In response to the increasing number of cyberattacks and significant breaches of critical infrastructure globally in recent years, Hong Kong has quickly taken steps to enhance its cybersecurity framework, aiming to protect the city’s cyber capabilities and strengthen its resilience.

In June, the government proposed a new legislative framework to enhance the protection of computer systems of critical infrastructures, which has been undergoing consultation within the industry until August.

Lawyers are positive about the legislative impact of the bill, but it remains to be seen the extent to which these consultation responses will materialise into the changes to the proposed bill.

The government plans to establish a Commissioner's Office under the Security Bureau within one year of the proposed Bill's approval, with the Bill set to take effect six months thereafter. This office will have the authority to investigate and enforce compliance with the new obligations outlined in the Bill.

WHAT ARE THE KEY PROVISIONS AND THE SCOPE OF THE BILL?

The Protection of Critical Infrastructure (Computer System) Bill focuses on operators of critical infrastructure (CIOs) essential for the uninterrupted provision of vital services in Hong Kong, as well as for sustaining key societal and economic functions within the city.

Wilfred Ng and Danny Leung, partners at Bird & Bird in Hong Kong, point out that the proposed bill adopted an “organisation-oriented” approach with a clearly defined scope. Only the critical computer systems (CCSs) of CIOs will be regulated under the proposed bill.

“CCSs are systems which are necessary for the provision of essential services and those systems which, if interrupted, will seriously impact the normal functioning of the CIOs,” note Ng and Leung. “Once designated, the statutory obligations will apply to the CCSs regardless of whether they are physically located in Hong Kong or elsewhere.”

Organisations, instead of individuals, will be held accountable for potential non-compliance with the obligations. As such, businesses are advised to keep a close eye on the progress of the proposed legislation and assess their current cybersecurity measures.

Notably, key obligations to the Commission’s Office set out in the bill include organisational obligations, which mean CIOs need to keep the office updated on the ownership and operatorship of the infrastructure; preventive obligations that mandate the submission of security management plan and results of regular independent audits; and incident reporting and response obligations.

These obligations may also affect CCSs physically located outside of Hong Kong. “In addition, upon request by the office in the course of investigating an incident or offence, CIOs must submit relevant information available to them, even if such information is located outside Hong Kong,” note Ng and Leung.

WHAT CHALLENGES REMAIN?

Under the proposed bill, designated industry-specific regulators such as the Hong Kong Monetary Authority and the Communications Authority, will be entrusted to set industry standards and requirements in the essential services sector. This is important for meeting the organisational and preventive obligations outlined in the Bill.

Nonetheless, Ng and Leung also note that the Commissioner’s Office may initiate investigation and address the incident with the Cyber Security and Technology Crime Bureau of the Hong Kong Police Force and the Hong Kong Computer Emergency Response Team Coordination Centre as necessary.

“Accordingly, further regulatory clarity is expected between the office and industry regulators to ensure there is clear guidance for organisations to navigate when establishing its response mechanisms to computer security incidents,” they caution.

There are also underlying risks and cybersecurity vulnerabilities that remain inadequately addressed, including risks associated with ransomware attack for providers of IT and cloud-based services, as well as customers of such solutions.   

“The risks are exacerbated when enterprise customers are regulated by industry-specific obligations such as those in the financial services sector,” add Ng and Leung. “Further, the use of AI-assisted technology in the processing of personal, business and operational data is rendering such risks ever more prevalent.”

WHAT DIRECTION ARE THE REGULATORS LIKELY TO BE HEADED?

Once the bill is enacted, Ng and Leung expect organisations designated as a CIO leveraging on existing compliance framework to meet the relevant cybersecurity statutory obligations.

“In preparing for the statutory obligations, the CIOs should capitalise on existing infosec and cybersecurity compliance programme taking into account the organisational and preventative obligations stipulated under the Bill, incident reporting deadlines, and the extent to which any statutory obligations will need to be reflected in vendor agreements with affiliated entities or third-party service providers,” they explain.

But Ng and Leung also point out that the bill targets not only the CIOs as other non-CIO organisations could also be indirectly encouraged to revisit and expand on their existing cybersecurity compliance framework. 

Notably, aside from the incident reporting obligations applicable to CIOs under the proposed cybersecurity legislation, the Privacy Commissioner of Personal Data has indicated plans to introduce mandatory breach notification requirements as part of the proposed amendments to the Personal Data (Privacy) Ordinance.

“Both CIO and other organisations should therefore be aware of its potential mandatory breach notification requirements under both cybersecurity and data protection laws in the future,” they add.