Are you ready for Hong Kong’s Cybersecurity law?

The Hong Kong Government recently tabled a legislative proposal to regulate the cybersecurity obligations of critical infrastructure operators (“Proposed Framework”) to the Legislative Council Panel on Security (“Panel”) for consultation on 2 July 2024. Upon the Panel consultation, the Government will further consult relevant industry sectors on the legislative proposals over a one-month period.

According to the current timetable, the relevant bill has been included in the 2024 Legislative Programme. This signifies the imminent enactment of Hong Kong’s first cybersecurity legislation.

Legislative Background

Currently, Hong Kong law does not impose any cybersecurity obligations on critical infrastructures.

Against the backdrop of legislative developments in other jurisdictions, particularly the Mainland China (Cybersecurity Law 2016 and Regulation for Safe Protection of Critical Information Infrastructure 2021), the Government has been carrying out preparatory work since 2021 to introduce a legislation that regulates the protection of computer systems of critical infrastructures. After a series of discussions throughout 2022 and 2023, the Proposed Framework prepared jointly by the Security Bureau, Office of the Government Chief Information Officer and Hong Kong Police Force is now ready for Panel and industry consultation.

Separately, the Hong Kong Law Reform Commission released the Consultation Paper in July 2022 proposing the New Cybercrime Offences, which aim to rein in cybercrime with tougher penalties of up to life imprisonment. These proposed offences focus on cyber-dependent crimes, those that can be committed only through the use of information and communications technology devices, where the devices are both the tool for committing the crime and the target of the crime.

Scope

Under the Proposed Framework, the Protection of Critical Infrastructure (Computer System) Bill (the “Bill”) imposes obligations on Critical Infrastructure Operators (see CIOs defined below) to take appropriate measures on strengthening the security of their computer systems. In addition, the Bill proposes to establish a new Commissioner’s Office under the Security Bureau with investigative powers and designate industry-specific regulators of the essential services sectors, such as the Monetary Authority and Communications Authority, to monitor compliance. The Bill also formulates offences and penalties for non-compliance.

What is Critical Infrastructure?

Critical Infrastructure (“CI”) is defined as facilities that are necessary for the normal functioning of Hong Kong society covering two categories.

Category 1: Infrastructures for delivering essential services
The infrastructures which, if disrupted, compromised or rendered unavailable for an extended period, will significantly impact the everyday life and functioning of the society. These include infrastructures in the following sectors: (a) Energy; (b) Information Technology; (c) Banking and Financial Services; (d) Land Transport; (e) Air Transport; (f) Maritime; (g) Healthcare Services; and (h) Communications and Broadcasting.

Category 2: Other infrastructures for maintaining important societal and economic activities This includes essential services where their damage, loss of functionality or data leakage may have serious implications on important societal and economic activities in Hong Kong, such as major sports venue, performance spaces and research and development parks.

Who and what will be targeted by the Bill?

The Bill will adopt an “organisation-based” approach and only govern CI Operators (“CIOs”) expressly designated by the new Commissioner’s Office (the “Office”). However, the list of the designated CIOs will not be disclosed under the proposed legislation; rather only the names of the eight essential services sectors will be set out.

Importantly, only the Critical Computer Systems (“CCSs”) of CIOs will be regulated. Other computer systems of CIOs not designated as CCSs will not be regulated.

The CCSs of each CIO will be designated by the Office. CCSs are systems which are necessary for the provision of essential services and those systems which, if interrupted, will seriously impact the normal functioning of the CIs.  Once designated, the statutory obligations will apply to the CCSs regardless of whether they are physically located in Hong Kong or elsewhere.

Key CIOs obligations

Organisational obligations

• To keep the Office updated on the ownership and operatorship of CI; and
• To appoint a dedicated team with professional knowledge to manage cybersecurity.

Preventive obligations

• To inform the Office of any material changes to CCSs;
• To create detailed plans to protect their computer systems and to submit a computer system security management plan to the Office;
• To conduct risk assessment on the computer security system at least once per year and submit a report to the Office;
• To conduct independent computer system security audit at least once every two years and submit a report to the Office; and
• ‘To ensure their CCSs’ compliance in the course of engaging third party service providers.

Incident reporting and response obligations

• To take part in a security drill for computer system organised by the Office at least once every two years;
• To formulate an emergency response plan for responding to computer system security incident which needs to be submitted to the Office within three months of designation; and
• To inform the Office when there are security incidents within a specified time frame (for instance, serious incidents shall be reported within two hours and other security incidents shall be reported within 24 hours).

Investigation powers and non-compliance

The Office is empowered to investigate a security incident for the purposes of assessing its impact, reducing consequential harm and preventing recurrence. In doing so, the powers of the Office include: requesting a CIO to answer questions and submit information and take remedial measures, or in certain cases, it may also enter into the relevant premises for investigation with a court warrant. In addition, the Office may also exercise similar powers for investigating the offences under the proposed legislation, such as requesting for information and entering into premises to take possession of documents pursuant to a court warrant.

Non-compliance will be an offence but the Bill proposes to impose penalties only on the CIOs (i.e. on an organisational level) but not on the heads or staff of the CIOs at the individual level. CIOs’ non-compliance could be met with the handing down of fines, which range from HK$500,000 to HK$5 million. Additional daily fines could be imposed if there is persistent non-compliance.

Key observations

• Upon the passage of the proposed legislation, the Government aims to set up the Office within one year and to bring the legislation into force within six months. By that time, it is expected that the Office will have reviewed the level of readiness of different CIOs and the impact of its services on society.Whilst the Government intends to designate CIOs and CCSs in a progressive and phased manner upon the taking of effect of the proposed legislation, organisations should leverage on existing infosec and cybersecurity framework to prepare for compliance in advance, particularly if they have already been consulted as a potential organisation to be designated as CIO.
• Organisations should note that the requirements of the proposed legislation will apply to all CCSs, regardless of whether they are physically located in Hong Kong or not. In addition, upon request by the Office in the course of investigating an incident or offence, CIOs must submit relevant information available to them, even if such information is located outside Hong Kong.
• While CIOs are expected to only report to the designated industry-specific authorities for the discharge of organisational and preventive obligations, in the event of a computer security incident, CIOs must report to the Office under the proposed requirements. Additionally, it is expected that the Office will investigate and address the incident with the Cyber Security and Technology Crime Bureau of the Hong Kong Police Force and the Hong Kong Computer Emergency Response Team Coordination Centre as necessary.
• Aside from the incident reporting obligations applicable to CIOs under the proposed legislation, the Privacy Commissioner of Personal Data has indicated plans to introduce mandatory breach notification requirements as part of the proposed amendments to the Personal Data (Privacy) Ordinance. A CIO should be aware of its potential mandatory breach notification requirements under both cybersecurity and data protection laws in the future.