The Hong Kong Government recently tabled a legislative proposal to regulate the cybersecurity obligations of critical infrastructure operators (“Proposed Framework”) to the Legislative Council Panel on Security (“Panel”) for consultation on 2 July 2024. Following the Panel consultation, the Government will further consult the relevant industry sectors on the legislative proposals over a one-month period.
According to the current timetable, the relevant bill has been included in the 2024 Legislative Programme. This signifies the imminent enactment of Hong Kong’s first cybersecurity legislation.
Currently, Hong Kong law does not impose any cybersecurity obligations on critical infrastructures.
Against the backdrop of legislative developments in other jurisdictions, particularly Mainland China (Cybersecurity Law 2016 and Regulation for Safe Protection of Critical Information Infrastructure 2021), the Government has been carrying out preparatory work since 2021 to introduce legislation that regulates the protection of the computer systems of critical infrastructures. After a series of discussions throughout 2022 and 2023, the Proposed Framework, prepared jointly by the Security Bureau, the Office of the Government Chief Information Officer and the Hong Kong Police Force, is now ready for Panel and industry consultation.
Separately, the Hong Kong Law Reform Commission released the Consultation Paper in July 2022 proposing the New Cybercrime Offences, which aim to rein in cybercrime with tougher penalties of up to life imprisonment. These proposed offences focus on cyber-dependent crimes, those that can be committed only through the use of information and communications technology devices, where the devices are both the tool for committing the crime and the target of the crime.
Under the Proposed Framework, the Protection of Critical Infrastructure (Computer System) Bill (the “Bill”) imposes obligations on Critical Infrastructure Operators (see CIOs defined below) to take appropriate measures on strengthening the security of their computer systems. In addition, the Bill proposes to establish a new Commissioner’s Office under the Security Bureau with investigative powers and designate industry-specific regulators of the essential services sectors, such as the Monetary Authority and Communications Authority, to monitor compliance. The Bill also formulates offences and penalties for non-compliance.
Critical Infrastructure (“CI”) is defined as facilities that are necessary for the normal functioning of Hong Kong society covering two categories.
Category 1: Infrastructures for delivering essential services
The infrastructures which, if disrupted, compromised or rendered unavailable for an extended period, will significantly impact the everyday life and functioning of the society. These include infrastructures in the following sectors: (a) Energy; (b) Information Technology; (c) Banking and Financial Services; (d) Land Transport; (e) Air Transport; (f) Maritime; (g) Healthcare Services; and (h) Communications and Broadcasting.
Category 2: Other infrastructures for maintaining important societal and economic activities
This includes infrastructures whose damage, loss of functionality or data leakage may have serious implications for important societal and economic activities in Hong Kong, such as major sports venues, performance spaces and research and development parks.
The Bill will adopt an “organisation-based” approach and only govern CI Operators (“CIOs”) expressly designated by the new Commissioner’s Office (the “Office”). However, the list of designated CIOs will not be disclosed under the proposed legislation; rather, only the names of the eight essential services sectors will be set out.
Importantly, only the Critical Computer Systems (“CCSs”) of CIOs will be regulated. Other computer systems of CIOs not designated as CCSs will not be regulated.
The CCSs of each CIO will be designated by the Office. CCSs are systems which are necessary for the provision of essential services and those systems which, if interrupted, will seriously impact the normal functioning of the CIs. Once designated, the statutory obligations will apply to the CCSs regardless of whether they are physically located in Hong Kong or elsewhere.
The Office is empowered to investigate a security incident for the purposes of assessing its impact, reducing consequential harm and preventing recurrence. In doing so, the powers of the Office include requesting a CIO to answer questions, submit information and take remedial measures or, in certain cases, entering the relevant premises for investigation with a court warrant. In addition, the Office may exercise similar powers when investigating offences under the proposed legislation, such as requesting information and entering premises to take possession of documents pursuant to a court warrant.
Non-compliance will be an offence, but the Bill proposes to impose penalties only on the CIOs (i.e. at the organisational level) and not on the heads or staff of the CIOs at the individual level. CIOs’ non-compliance could be met with fines ranging from HK$500,000 to HK$5 million. Additional daily fines could be imposed if there is persistent non-compliance.