Hong Kong to enact new cyber-security law | Robert Li | CDR Article – CDR Magazine


Cyber-security requirements in the Special Administrative Region will be brought into line with other jurisdictions in the region, including Mainland China, Singapore and Australia, with implications for ‘critical infrastructure operators’.

Hong Kong, a Special Administrative Region (SAR) of China, is considering a law that would impose new requirements on operators of high-level and significant technology infrastructure.

Currently being considered by the Legislative Council (LegCo), the semi-autonomous unicameral legislature for the territory, the draft ‘Critical Infrastructure Protection (Computer Systems) Bill’ has been “prepared jointly by the Security Bureau, Office of the Government Chief Information Officer and Hong Kong Police Force,” explains former tech-sector in-house senior legal counsel Wilfred Ng, who is now a technology and data protection partner at Bird & Bird Hong Kong. “It is a much-needed nod and expected move to address the increasingly prevalent cyber-security risks manifested in a number of high-profile ransomware and cyber-attacks in the city.”

Norton Rose Fulbright (NRF) Hong Kong litigator and contentious regulatory partner Daniel Ng and senior associate Charlton Lin point out in an e-mail to CDR: “Currently there is no legislation specifically governing cyber-security in Hong Kong. The proposed bill will impose statutory obligations on critical infrastructure operators on computer systems from an organisation level, preventive measures, and on incident reporting and response.”

Eversheds Sutherland Hong Kong partner and technology practice lead for Asia Rhys McWhirter says the Bill is no surprise to him, since it fills a notable gap in the legislation and brings it into line with other jurisdictions: “When you look at the major markets around the world and especially in the Asia-Pacific region, Australia, Singapore and [Mainland] China have their own legislation, so in that respect Hong Kong is a bit behind the curve in cyber-security, with Singapore’s law existing since 2018, for example.”

A 47-page briefing paper prepared for debate on 2 July by the LegCo Panel on Security stated the purpose of the Bill was to create a “framework for enhancing protection of computer systems of critical infrastructures”, and further defines critical infrastructures as “facilities that are necessary for the maintenance of normal functioning of the Hong Kong society and the normal life of the people, [which if] disrupted or sabotaged […] may have a rippling effect affecting the entire society, seriously jeopardising the economy, people’s livelihood, public safety and even national security”.

THE PROPOSALS

A total of eight sectors have been identified as delivering essential services in the territory, which are: energy, IT, banking and financial services, land transport, air transport, maritime, health care, and communications and broadcasting. Organisations under these categories may be designated as ‘critical infrastructure operators’ (CIOs), which means they will be affected by the new law, potentially omitting small and medium enterprises (SMEs) from the proposed legislation’s scope.

This is not the whole story, however, since it is envisaged that other infrastructures may be brought into the purview of the new law, including “major sports and performance venues, research and development parks” and similar entities, according to paragraph 15 of the briefing paper.

The law is set to operate at an organisational level – meaning it will not be imposed on individuals – and will focus on the CIOs’ critical computer systems (CCSs) only, stipulating a number of conditions and minimum standards across organisation, preventative action and incident response.

CIOs’ organisational obligations include the mandate to maintain a local address in Hong Kong, report changes to ownership and operation of critical infrastructure, and set up a dedicated cyber-security unit. To prevent incidents occurring, CIOs must report major changes to their CCSs, draw up and submit a cyber-security plan, as well as perform a cyber-risk assessment annually and an independent cyber-audit every two years.

The law will also require CIOs to take part in a publicly organised two-yearly security drill, put together an emergency response procedure, and notify the authorities of incidents within a tight timeframe after occurrence. “The Hong Kong Bill positions itself at the more ‘pointy’ end of timeframes – it is a 24-hour limit for security incidents, but for very serious security incidents it is [only] two hours,” Eversheds Sutherland’s McWhirter highlights, contrasting this with the far more generous 72-hour maximum allowed by the EU’s General Data Protection Regulation (GDPR).

A new regulator, the Commissioner’s Office, will be set up to implement the new provisions, act as point of contact, receive the relevant documents and investigate suspected regulatory breaches.

ONE FINE DAY

To encourage CIOs to comply, the new law provides for courts to impose fines of between HKD 500,000 and HKD 5 million (USD 64,000 and USD 640,000).

In a departure from other regional cyber-regimes, the Bill also permits a fine of HKD 50,000 to HKD 100,000 (USD 6,400 to USD 12,800) to be levied for each day of non-compliance, a sanction McWhirter considers likely to be reserved for the most egregious examples of “ongoing wilful non-compliance”.

CRITIQUE, CONSULTATION, AND GETTING READY

Bird & Bird’s Ng emphasises that the Bill is hardly controversial, and should reduce cyber-risk by finally harmonising Hong Kong’s regulations with neighbouring jurisdictions: “This is [being] enacted against the backdrop of the existing cybersecurity framework in Mainland China, including the Cybersecurity Law 2016 and Regulation for Safe Protection of Critical Information Infrastructure 2021.”

Eversheds Sutherland’s McWhirter agrees that the law should be positive for the territory overall: “It brings Hong Kong into line with how markets are responding to cyber-security and infrastructural risk – we are in an important period globally at the moment, more than half of humanity is voting in elections this year, which strays into critical infrastructure – so a financial hub needs a law of this ilk to bring it into line with other major markets.”

The Bill is now at the public consultation stage and, once the entire LegCo procedure has been completed, the Bill is expected to come into force within the next six to nine months following receipt of assent by the SAR Chief Executive, meaning it could become an ordinance (as acts are known under Hong Kong law) as early as next year. So what, if anything, should companies do now to prepare?

“Companies should conduct an overall review of their cybersecurity measures currently in place, be aware of their potential statutory obligations and set up a computer system security management unit as soon as possible to ensure compliance with the Bill,” recommend NRF’s Ng and Lin.

Bird & Bird’s Ng agrees that potentially affected companies should get their plans in place now: “Whilst the Government intends to designate CIOs and their computer systems in a progressive and phased manner upon the proposed legislation [entering into effect], organisations should leverage on [their] existing information security and cyber-security framework to prepare for compliance in advance, particularly if they have already been consulted as a potential organisation to be designated as [a] CIO.”
