11 Key Things about the Proposed Legislative Framework to Enhance Protection of the Computer Systems of Critical Infrastructure
-
Market Insight, 22 November 2024
-
Asia Pacific
-
Technology risk
In view of the increasingly common and sophisticated cybersecurity threats of recent years, the Security Bureau released the Proposed Legislative Framework to Enhance Protection of the Computer Systems of Critical Infrastructure (the “Proposed Legislation”) in July 2024.[1] The aim of the Proposed Legislation is to protect the secure and smooth operation of critical infrastructures (“CIs”) in the Hong Kong Special Administrative Region, People’s Republic of China (“Hong Kong”) and thereby ensure the normal functioning of society.
After a one-month consultation, the Security Bureau published a consultation report (the “Consultation Report”) in early October responding to stakeholders’ concerns and enquiries.[2] We set out below 11 key things organisations should know about the Proposed Legislation.
-
Why is the Government introducing the Proposed Legislation?
Legislating to enhance the cybersecurity of CIs is not a new idea. Various jurisdictions have already enacted cybersecurity laws to protect CIs, for example the Regulation for Safe Protection of Critical Information Infrastructure in Mainland China, the Security of Critical Infrastructure Act in Australia, the Network and Information Systems Regulations 2018 in the UK and the Cybersecurity Act 2018 in Singapore.
Introducing a CI cybersecurity law is one of the initiatives in the Chief Executive’s 2023 Policy Address.[3] Essentially, the purpose is to protect Hong Kong’s business environment by securing the operations of the CIs that deliver essential services, so as to consolidate Hong Kong’s status as an international financial centre.
-
What does the Proposed Legislation intend to regulate?
The Proposed Legislation targets the operators of critical infrastructures (the “CIOs”) which (i) deliver essential services or (ii) maintain important societal and economic activities in Hong Kong. Only large-scale CIOs will be regulated; small and medium-sized enterprises and individuals will not be affected by the Proposed Legislation.
Infrastructures for delivering essential services are those delivering services vital to people’s everyday life, the disruption, compromise or unavailability of which would have a significant impact on everyday life and the functioning of society. Eight sectors fall under this category, namely:
- Energy;
- Information technology;
- Banking and financial services;
- Land transport;
- Air transport;
- Maritime;
- Healthcare services; and
- Communications and broadcasting.
Unlike jurisdictions such as Australia and the US, which have published sector-specific plans as supplementary guidance, the Proposed Legislation currently does not provide a comprehensive list of which businesses or providers of goods or services within each sector will be considered CIOs. In response to stakeholders’ questions about the criteria and definition of the designated sectors, the Security Bureau has said it will maintain close communication with the relevant sectors before deciding on the definitions.
Infrastructures for maintaining important societal and economic activities are those whose interruption or damage may have implications for important societal and economic activities. Examples of CIs in this category include major sports and performance venues and research and development parks.
-
How is it determined whether an infrastructure falls under the regulated categories?
To decide whether an infrastructure is a CI caught by the Proposed Legislation, the following factors will be considered:
- The implications for essential services and important societal and economic activities in Hong Kong if the infrastructure were damaged, lost functionality or leaked data.
- The degree to which the infrastructure concerned depends on information technology.
- For infrastructures maintaining important societal and economic activities specifically, the importance of the data controlled by the infrastructure concerned.
-
Who will be the regulator?
It is proposed that a new Commissioner’s Office will be established under the Security Bureau to implement the Proposed Legislation.
For industries already under the regulatory control of statutory sector regulators, those regulators will be designated to monitor the discharge of organisational and preventive obligations by the relevant regulated entities, to avoid duplicated regulatory work. For instance, the Hong Kong Monetary Authority will oversee the banking and financial services sector, and the Communications Authority will regulate the communications and broadcasting sector. CIOs in these sectors should continue to observe the information technology security guidelines already in place to discharge their sector-specific obligations.
-
What data are to be governed by the Proposed Legislation?
The Proposed Legislation only concerns data relating to the critical computer systems (the “CCSs”) of the CIs, i.e. the computer systems related to the normal functioning of the CIs. The Security Bureau has explicitly stated that the provisions will not apply to personal data or to business operational and commercially confidential information.
When a cybersecurity incident arises, the Commissioner’s Office will only request the information necessary to assess the severity of the incident for society and the threat it poses to other operators.
-
What are the obligations to be imposed on the CIOs?
Obligations imposed on the CIOs fall into three categories: (i) organisational, (ii) preventive and (iii) incident reporting and response.
- Organisational obligations: generally speaking, these require CIOs to keep the Commissioner’s Office informed of their particulars and to maintain a computer system security risk management mechanism. They include:
  - providing the Commissioner’s Office with a Hong Kong office address, and maintaining that address and office in Hong Kong;
  - reporting changes in the ownership and operatorship of CIs to the Commissioner’s Office within the stipulated time frame; and
  - setting up a computer system security management unit, either in-house or outsourced, with professional knowledge, supervised by a dedicated supervisor of the CIO.
- Preventive obligations: these are intended to prevent significant adverse impacts from disruption to the CCSs. They include:
  - informing the Commissioner’s Office of material changes to the CCSs;
  - formulating and implementing a computer system security management plan;
  - conducting computer system security risk assessments;
  - conducting independent computer system security audits; and
  - ensuring that third-party service providers comply with the obligations.
- Incident reporting and response obligations: these address and minimise the impact of disruption to the CCSs in the event of a cyber-attack. They include:
  - participating in computer system security drills at least once every two years;
  - formulating an emergency response plan for computer system security incidents; and
  - reporting computer system security incidents affecting CCSs to the Commissioner’s Office within the stipulated time frame.
In view of the practical difficulties raised during the consultation, the Security Bureau will consider removing some of the proposed obligations, such as reporting changes in ownership, from the list.
-
Are CIOs required to report each and every computer system security incident?
Yes. CIOs are required to report any computer system security incident affecting a CCS to the Commissioner’s Office. The reporting time frame depends on the severity of the incident.
- Serious computer system security incidents, i.e. incidents which have or may have a major impact on the continuity of essential services and the normal operation of the CIs, or which lead to a large-scale leakage of personal information or other data, must be reported within 2 hours of becoming aware of the incident.
- Other computer system security incidents must be reported within 24 hours of becoming aware of the incident.
“Becoming aware of” an incident means having a reasonable degree of certainty that a computer system security event has harmed the confidentiality, integrity or availability of the CCSs, or has compromised their operations.
As a recommended practice, the initial report may be made by email, telephone or text message and should cover, at a minimum, the nature of the incident, the system(s) affected and the impact. Where the initial report is made by telephone or text message, the CIO must follow up with a written report to the Commissioner’s Office within 48 hours.
Within 14 days of becoming aware of the incident, the CIO should submit a written report in the specified form providing the Commissioner’s Office with further details.
Noting the difficulties brought by the proposed time frame for reporting incidents to the Commissioner’s Office, the Security Bureau will consider relaxing the time frame for reporting serious computer system security incidents from 2 hours to 12 hours and that for other incidents from 24 hours to 48 hours.
-
Does physical location matter?
The Consultation Report clarified that the Proposed Legislation does not have extraterritorial effect. The Commissioner’s Office will only request information which is accessible by operators with offices set up in Hong Kong.
-
What is the timeline for passing the Proposed Legislation?
The Security Bureau expects to finalise the bill and introduce it to the Legislative Council within 2024, and the legislation will come into force six months later. At the earliest, therefore, it will take effect in mid- to late 2025.
-
If the Proposed Legislation does not concern personal data, does it mean organisations are not obliged to notify the Office of the Privacy Commissioner for Personal Data (the “PCPD”) in case of cyberattack involving personal data?
As explained above, the Proposed Legislation does not concern personal data. In practice, however, cyber-attacks against CIs and CCSs will often leak personal data, since CIOs are typically organisations holding vast amounts of Hong Kong residents’ personal data. The Consultation Report rejects the suggestion that this creates duplicate reporting obligations, on the basis that the purpose and content of a report to the Commissioner’s Office differ from those of a report to the PCPD. It clarifies that, where a computer system attack leads to the leakage of personal data, CIOs are required to report the incident to both the Commissioner’s Office and the PCPD.
Although the PCPD plans to introduce a mandatory notification regime for data breach incidents, the timeline for the corresponding amendments to the Personal Data (Privacy) Ordinance remains unclear. As the Proposed Legislation may become law in mid- to late 2025 at the earliest, data breach notification to the PCPD may still be voluntary at that time. In the event of a cyber breach, it would therefore be mandatory only for the affected CIO to notify the Commissioner’s Office. That said, the PCPD is taking an increasingly strict attitude towards data breach notification: its recent and frequent public naming of organisations shows that the regulator expects organisations, particularly those providing public services, to report data breach incidents proactively. In practice, CIOs should therefore be prepared to observe two sets of notification requirements.
-
Are there any further details to be clarified after the publication of the Consultation Report?
To provide detailed guidance to CIOs, the Security Bureau will address the following in the Codes of Practice:
- Eligible qualification requirements for computer system security personnel;
- Eligible qualification requirements for security audit staff;
- Coverage of “incidents required to be reported” and examples;
- Applicable standards and methodologies to CIOs of different sectors for discharging organisational and preventive statutory obligations;
- Guidelines on “due diligence” performance and “reasonable endeavour” as reference for CIOs when drawing up and enforcing third-party service contracts; and
- The requirements and scope of computer system security training and relevant training information for reference.
Be Prepared for the Proposed Legislation
As the Proposed Legislation will soon be introduced to the Legislative Council, organisations should now take actions and get ready for the new cybersecurity obligations. Below are a few measures an organisation may take in advance:
- Assess how critical each computer system is to the organisation’s operations and business continuity, what information each system processes, and how dependent the organisation’s operations are on the integrity of each system. Prepare a robust cybersecurity management plan accordingly.
- Formulate a comprehensive cyber incident response plan that addresses and minimises disruption to the CCSs, and the resulting loss and damage to the organisation, in the event of a cyber incident.
- Conduct comprehensive due diligence and audits of third-party service providers’ cybersecurity capabilities. Ensure that third-party service providers are capable of complying with the Proposed Legislation, with secure information technology systems and an optimal level of response readiness.
- Include in service contracts with third-party service providers the organisation’s right to conduct regular and ongoing cybersecurity monitoring, and require the providers to notify the organisation immediately of any suspected or actual cyber incident.
- Provide training tailored to staff at different levels and in different functions, so that they have the knowledge and skills to discharge their respective roles and responsibilities effectively when handling cyber-attacks.
- Put in place a well-thought-out communication process and strategy that enables the organisation to react swiftly and communicate effectively with different stakeholders in the event of a cyber-attack.
We will continue to monitor the development of the Proposed Legislation in Hong Kong. If you have any questions or require legal services and / or advice in relation to any information set out in this newsletter, please get in touch with Joyce Chan or your usual Clyde & Co contact.