Types of infrastructure proposed to be covered under the Bill

Two categories of infrastructure as set out below will be covered under the Bill as CI:

1. Infrastructures for delivering essential services in Hong Kong, covering the following eight sectors:

   1. energy;

   2. information technology;

   3. banking and financial services;

   4. land transport;

   5. air transport;

   6. maritime;

   7. healthcare services; and

   8. communications and broadcasting,

where information technology has significant implications on such infrastructure’s operations, and where essential services and important societal and economic activities in Hong Kong could be impacted if there was damage, loss of functionality, or data leakage in such infrastructures.

2. Other infrastructures for maintaining important societal and economic activities (such as major sports and performance venues, research and development parks, etc.), which could seriously impact important societal and economic activities in Hong Kong if there was damage, loss of functionality, or data leakage in such infrastructures, especially if important data is controlled by such infrastructures.

Only CIOs expressly designated by the Commissioner’s Office will be subject to the proposed legislation, however the Bill will only refer to the essential service sectors mentioned above. The list of designated CIOs will not be made public to prevent the CIs from being targets of cyberattacks, but the designation will likely be disclosed only to the organisation. 

The Government is explicitly excluded from the operation of the Bill, and Government departments will continue to be regulated under the existing internal Government information technology security policy and guidelines.

Scope of the Bill and main obligations of CI operators

It is proposed that the Bill will only regulate expressly designated CIOs and their Critical Computer Systems (i.e., computer systems that are relevant to the CI’s provision of essential service or the core functions of computer systems, and those systems which, if interrupted or damaged, will seriously impact the normal functioning of the CIs) (“CCS”). The Commissioner’s Office will consult with CIOs on what systems are essential to their operations and consider if any of their systems should be designated as CCS –  other computer systems of CIOs will not be designated as a CCS and thus are not subject to the Bill. In addition, obligations imposed on CIOs under the Bill will relate only to securing CCS, and will not involve the personal data and business information therein.

To ensure that CIOs will put in place a sound management structure for protecting the security of CCS, implement the necessary measures to prevent cyberattacks on computer systems of the CIs, and promptly respond to and recover 9 the affected systems in the event of computer system security incidents, CIOs will need to fulfil three types of obligations as set out below:

1. Organisational

• maintain an address and office in Hong Kong

• report changes in the ownership and operatorship of critical infrastructure

• set up a computer system security management unit with professional knowledge, (in-house or outsourced), supervised by a dedicated supervisor of the CIO

2. Preventive

• inform the Commissioner’s Office of material changes to their CCS (in relation to its design, configuration, security, operation etc.)

• formulate and implement a computer system security management plan, and submit the same to the Commissioner’s Office

• conduct a computer system security risk assessment at least once every year, and submit a report to the Commissioner’s Office

• conduct an independent computer system security audit at least once every two years, and submit a report to the Commissioner’s Office

• adopt measures to ensure that their third party services providers are in compliance with the relevant statutory obligations

3. Incident Reporting and Response

• participate in a computer system security drill organized by the Commissioner’s Office at least once every two years

• formulate an emergency response plan, and submit a report to the Commissioner’s Office

• notify the Commissioner’s Office of the occurrence of computer system security incidents in respect of CCS, which are activities carried out without lawful authority on or through a computer system that jeopardises or adversely affects its computer system security, within the following time frame:

  • within 2 hours after becoming aware of serious computer system security incidents, i.e., incidents that have or about to have a major impact on the continuity of essential services and normal operating of CIs, or lead to a large-scale leakage of personal information and other data;

  • within 24 hours after becoming aware of other computer system security incidents

Consequences for contravention

Offences under the Bill include CIO’s non-compliance with statutory obligations, Commissioner’s Office’s written directions, statutory power of investigation or requests to provide relevant information.

Organisations will be fined for violations, with maximum fines ranging from HK$500,000 to HK$5 million. However, if the relevant violations involve breach of some existing criminal legislation, such as making false statements, using false instruments or other fraud-related offences, the officers involved may be held personally criminally responsible.

Designated sector-specific authorities

As some of the essential service sectors to be regulated are already comprehensively regulated by statutory sector regulators, it is proposed under the Bill that certain sector regulators as designated authorities to monitor the discharging of organisational and preventive obligations – at this stage:

• the Monetary Authority as the authority responsible for regulating some service providers in the banking and financial services sector; and

• the Communications Authority as the authority responsible for regulating some service providers in the communications and broadcasting sector.

Code of practice and other sector-specific guidelines

The Commissioner’s Office will be empowered under the Bill to issues a code of practice (“CoP”), to set out the proposed standards based on statutory requirements, such as the relevant professional qualifications that an independent computer system security auditor should possess, the scope of the audit, the internationally recognised methodologies and standards that can be referred to, and the details of the report and rectification plan. Designated authorities may also issue relevant guidelines for the institutions they regulate.

Moving forward

• After the discussion of the Bill by the LegCo Panel on Security on 2 July 2024, there was a consultation period which ended on 1 August. The views received will be considered and adopted in the drafting of the Bill, which is currently underway. The Government’s plan is to introduce the Bill into the LegCo for consideration by the end of 2024, and that is when we expect to have visibility of the actual text of the Bill.

• Upon the passage of the proposed legislation, the Government aims to set up the Commissioner’s Office within one year, after which to bring the proposed legislation into force within half a year’s time. By that time, the Commissioner’s Office will review the situations of operators in different CI sectors, including their level of readiness and the impact of its services on society, etc., to designate CIOs and CCSs in a progressive and phased manner.

Key takeaways

• Organisations which have been consulted on the Bill as potential CIOs are likely to fall within scope, and they should revisit their existing information / cyber security program to ensure that they are aligned with existing international and industry best practices. Such preparation in advance may prove invaluable in achieving compliance with the proposed legislative requirements under the Bill.

• It is worth noting the extra-territorial elements under the Bill. Requirements of the proposed legislation will apply to all CCSs, regardless of whether they are physically located in Hong Kong or not; furthermore, CIOs must submit relevant information upon request by the Commissioner’s Office in the course of investigation, even if such information is located outside Hong Kong.

• The following is worth highlighting in the event of a computer system security incident:

  • While there are currently no mandatory breach notification requirements in Hong Kong, in the near future CIOs may have to observe such requirements under both cybersecurity and data protection regimes. The Bill introduces mandatory notification requirements for computer system security incidents; likewise, the Privacy Commissioner of Personal Data is working with the Government to comprehensively review the Personal Data (Privacy) Ordinance (“PDPO”) PDPO, and introduce a mandatory data breach notification mechanism as part of the proposed amendments.

  • For CIOs regulated by designated authorities, when reporting an incident to the designated authorities, they must also report to the Commissioner’s Office, which will address the incident together with the Cyber Security and Technology Crime Bureau of the Hong Kong Police Force and provide assistance after the incident.

  • The Commissioner’s Office is proposed to be given broad powers to investigate and respond to security incidents. In addition to powers to request for information and documents, the Commissioner’s Office can apply for a magistrate’s warrant to enter premises to check systems and take possession of documents, direct any person in control of the CCS to take remedial actions or assist in the investigation, or even connect equipment to or install program in the CCS. While there are concerns raised by stakeholders in the technology industry that the latter power constituted an unprecedented level of direct intervention, the Government has responded by clarifying that it would only seek a court warrant to connect to computer systems or install programs if CIOs were unwilling or unable to respond to cyber incidents.

Authored by Tommy Liu and Kenneth Cheung.