Terrorism fears spark blackout of operators listed in Hong Kong cybersecurity bill – South China Morning Post


“Referencing how other places have handled the matter, we will disclose the sectors, but not the names of the companies, as they might become terrorist targets,” he said.

The proposal requires infrastructure operators to formulate and carry out computer system security management plans, which must be submitted to a commissioner’s office to be created under the Security Bureau.

The bill defines such infrastructure as areas crucial to the regular functioning of society, breaking the concept down into eight categories that comprise energy, information technology, banking, communications, maritime, healthcare services, as well as land and air transport.

Authorities have also proposed including other infrastructure operators, such as those overseeing major sports and performance venues, and research and development parks under the bill.

The government aims to forward the proposal to lawmakers by the end of the year after holding a consultation this month.

The bill also requires companies to maintain an office in Hong Kong for a dedicated cybersecurity department, conduct risk assessments at least once a year and report their findings to the bureau’s dedicated office.

Organisations that fail to comply with the requirements could be fined up to HK$5 million (US$640,100).

But lawmaker Chan Siu-hung expressed concerns over whether small or medium-sized operators would receive enough government support to set up their cybersecurity departments or to conduct the required checks.

Security minister Tang said that while the bill would mostly target larger companies, authorities would publish practical guidelines to help operators prepare for the legislation.

Businesses could also get support from the city’s Innovation and Technology Commission and the Hong Kong Internet Registration Corporation, he added.


Legislators Ma Fung-kwok and Maggie Chan Man-ki also questioned how responsibility would be carved up between operators and their contractors, with the latter saying some contractors may have more control over certain infrastructure than the relevant operators.

Tang said companies would still be liable for any security loopholes even if they outsourced part of their operations to third-party contractors.

“Its services might have been outsourced, but the responsibility lies with the critical infrastructure operator. Outsourcing applies to tasks, but not responsibilities,” he said.

The security chief also said the government had no plans to expand the scope of critical infrastructure outlined in the bill beyond the previous proposal, after lawmaker Chow Man-kong suggested having the list cover research-focused tertiary institutions.

The Post earlier contacted more than 10 private companies and statutory bodies covered under the list for comment on their preparedness and any concerns about the bill’s requirements.

The seven organisations that replied all said they already had cybersecurity systems and other such measures in place.
