Hong Kong SAR | Publication | July 2024
The Proposed Legislation targets CIOs that are (i) necessary for the continuous delivery of essential services in Hong Kong [1] and (ii) those maintaining important societal and economic activities in Hong Kong [2]. It will require these CIOs to fulfil baseline requirements set as statutory obligations, from which the CIOs can build up and enhance their capabilities for securing their computer systems according to their own needs and characteristics.
To enable the CIOs to focus their resources, it is proposed that only “Critical Computer Systems” (CCS, i.e. computer systems that are relevant to the provision of essential services or the core functions of the computer systems which, if interrupted or damaged, will seriously impact the normal functioning of the CIOs) are to be covered. Further, names of CIOs would not be explicitly disclosed under the Proposed Legislation to avoid attracting targeted cyberattacks, and only names of the essential service sectors will be set out.
The key statutory obligations to be imposed are:
Organisation
CIOs shall:
Preventive
CIOs shall:
Incident reporting and response
CIOs shall:
CIOs should also note that if the Commissioner’s Office requires them to provide relevant information in the course of investigating an incident or an offence related to the above obligations, they must submit that information even if it is located outside Hong Kong.
A Commissioner’s Office is proposed to be set up under the Security Bureau, which will have powers, among others, to designate CIOs, establish Codes of Practice, investigate and follow up on non-compliance by CIOs, issue written instructions to CIOs to plug potential security loopholes, and investigate offences (including powers to question, request information, and enter premises for investigation with a magistrate’s warrant) under the Proposed Legislation.
Some sector regulators, including the Hong Kong Monetary Authority and the Communications Authority, will also be designated to monitor the discharge of organisational and preventive obligations by the essential services sectors.
Since the Proposed Legislation intends to target CIOs, offences and penalties are proposed to be imposed on an organisational basis only, with fines ranging from HK$500,000 to HK$5 million and additional daily fines of HK$50,000 or HK$100,000 for persistent non-compliance with certain offences. The current proposed offences include:
That being said, if the relevant violations touch upon existing criminal legislation (e.g. submitting false information to the Commissioner’s Office), any personnel involved may be held personally criminally liable. CIOs will also be liable for any inadequate actions leading to non-compliance with the Proposed Legislation on the part of any third-party service providers engaged by them.
Various questions were raised at the LegCo Discussion, including the following:
For query (i), the Hong Kong government confirmed at the LegCo Discussion that CIOs will receive notifications if they fall under the ambit of the Proposed Legislation, in order to ensure that CIOs have sufficient time to prepare for compliance with it.
As to query (ii), the current Proposed Legislation will only target large corporations designated as CIOs and small and medium enterprises (SMEs) are not regulated. That said, as the Proposed Legislation will be implemented in phases, if it later extends to cover SMEs, subsidies may be provided and detailed Practical Guidelines will be issued.
For query (iii), since CIOs will remain liable for any non-compliance with the Proposed Legislation on the part of the third-party service providers engaged by them, CIOs should make sure that any such contractors they engage are qualified and competent.
There will be a one-month consultation period with relevant sectors after the discussion with LegCo on 2 July 2024, with plans to introduce the Proposed Legislation into LegCo for consideration by the end of 2024. On passage of the Proposed Legislation, the Commissioner’s Office is expected to be established within a year, with the legislation coming into force six months after.
While the Proposed Legislation is yet to take effect, CIOs should be aware of their potential statutory obligations and set up a computer system security management unit as soon as possible to ensure compliance with the Proposed Legislation.
CIOs should also:
© Norton Rose Fulbright LLP 2023