In response to an increase in cyberattacks, Hong Kong is taking its first steps to introduce comprehensive cybersecurity legislation. The government recently unveiled a proposed framework for regulating Critical Infrastructure Operators (CIOs) and Critical Computer Systems (CCS).
The proposal comes amid a wave of cybersecurity developments across Asia, including new regulations in Thailand and Singapore. Hong Kong’s proposal would align with other jurisdictions that regulate critical infrastructure, such as mainland China, Australia, and the United States.
Key Elements of the Proposed Hong Kong Cybersecurity Framework
The proposed framework is designed to ensure that CIOs and CCS operate in a secure and reliable manner. A new Commissioner’s Office, to be set up under the Security Bureau, will oversee the implementation of these regulations.
This office will have the power to investigate incidents, issue guidelines, and conduct inspections. The key elements of the framework include:
Scope of Application: The framework applies to CIOs and CCS, which are defined as organizations that own, control, or use critical computer systems. The initial eight Designated Sectors include energy, information technology, banking and financial services, land transport, air transport, maritime, healthcare services, and communications and broadcasting.
Obligations: CIOs will be required to maintain an address and office in Hong Kong, establish a dedicated cybersecurity team, update the Commissioner’s Office on material changes to CCS, and conduct regular security audits and risk assessments. They will also be required to participate in security drills and submit emergency response plans.
CIOs will face three main categories of obligations:
- Organizational: Maintain a Hong Kong office and establish a dedicated cybersecurity team.
- Preventive: Submit security management plans and conduct regular risk assessments and audits.
- Incident Reporting and Response: Participate in security drills and notify authorities of incidents within specified timeframes.
Comparison with Other Jurisdictions
The proposed framework shares similarities with existing cybersecurity regulations in Singapore and China. For instance, both jurisdictions require CIOs to conduct regular security risk assessments and audits. However, there are also some key differences, such as the frequency and timing of security drills and incident reporting.
Challenges, Uncertainties and Unresolved Questions
While the proposed framework provides a comprehensive approach to cybersecurity, there are still some unresolved issues, and many questions have been raised about the new legislation:
Compliance Timeline: Organizations may have only six months to implement required measures after being designated as CIOs or CCSs. This could prove challenging, especially for larger entities that require more time for organizational changes.
Sector Definitions: There’s uncertainty about which organizations will fall under certain designated sectors, particularly the “information technology” category.
Third-Party Providers: The framework’s impact on service providers to CIOs remains unclear, as some may themselves be designated as critical infrastructure operators.
Talent Shortage: Stakeholders have expressed concerns about the difficulty of hiring competent cybersecurity personnel to meet the new requirements.
The government plans to introduce a bill by the end of 2024, with the legislation expected to come into force in late 2025 or mid-2026 at the latest. As Hong Kong moves forward with this initiative, balancing security needs with operational feasibility will be crucial for its success.
