ALB OCTOBER 2024 (ASIA EDITION)

Asian Legal Business | October 2024

The Briefs EXPLAINER

Can a new cybersecurity law make Hong Kong safer?

In response to the increasing number of cyberattacks and significant breaches of critical infrastructure globally in recent years, Hong Kong has moved quickly to enhance its cybersecurity framework, aiming to protect the city's cyber capabilities and strengthen its resilience. In June, the government proposed a new legislative framework to enhance the protection of the computer systems of critical infrastructures; the proposal was under industry consultation until August. Lawyers are positive about the legislative impact of the bill, but it remains to be seen to what extent the consultation responses will translate into changes to the proposed bill.

The government plans to establish a Commissioner's Office under the Security Bureau within one year of the proposed Bill's approval, with the Bill set to take effect six months thereafter. This office will have the authority to investigate and enforce compliance with the new obligations set out in the Bill.

1. What are the key provisions and the scope of the bill?

The Protection of Critical Infrastructure (Computer System) Bill focuses on operators of critical infrastructure (CIOs) that are essential for the uninterrupted provision of vital services in Hong Kong and for sustaining key societal and economic functions within the city.

Wilfred Ng and Danny Leung, partners at Bird & Bird in Hong Kong, point out that the proposed bill adopts an "organisation-oriented" approach with a clearly defined scope. Only the critical computer systems (CCSs) of CIOs will be regulated under the proposed bill. "CCSs are systems which are necessary for the provision of essential services and those systems which, if interrupted, will seriously impact the normal functioning of the CIOs," note Ng and Leung. "Once designated, the statutory obligations will apply to the CCSs regardless of whether they are physically located in Hong Kong or elsewhere."

Organisations, rather than individuals, will be held accountable for non-compliance with the obligations. Businesses are therefore advised to keep a close eye on the progress of the proposed legislation and assess their current cybersecurity measures.

Key obligations to the Commissioner's Office set out in the bill fall into three groups: organisational obligations, under which CIOs must keep the office updated on the ownership and operatorship of the infrastructure; preventive obligations, which mandate the submission of a security management plan and the results of regular independent audits; and incident reporting and response obligations. These obligations may also affect CCSs physically located outside Hong Kong. "In addition, upon request by the office in the course of investigating an incident or offence, CIOs must submit relevant information available to them, even if such information is located outside Hong Kong," note Ng and Leung.

2. What challenges remain?

Under the proposed bill, designated industry-specific regulators, such as the Hong Kong Monetary Authority and the Communications Authority, will be entrusted to set industry standards and requirements in the essential services sector. This is important for meeting the organisational and preventive obligations outlined in the Bill. Nonetheless, Ng and Leung also note that the Commissioner's Office may initiate an investigation and address an incident together with the Cyber Security and Technology Crime Bureau of the Hong Kong Police Force and the Hong Kong Computer Emergency Response Team Coordination Centre as necessary. "Accordingly, further regulatory clarity is expected between the office and industry regulators to ensure there is clear guidance for organisations to navigate when establishing their response mechanisms to computer security incidents," they caution.

3. What direction are the regulators likely to be headed in?

Once the bill is enacted, Ng and Leung expect organisations designated as CIOs to leverage their existing compliance frameworks to meet the relevant cybersecurity statutory obligations. "In preparing for the statutory obligations, the CIOs should capitalise on existing infosec and cybersecurity compliance programmes, taking into account the organisational and preventative obligations stipulated under the Bill, incident reporting deadlines, and the extent to which any statutory obligations will need to be reflected in vendor agreements with affiliated entities or third-party service providers," they explain.

But Ng and Leung also point out that the bill's effect is not limited to CIOs: non-CIO organisations could also be indirectly encouraged to revisit and expand their existing cybersecurity compliance frameworks. Notably, the Privacy Commissioner for Personal Data has also indicated plans to introduce mandatory breach notification requirements.
