In July 2024, we issued a legal update on the proposed introduction of the Protection of Critical Infrastructures (Computer Systems) Bill (the Bill) and mentioned that there would be a one-month consultation period with the relevant sectors after discussion with the Legislative Council. Following the consultation exercise, the Hong Kong government has now published the Bill in the Gazette and will introduce it into the Legislative Council for First Reading and Second Reading on 11 December 2024.
In this article, we highlight some key provisions as noted from the Bill.
Key provisions in the Bill
- Definitions of critical infrastructure and critical infrastructure operator – While confirming that critical infrastructure means any infrastructure that is essential to the continuous provision in Hong Kong of an essential service in a sector specified in Schedule 1, or any other infrastructure the damage, loss of functionality or data leakage of which may hinder or otherwise substantially affect the maintenance of critical societal or economic activities in Hong Kong, “critical infrastructure operator” (CI Operator) is clarified to mean only an organization designated under s.12 of the Bill. The Bill further sets out criteria under s.11 by which the regulating authority may ascertain whether an infrastructure is a specified critical infrastructure. A CI Operator must also maintain an office in Hong Kong, must inform the regulating authority in writing of any change of address (s.19), and must set up and maintain a computer-system security management unit (s.21). These, among others, are categorized as “category 1 obligations” under the Bill.
- Obligations relating to prevention of threats and incidents – Multiple notification obligations are placed on the CI Operator in Division 2 of Part 4 of the Bill, including requiring the CI Operator to (i) notify the regulating authority within 1 month after the occurrence of an event specified under s.22(2) of the Bill, (ii) submit to the regulating authority, within 3 months of the designation date, a plan for protecting the computer-system security of the critical computer systems of the critical infrastructure covering all matters specified in Schedule 3 of the Bill (s.23), (iii) implement that computer-system security management plan (s.23), (iv) conduct a computer-system security risk assessment within 12 months of the designation date and every 12 months thereafter covering all matters specified in Schedule 4 (s.24), (v) submit a report on the assessment within 3 months of the assessment, (vi) carry out an audit of the computer-system security of the critical computer systems of the critical infrastructure within 24 months of the designation date and every 24 months thereafter covering all matters specified in Schedule 5 of the Bill, and (vii) submit a report on the audit within 3 months (s.25). These, among others, are categorized as “category 2 obligations” under the Bill.
- Obligations relating to incident reporting and response – CI Operators are also required to (i) participate in a computer-system security drill if requested by the Commissioner (s.26), (ii) submit, within 3 months of the designation date, a plan covering all matters specified in Part 2 of Schedule 3 detailing the emergency response plan (s.27), and (iii) notify the Commissioner, upon becoming aware that a computer-system security incident has occurred in respect of a critical computer system of a critical infrastructure, as soon as practicable and in any event within the time specified in column 3 of Schedule 6, i.e.:
  - If the computer-system security incident concerned has disrupted, is disrupting or is likely to disrupt the core function of the critical infrastructure – 12 hours after the CI Operator becomes aware of the incident
  - For any other case – 48 hours after the CI Operator becomes aware of the incident
CI Operators are also required to submit a written report of the incident within 14 days after the date on which the CI Operator becomes aware of the incident (s.28(4)).
These obligations are categorized as “category 3 obligations” under the Bill.
- Extraterritorial jurisdiction removed – Since a computer system would be designated as a critical computer system only if it is accessible by the operator in or from Hong Kong and is essential to the core function of a critical infrastructure operated by the operator (s.13), the Bill has no extraterritorial effect.
- Clarification of the use of code of practice in legal proceedings – The Bill further clarifies at s.9 that failure by an organization to observe the provisions of the code of practice does not by itself make the organization liable to any civil or criminal proceedings, but (i) the code of practice is admissible in evidence in the proceedings and (ii) proof that the organization contravened or did not contravene a relevant provision of the code may be relied on by a party as tending to establish or negate that matter.
- Introduction of defences of due diligence and reasonable excuse for certain offences – Depending on the circumstances, defences of “due diligence” (s.65) and “reasonable excuse” (s.66) may be available if certain thresholds can be met.
To raise a defence of due diligence, (i) sufficient evidence must be adduced to show that the commission of the offence was due to a cause beyond the defendant’s control and the defendant took all reasonable precautions and exercised all due diligence to avoid the commission of the offence, and (ii) the contrary is not established by the prosecution beyond reasonable doubt.
To raise a defence of reasonable excuse, (i) sufficient evidence must be adduced to raise an issue that the defendant had such a reasonable excuse and (ii) the contrary is not proved by the prosecution beyond reasonable doubt.
Way Forward
As mentioned in our previous article, the Hong Kong government has plans to establish the Commissioner’s Office within a year after the passage of the Bill, with the legislation coming into force six months thereafter.
Now that the provisions of the legislation are clear, potential CI Operators should consider the implications of the Bill for them and review their existing cybersecurity measures to ensure compliance with the Bill.