Hong Kong’s Secretary for Security, Chris Tang Ping-keung, has sought to clarify concerns surrounding the newly proposed Hong Kong cybersecurity bill, particularly its impact on US businesses operating in the region. Tang’s reassurances come in response to queries raised by the American Chamber of Commerce in Hong Kong regarding the bill’s scope and implications for privacy.
The bill in question, known as the Protection of Critical Infrastructure (Computer System) Bill, aims to bolster cybersecurity measures for essential infrastructures across eight key sectors. These sectors include energy, information technology, banking, communications, maritime, healthcare services, and land and air transport.
If operators in these sectors fail to maintain up-to-date security for their critical computer systems, they could face fines of up to HK$5 million (approximately US$640,200), reported South China Morning Post.
The Controversy Surrounding Hong Kong Cybersecurity Bill
During a recent radio program, Tang addressed the concerns of the American Chamber of Commerce, which had submitted feedback during the one-month consultation period for the bill. Out of the 53 submissions received, only one—a UK-based human rights organization—voiced opposition. Tang emphasized that the purpose of the bill is not to infringe on the privacy of businesses but to ensure the security of critical infrastructures.
“We are not interested in the personal information or operational details of these businesses. Our sole focus is on ensuring that their systems are secure,” Tang asserted. “If anyone suggests that the bill aims to monitor personal information, they are trying to mislead or alarm you,” he cautioned.
The American Chamber of Commerce had expressed concerns about the broad inclusion of the information technology sector, suggesting it might inadvertently capture a wide range of technology companies not directly involved in managing critical infrastructure.
They also requested clarity that the legislation would only apply to critical infrastructures and computer systems for Hong Kong cybersecurity, cautioning that any extraterritorial implications could impose excessive compliance costs and deter multinational investments.
In response, Tang argued that the inclusion of the information technology sector is crucial. He pointed out that many countries, including the United States, Australia, and Singapore, have similar regulations that encompass information technology due to its integral role in daily operations and cybersecurity.
“The IT sector’s involvement is essential to achieving the bill’s goals. Omitting it could undermine the legislative intent and leave significant gaps in our cybersecurity framework,” Tang explained.
Concerns for Hong Kong Cybersecurity
Furthermore, Tang addressed concerns about the new Hong Kong cybersecurity legislation, including the new office’s investigative powers. He assured that the office, which will be established under the Security Bureau, will focus solely on critical infrastructure and will not extend its reach to small and medium-sized enterprises or individual operators.
In the event of a severe security incident, operators will be required to notify the new office within two hours. For less urgent issues, the timeframe for reporting is 24 hours. Failure to comply or neglecting to conduct required risk assessments could result in the substantial fines mentioned earlier.
Tang also revealed that the government plans to keep the list of companies affected by the bill confidential to prevent potential threats or targeting. The bill is expected to be forwarded to lawmakers by the end of the year, with the government aiming to address any lingering concerns and finalize the legislation.
In summary, Hong Kong’s cybersecurity bill, designed to enhance the Protection of Critical Infrastructure, seeks to establish rigorous standards for securing essential systems without infringing on individual privacy. The focus remains firmly on safeguarding critical infrastructures against cyber threats, with safeguards in place to ensure the bill does not inadvertently impact smaller enterprises or private data.
