A legislative proposal to regulate the cybersecurity obligations of critical infrastructure operators (CIOs) was tabled by the Hong Kong government for consultation at the Legislative Council (LegCo) on 2 July 2024. The legislation is currently titled the “Protection of Critical Infrastructure (Computer System) Bill” (the Proposed Legislation) and would be the city’s first legislation on cybersecurity.
Key Highlights of the Proposed Legislation
The Proposed Legislation targets CIOs whose infrastructure is (i) necessary for the continuous delivery of essential services in Hong Kong or (ii) maintains important societal and economic activities in Hong Kong. These CIOs will be required to fulfil baseline requirements set as statutory obligations, from which they can build up and enhance their capabilities for securing their computer systems according to their own needs and characteristics.
To enable CIOs to focus their resources, it is proposed that only “Critical Computer Systems” (CCSs) are to be covered, i.e. computer systems that are relevant to the provision of essential services or to the core functions of the CIO and which, if interrupted or damaged, will seriously impact the normal functioning of the CIO. Further, the names of CIOs would not be explicitly disclosed under the Proposed Legislation, to avoid attracting targeted cyberattacks; only the names of the essential service sectors will be set out.
The key statutory obligations to be imposed are:
Organisation
CIOs shall:
- provide and maintain an address and office in Hong Kong;
- update the Commissioner’s Office (to be set up) on any change of ownership and operatorship; and
- set up a dedicated computer system security management unit to manage cybersecurity and to follow up on the directions given by the Commissioner’s Office.
Preventive
CIOs shall:
- inform the Commissioner’s Office of material changes to their CCSs, including changes to design, configuration, security, operation, etc.;
- formulate and implement a computer system security management plan and submit the plan to the Commissioner’s Office;
- conduct a computer system security risk assessment at least once every year and submit a report to the Commissioner’s Office;
- conduct an independent computer system security audit at least once every two years and submit a report to the Commissioner’s Office; and
- adopt measures to ensure that their CCSs comply with the relevant statutory obligations even when third-party service providers are employed.
Incident reporting and response
CIOs shall:
- participate in a computer system security drill organised by the Commissioner’s Office at least once every two years;
- formulate an emergency response plan and submit it to the Commissioner’s Office;
- notify the Commissioner’s Office of the occurrence of computer system security incidents in respect of a CCS within a specified time frame, so that the Commissioner’s Office can promptly give directions on the response when necessary.
CIOs should also note that if the Commissioner’s Office requires them to provide relevant information in the course of investigating an incident or offence related to the above obligations, they must submit that information even if it is located outside Hong Kong.
Power of the Commissioner’s Office and designated authorities
A Commissioner’s Office is proposed to be set up under the Security Bureau. It will have powers, among others, to designate CIOs, establish Codes of Practice, investigate and follow up on non-compliance by CIOs, issue written directions to CIOs to plug potential security loopholes, and investigate offences under the Proposed Legislation (including powers to question, request information, and enter premises for investigation with a magistrate’s warrant).
Some sector regulators, including the Hong Kong Monetary Authority and the Communications Authority, will also be designated to monitor the discharge of organisational and preventive obligations by the essential services sectors.
Offences and Penalties
Since the Proposed Legislation targets CIOs, offences and penalties are proposed to be imposed on an organisational basis only, with fines ranging from HK$500,000 to HK$5 million and additional daily fines of HK$50,000 or HK$100,000 for persistent non-compliance in respect of certain offences. The currently proposed offences include:
- CIOs’ non-compliance with statutory obligations;
- CIOs’ non-compliance with written directions issued by the Commissioner’s Office;
- non-compliance with requests of the Commissioner’s Office under the statutory power of investigation; and
- non-compliance with requests of the Commissioner’s Office to provide relevant information relating to a critical infrastructure.
That being said, if the relevant violations touch upon existing criminal legislation (e.g. submitting false information to the Commissioner’s Office), any personnel involved may be held personally criminally liable. CIOs will also be liable for any inadequate actions leading to non-compliance with the Proposed Legislation on the part of any third-party service providers engaged by them.
LegCo discussion on 2 July 2024 (LegCo Discussion)
Various questions were raised at the LegCo Discussion, including the following:
(i) how an entity can determine whether it is a CIO regulated under the Proposed Legislation, given that a full list of CIOs will not be disclosed;
(ii) whether sufficient guidance and resources have been given to these companies to comply with the statutory requirements under the Proposed Legislation; and
(iii) the allocation of responsibility between CIOs and their service providers under the Proposed Legislation.
For query (i), the Hong Kong government confirmed at the LegCo Discussion that CIOs will receive notifications if they fall within the ambit of the Proposed Legislation, so as to ensure that they have sufficient time to prepare for compliance.
As to query (ii), the current Proposed Legislation will only target large corporations designated as CIOs; small and medium enterprises (SMEs) are not regulated. That said, as the Proposed Legislation will be implemented in phases, if it later extends to cover SMEs, subsidies may be provided and detailed Practical Guidelines will be issued.
For query (iii), since CIOs will remain liable for any non-compliance with the Proposed Legislation on the part of the third-party service providers engaged by them, CIOs should make sure that any such contractors they engage are qualified and competent.
Timetable
There will be a one-month consultation period with the relevant sectors after the discussion with LegCo on 2 July 2024, with plans to introduce the Proposed Legislation into LegCo for consideration by the end of 2024. On passage of the Proposed Legislation, the Commissioner’s Office is expected to be established within a year, with the legislation coming into force six months after that.
Way forward
While the Proposed Legislation is yet to take effect, CIOs should be aware of their potential statutory obligations and set up a computer system security management unit as soon as possible to ensure compliance with the Proposed Legislation.
CIOs should also:
- conduct an overall review of their cybersecurity measures currently in place;
- be mindful of the proposed reporting deadlines upon occurrence of computer system security incidents;
- carefully review their agreements with any third-party contractors, service providers and vendors to ensure that adequate security measures are in place and that the other statutory obligations to be imposed are complied with; and
- continue to monitor future legislative developments, including the potential introduction of a mandatory data breach notification mechanism under the Personal Data (Privacy) Ordinance (PDPO) by the Office of the Privacy Commissioner for Personal Data. As raised in the LegCo Discussion, reporting requirements under the Proposed Legislation will not replace any reporting obligations under the PDPO, as the former focuses on the maintenance of a secure computer system while the latter focuses on the protection of personal data.