EXPLAINER: Will a New Cybersecurity Law Enhance Safety in Hong Kong?

Strengthening Cybersecurity in Hong Kong: A Legislative Response to Growing Threats

In recent years, the world has witnessed a surge in cyberattacks targeting critical infrastructure, prompting governments to take decisive action to bolster their cybersecurity frameworks. Hong Kong is no exception. In response to the increasing frequency and severity of these threats, the Hong Kong government has embarked on a mission to enhance its cybersecurity measures, aiming to safeguard the city’s vital cyber capabilities and fortify its resilience against potential breaches.

Legislative Framework Proposal

In June, the Hong Kong government proposed a new legislative framework designed to enhance the protection of computer systems that underpin critical infrastructure. This initiative has been subject to industry consultation, which ran until August, allowing stakeholders to voice their opinions and concerns regarding the proposed changes. Legal experts, including lawyers from Bird & Bird, have expressed optimism about the potential impact of this legislation, although the actual implementation of feedback from consultations remains to be seen.

The government plans to establish a Commissioner’s Office under the Security Bureau within one year of the proposed bill’s approval. This office will be tasked with investigating and enforcing compliance with the new obligations outlined in the bill, which is expected to take effect six months after its approval.

Key Provisions and Scope of the Bill

The proposed Protection of Critical Infrastructure (Computer System) Bill focuses on operators of critical infrastructure (CIOs) essential for the uninterrupted provision of vital services in Hong Kong. According to Wilfred Ng and Danny Leung, partners at Bird & Bird, the bill adopts an “organisation-oriented” approach, clearly defining its scope. Only the critical computer systems (CCSs) of CIOs will be regulated under this legislation.

CCSs are defined as systems necessary for delivering essential services, and any interruption to these systems could severely impact the normal functioning of the CIOs. Importantly, the statutory obligations will apply to these systems regardless of their physical location, meaning that even CCSs situated outside Hong Kong will fall under the bill’s jurisdiction.

The bill places accountability on organizations rather than individuals, urging businesses to closely monitor the legislative progress and evaluate their current cybersecurity measures. Key obligations outlined in the bill include:

  • Organizational Obligations: CIOs must keep the Commissioner’s Office informed about ownership and operational changes related to their infrastructure.
  • Preventive Obligations: CIOs are required to submit a security management plan and the results of regular independent audits.
  • Incident Reporting and Response Obligations: CIOs must report incidents and respond to inquiries from the Commissioner’s Office, even if the relevant information is located outside Hong Kong.

Challenges Ahead

While the proposed bill aims to establish a robust cybersecurity framework, several challenges remain. Designated industry-specific regulators, such as the Hong Kong Monetary Authority and the Communications Authority, will be responsible for setting industry standards and requirements. This is crucial for ensuring compliance with the organizational and preventive obligations outlined in the bill.

However, Ng and Leung caution that the Commissioner’s Office may need to collaborate with the Cyber Security and Technology Crime Bureau and the Hong Kong Computer Emergency Response Team Coordination Centre to address incidents effectively. This necessitates clear regulatory guidance to help organizations navigate their response mechanisms to cybersecurity incidents.

Moreover, underlying risks and vulnerabilities persist, particularly concerning ransomware attacks targeting IT and cloud service providers. The risks are heightened for enterprise customers bound by industry-specific obligations, such as those in the financial services sector. The increasing use of AI-assisted technologies in processing sensitive data further complicates the cybersecurity landscape, making it imperative for organizations to remain vigilant.

Future Directions for Regulators

Once the bill is enacted, it is anticipated that organizations designated as CIOs will leverage existing compliance frameworks to meet the new cybersecurity obligations. Ng and Leung suggest that CIOs should integrate the organizational and preventive obligations stipulated in the bill into their current information security and cybersecurity compliance programs. This includes adhering to incident reporting deadlines and considering how statutory obligations may affect vendor agreements with third-party service providers.

Interestingly, the bill’s implications extend beyond CIOs. Other non-CIO organizations may also be encouraged to reassess and enhance their cybersecurity compliance frameworks. Additionally, the Privacy Commissioner of Personal Data has indicated plans to introduce mandatory breach notification requirements as part of proposed amendments to the Personal Data (Privacy) Ordinance. This means that both CIOs and other organizations must prepare for potential mandatory breach notification requirements under both cybersecurity and data protection laws in the future.

Conclusion

As Hong Kong moves forward with its proposed cybersecurity legislation, the city is taking significant steps to protect its critical infrastructure from the ever-evolving landscape of cyber threats. While challenges remain, the establishment of a dedicated Commissioner’s Office and the introduction of clear obligations for CIOs signal a proactive approach to enhancing cybersecurity resilience. Organizations across the board must remain vigilant, adapting to new regulations and evolving threats to ensure the safety and security of their operations in an increasingly digital world.