information is located outside Hong Kong) or access to their premises.
   
• The Proposed Legislation will introduce offences, and fines for non-compliance may be imposed on CIOs but not individuals.

Scope of the Proposed Legislation

Only expressly designated CIOs and CCSs will be regulated under the proposed framework.

CIOs and CCSs will be designated by a new Commissioner’s Office and the list of CIOs will not be publicly available. This approach is consistent with the approach adopted in other jurisdictions such as China and Singapore.

• CIOs: An organisation will be designated as a CIO if it operates an infrastructure deemed by the Commissioner’s Office to be a CI, taking into account the organisation’s level of control over the infrastructure.
  
  It has been proposed that large organisations, rather than small and medium enterprises, will be targeted by the Proposed Legislation.
  
  The Proposed Legislation will only require CIOs to bear the responsibility for securing their CCSs and it will not involve the personal data and business information contained in those systems.
   
• CIs: The Government has proposed two major categories:
   
  • Infrastructures for delivering essential services in Hong Kong in eight selected sectors, namely: (i) energy; (ii) information technology; (iii) banking and financial services; (iv) land transport; (v) air transport; (vi) maritime; (vii) healthcare services; and (viii) communications and broadcasting; and
     
  • Other infrastructures for maintaining important societal and economic activities including, amongst other things: (i) major sports and performance venues; (ii) research and development parks, etc.
     
• CCSs: Computer systems will be designated as CCSs if they are "relevant to the provision of essential service or the core functions of computer systems, and those systems which, if interrupted or damaged, will seriously impact the normal functioning of the CIs". This means that other computer systems that are not designated as CCSs will not be subject to the Proposed Legislation.

Similar to the scope of cybersecurity laws in Singapore, CCSs physically located outside of Hong Kong may also be regulated by the Proposed Legislation.

The Commissioner’s Office will engage in discussion with the organisation to be designated as a CIO, and any designated CIO will have an opportunity to object to such designation and appeal to an independent board.

Obligations of critical infrastructure operators

An organisation-based approach will be adopted, which means the organisation responsible for operating a CI is required to fulfil its obligation to safeguard the security of its computer systems. An organisation which has been designated as a CIO will need to fulfil three types of obligations:

1. Organisational obligations include:
   • maintain an address and office in Hong Kong (and keep the Commissioner's Office updated on any subsequent changes);
   • report changes in the ownership and operatorship of CIs; and
   • set up a computer system security management unit with professional knowledge (may be outsourced) supervised by a dedicated supervisor of the CIO.
      
2. Preventive obligations include:
   • inform the Commissioner’s Office of material changes to their CCSs (eg, design, configuration, security, operation);
   • formulate and implement a computer system security management plan and submit the plan to the Commissioner's Office;
   • conduct a computer system security risk assessment (at least once every year) and submit the assessment report to the Commissioner's Office;
   • conduct an independent computer system security audit (at least once every two years) and submit the audit report to the Commissioner's Office; and
   • adopt measures to ensure their CCSs' compliance with the relevant statutory obligations even when third party service providers are employed.
      
3. Incident reporting and response obligations include:
   • participate in a computer system security drill organised by the Commissioner's Office (at least once every two years);
   • formulate an emergency response plan and submit it to the Commissioner's Office; and
   • notify the Commissioner’s Office of the occurrence of computer system security incidents in respect of CCSs (Mandatory Incident Notification).

The Mandatory Incident Notification obligation means that CIOs will need to report to the Commissioner’s Office computer system security incidents so that the Commissioner may instruct timely response as needed. Computer system security incidents refer to activities carried out without lawful authority on or through a computer system that jeopardises or adversely affects its computer system security.

The time frame for the Mandatory Incident Notification depends on the seriousness of the incident.

• Within 2 hours after becoming aware of the incident – Report serious computer system security incidents, which refer to incidents that have or are about to have a major impact on the continuity of essential services and normal operating of CIs, or lead to a large-scale leakage of personal information and other data; and
   
• Within 24 hours after becoming aware of the incident - Report other computer system security incidents.

If the initial report is made by telephone or text message, the CIO will need to submit a written record within 48 hours after the initial report has been made. The Proposed Legislation also contemplates the submission of a subsequent written report within 14 days after becoming aware of an incident, providing further details of the incident (including the cause(s), impact and remedial measures).

Further detail on the proposed requirements is set out in Annex I of the Paper.

Commissioner's Office and powers

A Commissioner’s Office will be established within the Security Bureau to enforce the Proposed Legislation. The Office will:

• designate CIOs and CCSs;
• establish a Code of Practice;
• monitor security threats;
• assist CIOs in incident response;
• investigate non-compliance of CIOs;
• coordinate with other government departments in formulating policies and handling incidents; and
• issue written instructions to CIOs to plug potential security loopholes.

The Commissioner's Office will have extensive powers to investigate (i) computer system security incidents; and (ii) offences under the Proposed Legislation. This is consistent with cybersecurity laws elsewhere, for example in Singapore and Malaysia. Specifically, the Commissioner's Office will have the power to request the CIOs to provide information (even if such information is located outside Hong Kong) and take remedial measures, and enter relevant premises for investigation with a magistrate's warrant. In more serious cases (ie, where a CIO is unwilling or unable to respond to a cyber incident), the Commissioner's Office can connect equipment to or install program in the CCS with a magistrate's warrant. Further detail is set out in Annex II of the Paper, and the extent of the Commissioner Office's powers will become clearer once the Bill is published.

Sector regulators

Given that some of the CIs are already comprehensively overseen by statutory sector regulators, certain sector regulators will be designated as authorities to monitor the fulfilment of the organisational and preventive obligations by the relevant sectors. The Commissioner's Office will monitor the compliance of the incident reporting and response obligations. This approach allows the designated authorities to establish standards and requirements under their existing regulatory regimes that best suit the sectors’ needs. CIOs in these sectors will not be subject to double regulation - they will not need to fulfil additional requirements of the Commissioner’s Office in relation to the organisational and preventive obligations.

Two sector regulators have been proposed at this stage, namely (i) the HKMA for the banking and financial services sector; and (ii) the Communications Authority for the communications and broadcasting sector. Designated authorities may issue relevant guidelines for the institutions regulated.

It remains unclear if all financial institutions in Hong Kong will be covered. However, it has been proposed that the HKMA will be responsible for regulating "some" service providers in the banking and financial services sector.  We also note that the CIOs to be regulated will mostly be large organisations.

Legal consequences and penalties

The proposed offences under the Proposed Legislation include:

• CIOs' non-compliance with statutory obligations;
• CIOs' non-compliance with written directions issued by the Commissioner's Office;
• non-compliance with requests of the Commissioner's Office under the statutory power of investigation; and
• non-compliance with requests of the Commissioner's Office to provide relevant information relating to a CI.

The Proposed Legislation only stipulates fines, as determined by courts, as potential penalties. Offences and penalties will only be applicable to organisations so their individual officers or staff members will not be penalised at the individual level.

It is proposed that failure by the CIOs to comply with any of the above obligations will be publishable by fines ranging from HK$500,000 to HK$5 million. Additional daily fines could be imposed if there is persistent non-compliance.

If a CIO's non-compliance with the statutory obligations results from a third-party service provider's inadequate action, the CIO would still be held responsible for the non-compliance.

However, if non-compliance involves existing criminal legislation, such as making false statements or fraud-related crimes, the personnel involved may be held personally criminally liable.

By comparison, non-compliance can lead to criminal penalties including imprisonment in Singapore and Malaysia.

Next steps

The Government plans to introduce the Proposed Legislation into LegCo by the end of 2024 and aims to set up the Commissioner's Office within one year following the passage of the proposed Bill, after which the proposed Bill would come into force within six months.

It is proposed that the Secretary for Security will have the authority to specify or amend certain details through subsidiary legislation, including the type of essential services sectors that may be designated as a CI and the scope of security management plans and security audits.

We will continue to monitor developments in this reform and will provide further updates as the legislation is finalised. Please reach out to your usual HSF contact if you would like to discuss further.