Out-Law Analysis 4 min. read
13 Dec 2024, 3:39 pm
Businesses should review their cybersecurity programmes after the Security Bureau announced a draft bill aimed at strengthening the computer systems of critical infrastructure in the Hong Kong Special Administrative Region (SAR).
The Protection of Critical Infrastructure (Computer Systems) Bill (115 pages/785 KB) is the first legislation in Hong Kong SAR to focus on cyber security. The new legislation will help minimise the likelihood of essential services being disrupted by cyber-attacks.
The Bill aims to regulate large organisations that operate critical infrastructure – known as critical infrastructure operators (CIOs) – across eight sectors: energy; information technology; banks and financial services; land transport; air transport; maritime transport; healthcare services; and telecommunications and broadcasting services. The Bill will also regulate other infrastructure where damage, loss of functionality or data leakage may hinder or substantially affect the maintenance of critical societal or economic activities in Hong Kong. Companies should assess now whether they would fall within the definition of a CIO, and therefore within the scope of the legislation, once it is enacted.
CIOs will have new obligations which include setting up a computer system “security management unit” supervised by an employee of the CIO, conducting a computer system security risk assessment at least once every year and submitting a report, conducting a computer system security audit at least once every two years and submitting a report, and formulating and submitting an emergency response plan.
The Bill expands CIO designation criteria to include the “sensitivity of digital data controlled by the organization in respect of the infrastructure”. The regulating authority will consider this, alongside existing factors such as dependence on computer systems and control over infrastructure operation and management, when designating a CIO.
The Bill deletes the concept of “interconnected systems”, included in the proposed legislative framework, from its scope of critical computer system (CCS) designation. As a result, a computer system can now be designated as a CCS as long as it is accessible by the operator in or from Hong Kong and is essential to the core function of a CIO.
A CIO is only required to report operatorship changes as opposed to both operatorship and ownership changes to the regulatory authority as previously suggested.
CIOs are required to conduct computer system security risk assessments and audits under the Bill. The scope and standards for these will be detailed in a forthcoming code of practice, to be formulated after the Bill commences. The Security Bureau is expected to consider the latest technology and international standards when drafting the recommended standards, and will consult the relevant stakeholders to ensure the standards provide sufficient guidance.
The Bill clearly permits CIOs to report to the “regulating authority”, defined as the commissioner or a designated authority, to fulfil their organisational and preventive obligations. A “commissioner’s office” will be set up within a year of the Bill being passed, and it is envisaged that CIOs will report to this office. For serious computer system security incidents, CIOs shall report to the commissioner within 12 hours of becoming aware of an incident that has disrupted, is disrupting or is likely to disrupt the core functions of the critical infrastructure. This is a sixfold increase from the original two-hour reporting window stated in the proposed legislative framework. CIOs shall report to the commissioner within 48 hours of becoming aware of any other computer system security incidents. This has doubled the original 24-hour reporting window stated in the proposed legislative framework.
The Bill expands the scope of the commissioner’s investigatory powers. As a result, the commissioner can now initiate an “early investigation” if there is reasonable suspicion of a computer-system security threat or computer-system security incident that has had, or is likely to have, an actual adverse effect on a CCS. These powers can be exercised to establish whether such an event has occurred and to identify its cause.
CIOs must submit and implement a computer-system security management plan. The latest code of practice (CoP) described in the legislative brief broadens the scope of recommended elements to be included in such plans. Amongst others, the most notable addition is the need to cover the measures devised, contractual or otherwise, for service provider engagement. This ensures that CIOs will exercise due diligence and reasonable endeavours in fulfilling their statutory obligations even when engaging third-party service providers. In practice, including this element in the plan will likely be highly beneficial: it may lend weight to arguments when a CIO seeks to invoke the new statutory defences of “due diligence” (for non-compliance with the organisational, preventive, and incident reporting and response obligations, or with written directions) or “reasonable excuse” (for other offences).
CIOs must also submit and implement an emergency response plan to fulfil their incident reporting and response obligations. The latest CoP described in the legislative brief expands the scope of this plan and recommends that it include the number of contact points for communication with the commissioner on matters of computer system security, and detailed timeframes, subject to those prescribed in the legislation, for reporting changes of contact points and other revisions to the emergency response plan to the commissioner. This recommended scope is broader than the statutory requirement of the Bill.
The Bill now outlines the relevant factors for the regulating authority to consider when ascertaining whether infrastructure is critical – for instance, the kind of service provided, the implications if the infrastructure is damaged, loses functionality or suffers any data leakage, and any other matters the regulating authority considers relevant.
The regulatory authority does not have the power to conduct an extra-territorial investigation. As such, CIOs will only be requested to submit documents that are accessible to them in or from Hong Kong to the regulatory authority for investigation purposes and will be given reasonable time for compliance.
Once the legislation takes effect, CIOs failing to meet their new obligations could face maximum fines ranging from HK$500,000 (US$64,374) to HK$5 million (US$643,071), with additional daily fines for “persistent non-compliance”.
A commissioner’s office is expected to be established within Hong Kong SAR’s Security Bureau to oversee the implementation of the legislation once it comes into effect. The first reading and the commencement of the second reading debate for the Bill took place on 11 December, and further developments are expected in the coming months.