The New Cybersecurity Dawn – Hong Kong readies for new critical infrastructure legislation

Introduction

The highly anticipated Protection of Critical Infrastructures (Computer Systems) Bill (Bill) has finally been gazetted. The publication of the Bill is the culmination of a series of public consultations earlier this year. The Bill provides much needed clarity and certainty as to how critical infrastructures and computer systems in Hong Kong will be regulated. Following our previous insight, Are you ready for Hong Kong’s Cybersecurity law?, this update focuses on the key aspects of the Bill and offers a high-level comparison of the Bill with the current cybersecurity regulatory landscape in Mainland China.

Timeline

(Timeline graphic not reproduced in this text version.)

Which entities are caught?

Critical Infrastructure (CI)

  • Essential infrastructure in a specified sector in Hong Kong (telecoms and broadcasting, energy, IT, banking and financial services, air, land and maritime transport, healthcare services) or
  • Infrastructure which, if compromised, will substantially affect critical societal or economic activities in Hong Kong.

Critical Computer Systems (CCS)

Computer systems (whether or not under the control of the operator) that are accessible in or from Hong Kong, are essential to the core function of a CI operated by a CIO, and are designated as such by the Commissioner.

This means only those systems expressly designated by the Commissioner of Critical Infrastructure (Computer-system Security) will be regulated by the Bill.

Critical Infrastructure Operators (CIO)

Designated operators which operate a Specified CI.

The Bill introduces the concept of specified critical infrastructure (Specified CI) which was not previously covered in the public consultation. Put simply:

A CI is a Specified CI if:

  1. it is prescribed as a Specified CI by the designated authority for its specified sector; or
  2. it is otherwise determined to be a Specified CI by the Commissioner in accordance with the Bill.

Importantly, this means the Commissioner has the discretion to designate any other infrastructure outside of the specified sectors currently prescribed under the Bill as a critical infrastructure, as long as the Commissioner is satisfied that its compromise may substantially affect critical societal or economic activities in Hong Kong.

Comparison between the Hong Kong and PRC positions

Notably, the Bill draws reference from the relevant cybersecurity and critical infrastructure legislation in other jurisdictions. We set out below a high-level comparison of the fundamental aspects of the Bill and of the Mainland China regime (the Cybersecurity Law (2016) and the Regulation for Safe Protection of Critical Information Infrastructure (2021), together the “PRC position”), covering definitions, scope of application, obligations and penalties for non-compliance.

The comparison below is set out aspect by aspect, giving the Hong Kong position under the Bill, the PRC position, and our remarks for each.

Definition of CI

Hong Kong:
  • Essential infrastructure in a specified sector in Hong Kong (telecoms and broadcasting, energy, IT, banking and financial services, air, land and maritime transport, healthcare services); or
  • Infrastructure which, if compromised, will substantially affect critical societal or economic activities in Hong Kong.

PRC:
  • Key network facilities and information systems in important industries (e.g. public telecoms, energy, transport) which, if compromised, will seriously endanger national security, the economy, people’s livelihood or public welfare.

Remarks:
Key similarities: Both definitions are very similar in scope, stressing specific sectors as well as the negative impact if such CI is compromised (e.g. damage, loss of functionality or data leakage).

Subject of regulation

Hong Kong: CI, CIO and CCS

PRC: CI and CIO

Remarks:
Key similarity: Both laws place primary obligations on CIOs.
Notable differences: The PRC position has no separate category for CCS and makes no express reference to systems accessible in or from the jurisdiction.

Responsible Regulatory Authorities

Hong Kong:
Key authority: Commissioner of Critical Infrastructure (Computer-system Security) (Commissioner).
Other currently designated authorities are the HKMA (Hong Kong Monetary Authority) and the CA (Communications Authority).
While the primary power to designate CIOs and CCS rests with the Commissioner, the designated authorities will be involved in monitoring the discharge of organisational and preventive obligations (see Categories 1 and 2 below).

PRC:
Key authority: Cyberspace Administration of China (CAC).
Other authorities include public security departments and the relevant departments of each important industry.

Remarks:
Key similarity: Both laws establish a regulatory mechanism whereby a central key regulator is supported by other regulatory bodies.
Comment: In line with the majority of respondents’ views, the HKMA and CA are designated to regulate CIOs for Category 1 and 2 obligations in their respective sectors, given their familiarity with those sectors and their capabilities. The Commissioner will regulate all sectors for Category 3 obligations.

Organisational Obligations (Category 1 Obligations)

Hong Kong:
  • Maintain an office in Hong Kong
  • Notify operator changes
  • Maintain a computer-system security management unit (including an employee with “adequate knowledge”)

PRC:
  • Notify the operator’s merger, demerger or dissolution
  • Maintain independent and specialised security management institutions and designate responsible persons

Remarks:
Key similarities: Both laws require the establishment of dedicated internal units and personnel to oversee network security, as well as notification of certain types of operator changes.

Preventive Obligations (Category 2 Obligations)

Hong Kong (in relation to computer systems):
  • Notify material changes
  • Implement a security management plan
  • Conduct security risk assessments at least once a year (including vulnerability assessment and penetration testing)
  • Conduct security audits at least once every 2 years

PRC:
  • Notify material changes
  • Formulate internal security management systems
  • Conduct cybersecurity detection and risk assessment at least once a year

Remarks:
Key similarities: Both laws require internal cybersecurity plans or policies to be in place, and periodic cybersecurity protective practices (the results of which must be submitted to the regulators).
Notable difference: In contrast to the Bill, the PRC position does not specifically prescribe an audit requirement.

Incident Reporting and Response Obligations (Category 3 Obligations)

Hong Kong:
  • Take part in security drills
  • Submit and implement an emergency response plan
  • Notify security incidents as soon as possible:
    • within 12 hours (from awareness) if a core function is or is likely to be disrupted;
    • within 48 hours (from awareness) in any other case.

PRC:
  • Carry out drills periodically
  • Formulate emergency response plans for cybersecurity incidents
  • Promptly report network security incidents or major threats

Remarks:
Key similarities: Both laws contain similar incident reporting and response obligations.
Notable difference: The Bill is more prescriptive as to the timing of incident reporting.
Comment: To strike a balance between regulatory aims and respondents’ concerns, the Bill relaxes the timing for reporting serious incidents (from 2 hours to 12 hours) and other incidents (from 24 hours to 48 hours).

Penalties for Non-Compliance

Hong Kong (in general):
  • Category 1*: HKD 300K – 500K
  • Category 2: HKD 300K – 500K
  • Category 3: HKD 3 M – 5 M
*Failure to notify operator changes is subject to HKD 3 M – 5 M.

PRC:
Depending on the offence in question, the penalties typically range between RMB 100,000 – 1,000,000.

Remarks:
Comment: The maximum fines set out in the Bill largely align with the initial proposal by the Government in July 2024, despite respondents’ concerns that the fines are excessive.


What should I do in practice?

If you are a CIO or operate a CI

According to the consultation report published by the Government, CIOs and CCSs are expected to be designated in a progressive and phased manner. As an action point, an organisation’s existing information security and cybersecurity framework would serve as a good starting point for ensuring compliance with the three categories of obligations, by consolidating and configuring existing operating and response procedures.

It should be noted that while the primary responsibility under the Bill is placed on CIOs to comply with the various obligations, CIOs must also ensure that their computer systems that are accessible in or from Hong Kong (whether or not under the control of the operator) comply with the requirements under the Bill. In practice, CIO and CI customers will be expected to review existing supplier contractual relationships in light of the Bill to ensure that sufficient and robust contractual rights are provided, such as compensation, audit and termination rights and service level assurances. This is similar to the relationship between data users and data processors under the Hong Kong Personal Data (Privacy) Ordinance (Cap. 486) (e.g. how data users are responsible for the acts and omissions of data processors).

If you provide computer system services to CIO or CI

On the other hand, third party service providers (e.g. IT, cloud or outsourcing service providers) should expect a degree of ‘indirect regulation’ when CIO or CI customers seek to ‘flow down’ their statutory obligations under the Bill. Several respondents expressed concerns in the public consultation over CIOs’ liability for third party service providers (particularly foreign service providers), but the position has been retained in the Bill, with further provisions and guidelines on “due diligence” and “reasonable endeavor” to be included in subsequent Codes of Practice. In this light, and given the similarities between the Bill and the PRC position, it remains to be seen whether a market practice will emerge to harmonise suppliers’ critical infrastructure obligations across the two jurisdictions for suppliers providing cross-jurisdictional service arrangements to CIO or CI customers.

CONCLUSION

In conclusion, the Bill marks a significant step forward in enhancing Hong Kong’s cybersecurity framework by clearly defining CI and CCS and outlining the responsibilities of CIOs. The Bill also aligns Hong Kong with global cybersecurity trends and reinforces Hong Kong’s commitment to protecting its critical infrastructures in an increasingly interconnected world. From a compliance perspective, the similarities between the Hong Kong and PRC positions could make a useful case for a harmonised approach, but in any event operators and service providers alike should keep an eye out for the further guidelines and codes of practice that will follow in the near future.
