Authors from Herbert Smith Freehills examine Hong Kong’s proposed new cybersecurity legislation, formulated to enhance the protection of critical infrastructure computer systems, and provide a practical synopsis of the main points and obligations under this law.

On 25 June 2024, a new cybersecurity law was proposed to enhance the protection of computer systems of critical infrastructures (CIs) in Hong Kong. The proposed new law is tentatively entitled the Protection of Critical Infrastructure (Computer System) Bill (Proposed Legislation) and the proposed legislative framework was set out in a paper (Paper) submitted by the Hong Kong Government to the Legislative Council (LegCo) for its discussion on 2 July 2024. The government plans to introduce the proposed Bill into LegCo by the end of 2024. The Proposed Legislation, once enacted, would likely be implemented in a staged approach, with full implementation by 2026.

The objectives of the Proposed Legislation are to strengthen the security of the computer systems of CIs, and to minimise the chance of essential services being disrupted or compromised due to cyberattacks.

These developments are part of a global trend for increased cybersecurity legislation, bringing Hong Kong into line with other key jurisdictions with similar cybersecurity laws regulating operators of CIs, including the Chinese mainland, Macau, Australia, Singapore, Malaysia and Thailand in the Asia Pacific region, and globally in the UK, the EU, the US and Canada.

The Proposed Legislation marks a significant step towards aligning Hong Kong with other jurisdictions to enhance the protection of both CIs and the overall computer system security in Hong Kong. Businesses should closely monitor the developments relating to the Proposed Legislation and review their existing cybersecurity measures (see ‘Key takeaways’).

Scope of the Proposed Legislation

Only expressly designated CIOs and CCSs will be regulated under the proposed framework.

CIOs and CCSs will be designated by a new Commissioner’s Office and the list of CIOs will not be publicly available. This is consistent with the approach adopted in other jurisdictions, such as the Chinese mainland and Singapore.

• CIOs: an organisation will be designated as a CIO if it operates an infrastructure deemed by the Commissioner’s Office to be a CI, taking into account the organisation’s level of control over the infrastructure.

1. It has been proposed that large organisations, rather than small and medium-sized enterprises, will be targeted by the Proposed Legislation.
2. The Proposed Legislation will only require CIOs to bear the responsibility for securing their CCSs, and it will not involve the personal data and business information contained in those systems.

• CIs: the government has proposed two major categories:

1. infrastructures for delivering essential services in Hong Kong in eight selected sectors, namely: (i) energy, (ii) information technology, (iii) banking and financial services, (iv) land transport, (v) air transport, (vi) maritime, (vii) healthcare services and (viii) communications and broadcasting, and
2. other infrastructures for maintaining important societal and economic activities including, amongst other things: (i) major sports and performance venues and (ii) research and development parks.

• CCSs: computer systems will be designated as CCSs if they are ‘relevant to the provision of essential services or the core functions of computer systems, and those systems which, if interrupted or damaged, will seriously impact the normal functioning of the CIs’. This means that other computer systems that are not designated as CCSs will not be subject to the Proposed Legislation.

Similar to the scope of cybersecurity laws in Singapore, CCSs physically located outside Hong Kong may also be regulated by the Proposed Legislation.

The Commissioner’s Office will engage in discussion with the organisation to be designated as a CIO, and any designated CIO will have an opportunity to object to such designation and appeal to an independent board.

Obligations of critical infrastructure operators

An organisation-based approach will be adopted, which means the organisation responsible for operating a CI would be required to fulfil its obligation to safeguard the security of its computer systems. An organisation that has been designated as a CIO will need to fulfil three types of obligation.

1. Organisational obligations

• maintain an address and an office in Hong Kong (and keep the Commissioner’s Office updated on any subsequent changes)
• report changes in the ownership and operatorship of CIs (however, the government has recently indicated that it will seriously consider removing the requirement to report changes in ownership, given the practical difficulties raised by the stakeholders), and
• set up a computer system security management unit with professional knowledge (may be outsourced), supervised by a dedicated supervisor of the CIO.

2. Preventive obligations

• inform the Commissioner’s Office of material changes to their CCSs (for example, design, configuration, security and operation)
• formulate and implement a computer system security management plan and submit the plan to the Commissioner’s Office
• conduct a computer system security risk assessment (at least once every year) and submit the assessment report to the Commissioner’s Office
• conduct an independent computer system security audit (at least once every two years) and submit the audit report to the Commissioner’s Office, and
• adopt measures to ensure their CCSs’ compliance with the relevant statutory obligations, even when third-party service providers are employed.

3. Incident reporting and response obligations

• participate in a computer system security drill organised by the Commissioner’s Office (at least once every two years)
• formulate an emergency response plan and submit it to the Commissioner’s Office, and
• notify the Commissioner’s Office of the occurrence of any computer system security incident in respect of CCSs (Mandatory Incident Notification).

The Mandatory Incident Notification obligation means that CIOs will need to report any computer system security incident to the Commissioner’s Office, so that the Commissioner may instruct timely response as needed. Computer system security incidents refer to activities carried out without lawful authority on or through a computer system that jeopardises or adversely affects its computer system security.

The time frame for the Mandatory Incident Notification depends on the seriousness of the incident.

• Within two hours after becoming aware of the incident: report serious computer system security incidents, which refers to incidents that have or are about to have a major impact on the continuity of essential services and normal operating of CIs, or lead to a large-scale leakage of personal information and other data.
• Within 24 hours after becoming aware of the incident: report other computer system security incidents.

However, the government has recently indicated that it will seriously consider relaxing the above time frames to 12 hours and 48 hours, respectively, in light of feedback from stakeholders.

If the initial report is made by telephone or text message, the CIO will need to submit a written record within 48 hours after the initial report has been made. The Proposed Legislation also contemplates the submission of a subsequent written report within 14 days after becoming aware of an incident, providing further details of the incident (including the cause(s), impact and remedial measures).

Further detail on the proposed requirements is set out in Annex I of the Paper.

Commissioner’s Office and powers

A Commissioner’s Office will be established within the Security Bureau to enforce the Proposed Legislation. The Office will:

• designate CIOs and CCSs
• establish a Code of Practice
• monitor security threats
• assist CIOs in incident response
• investigate non-compliance of CIOs
• coordinate with other government departments in formulating policies and handling incidents, and
• issue written instructions to CIOs to plug potential security loopholes.

The Commissioner’s Office will have extensive powers to investigate (i) computer system security incidents and (ii) offences under the Proposed Legislation. This is consistent with cybersecurity laws elsewhere, for example in Singapore and Malaysia. Specifically, the Commissioner’s Office will have the power to request the CIOs to provide information (even if such information is located outside Hong Kong) and take remedial measures, and enter relevant premises for investigation with a magistrate’s warrant. In more serious cases (that is, where a CIO is unwilling or unable to respond to a cyber incident), the Commissioner’s Office can connect equipment to or install a program in the CCS with a magistrate’s warrant. Further detail is set out in Annex II of the Paper, while the extent of the Commissioner Office’s powers will become clearer once the Bill is published.

Sector regulators

Given that some of the CIs are already comprehensively overseen by statutory sector regulators, certain sector regulators will be designated as authorities to monitor the fulfilment of the organisational and preventive obligations by the relevant sectors. The Commissioner’s Office will monitor the compliance of the incident reporting and response obligations. This approach allows the designated authorities to establish standards and requirements under their existing regulatory regimes that best suit the sectors’ needs. CIOs in these sectors will not be subject to double regulation – they will not need to fulfil additional requirements of the Commissioner’s Office in relation to the organisational and preventive obligations.

Two sector regulators have been proposed at this stage, namely (i) the HKMA for the banking and financial services sector and (ii) the Communications Authority for the communications and broadcasting sector. Designated authorities may issue relevant guidelines for the institutions regulated.

It remains unclear if all financial institutions in Hong Kong will be covered. However, it has been proposed that the HKMA will be responsible for regulating ‘some’ service providers in the banking and financial services sector. We also note that the CIOs to be regulated will mostly be large organisations.

Legal consequences and penalties

The proposed offences under the Proposed Legislation include:

• CIOs’ non-compliance with statutory obligations
• CIOs’ non-compliance with written directions issued by the Commissioner’s Office
• non-compliance with requests of the Commissioner’s Office under the statutory power of investigation, and
• non-compliance with requests of the Commissioner’s Office to provide relevant information relating to a CI.

The Proposed Legislation only stipulates fines, as determined by the courts, as potential penalties. Offences and penalties will only be applicable to organisations – their individual officers or staff members will not be penalised at the individual level.

It is proposed that failure by the CIOs to comply with any of the above obligations will be publishable by fines ranging from HK$500,000 to HK$5 million. Additional daily fines could be imposed if there is persistent non-compliance.

If a CIO’s non-compliance with the statutory obligations results from a third-party service provider’s inadequate action, the CIO would still be held responsible for the non-compliance.

However, if non-compliance involves existing criminal legislation, such as making false statements or fraud-related crimes, the personnel involved may be held personally criminally liable.

By comparison, non-compliance can lead to criminal penalties including imprisonment in Singapore and Malaysia.

Next steps

The government plans to introduce the Proposed Legislation into LegCo by the end of 2024 and aims to set up the Commissioner’s Office within one year following the passage of the proposed Bill, after which the proposed Bill would come into force within six months.

It is proposed that the Secretary for Security will have the authority to specify or amend certain details through subsidiary legislation, including the type of essential services sectors that may be designated as a CI and the scope of security management plans and security audits.

Cameron Whittfield, Partner, Melbourne, Australia; Hannah Cassidy, Partner, Head of Financial Services Regulatory, Asia, Hong Kong; and Peggy Chow, Of Counsel, Singapore

Herbert Smith Freehills

©Copyright September 2024 Herbert Smith Freehills