Gabriela Kennedy, Partner, Mayer Brown Hong Kong LLP, and Pokit Lok, Principal of Risk Advisory Services, BDO Hong Kong, shared their thoughts with CGj on how Hong Kong’s upcoming critical infrastructure legislation is challenging governance professionals to strengthen oversight, crisis planning and organisational resilience.

Highlights

  • the Ordinance will transform cybersecurity oversight from a discretionary practice into a statutory obligation for designated critical infrastructure operators
  • boards must move beyond treating cybersecurity purely as a technical issue, to actively embedding it in governance structures, risk management frameworks and corporate culture
  • governance professionals play a pivotal role in translating complex statutory requirements into actionable policies, bridging the gap between regulators, management and boards

Hong Kong’s Protection of Critical Infrastructures (Computer Systems) Ordinance (2025) marks a turning point in the city’s approach to cybersecurity. Long treated as a matter of internal IT policy or voluntary compliance, cybersecurity will, for the first time, be subject to binding statutory obligations for organisations designated as critical infrastructure operators (CIOs).

The Ordinance, which was gazetted on 28 March 2025 and which will come into effect on 1 January 2026, responds to rising global concerns about cyberattacks targeting energy grids, transportation networks, telecommunications and other essential services. Through certain regulating authorities, the government is also expected to issue detailed codes of practice and guidelines in due course to assist CIOs with compliance.

The Ordinance defines two categories of critical infrastructure. The first covers infrastructures essential to the continuous provision of services in eight designated sectors – energy, IT, banking and financial services, air transport, land transport, maritime transport, healthcare services, and telecommunications and broadcasting. The second category, to be designated later by the government, includes other infrastructures whose damage, loss of functionality or data leakage could substantially disrupt Hong Kong’s societal or economic activities.

From best practice to legal duty

For boards and governance professionals, the law signals a new era. Until now, many Hong Kong companies treated cybersecurity through voluntary frameworks or as part of enterprise risk management. Directors would receive periodic reports from IT teams, commission an audit after a breach and rely heavily on technical staff to assure resilience.

The Ordinance changes the dynamic, explained Gabriela Kennedy, Partner, Mayer Brown Hong Kong LLP. Once a company is designated as a CIO, it is required to maintain an office in Hong Kong, establish and maintain a dedicated computer-system security management unit, and appoint a qualified individual to oversee it. A CIO must also ensure the timely preparation and submission of a comprehensive computer-system security management plan, conduct annual cybersecurity risk assessments, arrange for computer-system security audits every two years, and/or as requested by the regulator, and develop and file detailed emergency response plans. In addition, the Ordinance imposes strict incident notification requirements, mandating that computer-system security incidents be reported to the Commissioner of Critical Infrastructure (Computer-system Security) within the prescribed period. Failure to comply exposes organisations to fines of up to HK$5 million and potential criminal liability for the entity.

‘The Ordinance essentially elevates many cybersecurity measures that were previously regarded as best practice to mandatory obligations for designated CIOs,’ said Ms Kennedy.

For boards, this means a fundamental shift in oversight responsibilities. ‘While the Ordinance does not impose direct personal liability on directors or officers, the scale of potential penalties, the risk of operational disruption and the reputational consequences of enforcement actions significantly increase the board’s obligations in relation to cybersecurity oversight,’ Ms Kennedy warned.

Rethinking the board’s role

Under the new Ordinance, boards can no longer treat cybersecurity purely as a technical matter. Cybersecurity must now be woven into governance structures, strategy and fiduciary duties.

Pokit Lok, Principal of Risk Advisory Services, BDO Hong Kong, recommends structural reforms at the board level. ‘Boards should embed cybersecurity oversight in governance by establishing explicit accountability mechanisms, such as by forming a cybersecurity committee or appointing a chief information security officer with direct reporting lines. This aligns with the Ordinance’s requirement for CIOs to designate responsible personnel and maintain robust cybersecurity governance.’

Mr Lok also emphasised the need for continuous monitoring of cyberthreats and integration of cybersecurity metrics into enterprise risk management. ‘Boards should oversee the development of dashboards that track threat levels, response times and system vulnerabilities,’ he suggested.

Ms Kennedy added that cyber risks should sit alongside other principal risks in board reporting. ‘Boards should require management to regularly assess, monitor and report on cyber risks alongside other principal risks, and should also understand the company’s most critical assets, the potential business impact of cyber incidents, and the effectiveness of controls in place,’ she said.

For boards lacking technical expertise, Ms Kennedy stressed the importance of capacity building. ‘Given the complexity and evolving nature of cyberthreats, boards should assess whether they possess sufficient collective knowledge to provide effective oversight. This may involve recruiting independent non-executive directors with direct experience in cybersecurity, information technology or risk management,’ she said.

The Ordinance also introduces mandatory security drills, but both Ms Kennedy and Mr Lok believe boards should go further. ‘Boards should require management to conduct periodic drills or tabletop exercises to test readiness, as well as to clarify roles and responsibilities in the event of a cyber incident. CIOs are required to submit and implement an emergency response plan and report a computer-system security incident to the Commissioner as soon as practicable – and in any event within the specified timeframe,’ said Ms Kennedy.

Technical compliance, however, is only part of the puzzle. Ms Kennedy and Mr Lok agreed on the essential need for cultural change. ‘Boards play a critical role in setting the tone from the top and fostering a culture of cybersecurity readiness throughout the company. This involves supporting ongoing employee training and awareness programmes, and ensuring that cybersecurity considerations are embedded in business decision-making at all levels,’ Ms Kennedy explained.

Mr Lok echoed this view, citing the emphasis placed on computer-system security training programmes for all relevant personnel in the proposed outline for a code of practice included in the Legislative Council brief on the Ordinance. ‘Boards play a key role in fostering a cybersecurity-aware culture. This includes supporting training programmes and awareness initiatives to ensure staff understand their responsibilities in protecting critical computer systems,’ he said. ‘By embedding cybersecurity in governance structures, boards not only meet legal obligations but also strengthen resilience, stakeholder trust and long-term value protection.’

‘In short, the Ordinance raises the bar for board accountability in cybersecurity, making it a core governance responsibility with legal and reputational consequences,’ Mr Lok said.

The role of governance professionals

Ultimately, directors cannot manage cybersecurity alone. Governance professionals will play a critical role in translating regulatory obligations into actionable practices. ‘Governance professionals are responsible for developing, reviewing and updating cybersecurity policies and procedures, ensuring these are coherently communicated and consistently understood throughout the organisation,’ Ms Kennedy stated. ‘They also foster a culture of cyber awareness and accountability by supporting staff training, encouraging prompt incident reporting, and embedding cybersecurity considerations into daily business operations and decision-making.’

Mr Lok elaborated on this theme, pointing out that governance professionals translate complex statutory obligations into clear internal policies, track compliance timelines and maintain audit trails, advise directors on emerging risks and oversee third-party providers to ensure adherence to security standards. In the event of an incident, they coordinate reporting and liaise with both the company’s computer-system security management unit and the relevant authorities. This multifaceted role is essential to ensuring that boards are able to discharge their statutory duties while maintaining operational resilience.

Governance blind spots

Despite the Ordinance’s detailed requirements, both Ms Kennedy and Mr Lok warned that boards could still overlook critical vulnerabilities. Ms Kennedy flagged up overreliance on technical controls. ‘A common blind spot is the board’s tendency to assume that implementing technical controls alone equates with genuine resilience, while overlooking the importance of governance processes that transform these controls into ongoing and sustainable organisational practice,’ she said.

Ms Kennedy also strongly advised against ignoring third-party risks. ‘Organisations should proactively manage vendors’ risks by conducting regular assessments of vendor security practices, establishing specific incident reporting protocols, setting expectations through robust contracts and integrating third-party risks into the organisation’s overall risk management framework. Tabletop exercises that involve third-party suppliers can be a good way to test responses in the event of a third-party breach,’ she said.

Mr Lok identified additional operational blind spots, particularly in the area of operational technology. ‘Boards often prioritise IT systems over operational technology, neglecting vulnerabilities in legacy industrial control systems such as programmable logic controllers. These systems, common in the energy, transport and utilities sectors, are often not designed with modern cybersecurity in mind, yet are integral to critical infrastructure operations,’ he explained.

Mr Lok also called attention to the dangers inherent in any failure to appropriately escalate issues, cautioning that boards may lack predefined escalation criteria to distinguish between routine issues and reportable breaches, risking delayed reporting and non-compliance.

Strengthening crisis preparedness and backup resilience

Both Mr Lok and Ms Kennedy agreed that boards must approach crisis planning and backup services as a core governance responsibility. Mr Lok emphasised that this responsibility now has a dual dimension. ‘Boards must ensure crisis planning and backup services align with both legal obligations under the Ordinance and their fiduciary duties to safeguard operational resilience and stakeholder interests,’ he said. He highlighted the Ordinance’s requirement for emergency response plans under Section 27 and stressed that these should be ‘regularly reviewed and tested through drills and simulations’. Mr Lok also pointed out that backup systems and data recovery protocols should be secure, geographically diversified, and aligned with risk assessments and recovery objectives, with compliance closely monitored against the forthcoming codes of practice.

Ms Kennedy similarly affirmed the importance of going beyond paper compliance. ‘Boards should require that crisis response and backup systems are properly documented and independently tested on a regular basis. This means going beyond internal reviews or checklists to include security audits and realistic simulations such as tabletop exercises and live security drills,’ she said. Ms Kennedy explained that the results of such exercises should be reported directly to the board, with clear recommendations and action plans for addressing any identified weaknesses or gaps. She further urged boards to regularly review the adequacy of cyber insurance coverage to confirm it aligns with the organisation’s risk profile and to ensure robust contractual terms with third-party providers, together with comprehensive communication protocols for transparent engagement during a crisis.