The Rise of Cybersecurity Legislation in Hong Kong: An In-Depth Look at the Proposed Framework
Introduction
In recent years, Hong Kong has witnessed a significant surge in cyber-attacks targeting companies across various sectors. In 2023 alone, the Office of the Privacy Commissioner of Hong Kong received over 60 notifications of such attacks, with many more likely going unreported. This alarming trend has catalyzed discussions surrounding the urgent need for comprehensive cybersecurity legislation.
The concept of cybersecurity legislation was first introduced during the Chief Executive’s policy address in October 2022. Since then, the Hong Kong government has actively engaged with stakeholders, conducting over 15 consultation sessions with more than 110 participants, including potential Critical Infrastructure Operators (CIOs). By the end of June 2024, a discussion paper outlining a proposed legislative framework for regulating critical infrastructure and critical computer systems was presented to the Legislative Council Panel on Security. This framework, collaboratively developed by the Security Bureau, the Office of the Government Chief Information Officer, and the Hong Kong Police Force, marks a pivotal step towards establishing cybersecurity obligations for organizations in the region.
As Hong Kong seeks to align itself with global standards, the Proposed Framework emerges amidst a wave of recent cybersecurity developments in neighboring jurisdictions, such as Thailand and Singapore. This article delves into the key elements of the Proposed Framework, its implications for organizations, and the broader context of cybersecurity legislation in Hong Kong.
Key Elements of the Proposed Framework
Scope of Application
The Proposed Framework adopts an organization-focused approach, imposing obligations specifically on Critical Infrastructure Operators (CIOs) concerning Critical Computer Systems (CCS). Notably, any non-CCS owned, controlled, or used by a CIO will not fall under the proposed regulations. The focus is squarely on the computer systems themselves, rather than the information they contain.
CIOs and CCSs must be expressly designated by the Commissioner’s Office, which will not publicly identify individual entities to mitigate the risk of cyberattacks. The initial eight Designated Sectors include:
- Energy
- Information Technology
- Banking and Financial Services
- Land Transport
- Air Transport
- Maritime
- Healthcare Services
- Communications and Broadcasting
The Commissioner will consider the implications of potential disruptions to essential services and the level of dependence on information technology when designating CIOs. Importantly, designated entities will have the right to appeal their designation through a separate appeal board.
Obligations of CIOs
The Proposed Framework outlines three main categories of obligations for CIOs:
- Organizational Obligations:
  - Maintain a registered office in Hong Kong and keep the Commissioner’s Office updated on any changes.
  - Establish a dedicated cybersecurity team, whether in-house or outsourced.
- Preventive Obligations:
  - Regularly update the Commissioner’s Office on material changes to CCSs.
  - Formulate and submit a comprehensive computer system security management plan.
  - Conduct annual risk assessments and independent security audits every two years.
- Incident Reporting and Response Obligations:
  - Participate in security drills organized by the Commissioner’s Office every two years.
  - Submit an emergency response plan and notify the Commissioner’s Office of security incidents within specified time frames (within 2 hours for serious incidents and 24 hours for others).
CIOs are also required to cooperate with the Commissioner’s Office during investigations, providing information even if it is located outside Hong Kong.
Offences and Penalties
The Proposed Framework outlines several offences, including non-compliance with statutory obligations and failure to respond to requests from the Commissioner’s Office. Notably, penalties will apply to organizations rather than individuals, with a maximum fine of HK$5 million (approximately US$640,000) for non-compliance. Daily fines may also be imposed for continued violations.
The Role of the Commissioner’s Office
The Commissioner’s Office will be established under the Security Bureau, tasked with investigating cybersecurity incidents and ensuring compliance with the Proposed Framework. It will have the authority to issue a Code of Practice to guide CIOs and will work alongside sector regulators to monitor compliance.
Comparison with Other Jurisdictions
As Hong Kong moves towards implementing its cybersecurity legislation, organizations may find similarities with compliance obligations in nearby jurisdictions such as Singapore and China. A high-level comparison reveals key features, including security risk assessments, audits, and incident reporting timelines, which may help organizations in Hong Kong establish their compliance mechanisms.
Unresolved Questions
Compliance Timeline
The private designation of CIOs and CCSs by the Commissioner’s Office introduces uncertainty for organizations in the Designated Sectors. The government aims to crystallize the Proposed Framework into a bill by the end of 2024, with the legislation expected to come into force within six months of the Commissioner’s Office being established. This timeline may pose operational challenges, particularly for large organizations that require significant lead time to implement compliance measures.
Scope of “Computer System”
The Proposed Framework currently applies to “computer systems,” raising questions about whether this definition extends beyond CCSs. The delineation between IT and operational technology (OT) systems is particularly complex, especially as the technological landscape evolves and the convergence of IT and OT becomes more pronounced.
Review and Approval Processes
It remains unclear whether the obligation for CIOs to submit emergency response plans will be subject to review and approval by the Commissioner’s Office. This ambiguity could impact compliance costs and timelines for organizations.
Further Observations
Organizations in the Designated Sectors should consider several factors as they prepare for the Proposed Framework:
- The obligation to provide information to the Commissioner’s Office, even if located outside Hong Kong, necessitates careful consideration in agreements with third-party service providers.
- The emphasis on organizational and preventive obligations underscores the importance of robust information security measures within CIOs.
- The short incident reporting timelines may pose challenges for organizations, particularly in establishing awareness of incidents and determining their impact.
Conclusion
As Hong Kong moves towards implementing its cybersecurity legislation, the Proposed Framework represents a significant step in enhancing the region’s cybersecurity posture. The government has indicated a commitment to further consult stakeholders, and organizations in the Designated Sectors should actively participate in this process to voice their concerns and seek clarification on the proposed obligations. The evolving landscape of cybersecurity legislation in Hong Kong will undoubtedly shape the future of organizational compliance and resilience in the face of increasing cyber threats.