Hong Kong Introduces Essential Cybersecurity Legislation for Critical Infrastructure | law.asia

Hong Kong’s Proposed Legislation for Critical Infrastructure Cybersecurity: A Step Towards Enhanced Protection

In an era where cyber threats loom larger than ever, the importance of safeguarding critical infrastructure cannot be overstated. While Hong Kong currently lacks statutory requirements for critical infrastructure cybersecurity, the global landscape is shifting. Countries like mainland China, Australia, the UK, and the EU have enacted legislation to protect their critical infrastructure from cyberattacks, recognizing the severe repercussions such malevolent actions can have. In response to this pressing need, Hong Kong is poised to introduce the Protection of Critical Infrastructure (Computer System) Bill, a significant step towards bolstering its cybersecurity framework.

Regulation Targets

The proposed legislation aims to regulate operators of critical infrastructure essential for the continuous delivery of services across eight key sectors: energy, information technology, banking and financial services, land transport, air transport, maritime, healthcare services, and communications and broadcasting. Additionally, it will encompass entities that maintain vital societal and economic activities, such as major sports venues and research and development parks.

Importantly, the new law will focus exclusively on computer systems integral to the functioning of critical infrastructure, irrespective of their physical location. However, it will not extend to other systems operated by these organizations. Notably, essential services managed by the government—such as water supply and emergency relief—will remain under the existing administrative framework, as the government already has comprehensive internal IT security policies in place.

Administration

To facilitate the implementation of this proposed legislation, a new commissioner’s office will be established under the Security Bureau. The designation of critical infrastructure will hinge on several factors, including the provision of essential services, reliance on information technology, and the potential societal impact in the event of a cyber incident.

The commissioner’s office will designate certain operators as Critical Infrastructure Operators (CIOs). While these operators will predominantly consist of large organizations, the list of designated CIOs will remain confidential to mitigate the risk of cyberattacks targeting these entities.

Designated CIOs will be required to adhere to three categories of obligations:

  1. Organizational Obligations: This includes maintaining a physical address in Hong Kong, reporting changes in ownership or operations, and establishing a computer system security management unit supervised by a dedicated professional.

  2. Preventive Obligations: CIOs must inform the commissioner’s office of significant changes to their critical computer systems, develop and implement a security management plan, conduct annual risk assessments, and ensure compliance from third-party service providers.

  3. Incident Reporting and Response: CIOs will be required to participate in security drills, formulate emergency response plans, and notify the commissioner’s office of serious security incidents within two hours, and other incidents within 24 hours.

Sector Regulators

Certain essential service sectors in Hong Kong are already subject to comprehensive regulation by statutory sector regulators. The proposed legislation will leverage this existing framework, with the Hong Kong Monetary Authority overseeing the banking and financial services sector, and the Communications Authority regulating the communications and broadcasting sector. The commissioner’s office will maintain oversight of all CIOs, coordinating incident responses and investigations to prevent incidents from escalating.

Code of Practice

To ensure compliance and best practices, the commissioner’s office will issue a code of practice. This code will outline requirements for reporting material changes to critical computer systems, conducting independent security audits, performing risk assessments, and adhering to incident response obligations.

Way Forward

The Hong Kong government plans to present the proposed legislation to the Legislative Council by the end of 2024. Following its passage, the commissioner’s office is expected to be established within a year, with the legislation coming into effect six months thereafter.

It is crucial to note that the proposed legislation places the onus of securing critical computer systems solely on the CIOs, without granting the government access to personal data or business information from these systems. As such, organizations that may qualify as CIOs should proactively evaluate and enhance their cybersecurity measures, familiarize themselves with the legal requirements, and allocate budgets for compliance. Collaboration with outsourced contractors will also be essential to meet the forthcoming statutory obligations.

However, a significant challenge lies ahead: the recruitment of competent cybersecurity experts and supervisors. This issue warrants careful consideration from both CIOs and their outsourced contractors, as the demand for skilled professionals in this field continues to grow.

In conclusion, Hong Kong’s proposed legislation for critical infrastructure cybersecurity marks a pivotal moment in the region’s approach to safeguarding essential services from cyber threats. By establishing a regulatory framework and promoting best practices, Hong Kong aims to enhance its resilience against cyberattacks, ensuring the continued delivery of vital services to its citizens.
Rossana Chu is a partner at YYC Legal, specializing in cybersecurity and regulatory compliance.

Contact Information:
YYC Legal
2803 & 2803A, China Resources Building
26 Harbour Road, Wanchai, Hong Kong
Tel: +852 2816 6888
Fax: +852 3797 3835
E-mail: rossana.chu@east-concord.com.hk
Website: www.yyc-ec.com