The Protection of Critical Infrastructure (Computer System) Bill: Hong Kong's first specific cybersecurity legislation

In late June 2024, the Security Bureau of the Hong Kong SAR Government (the "Government") proposed the first specific cybersecurity legislation in Hong Kong, tentatively entitled the Protection of Critical Infrastructure (Computer System) Bill (the "Bill"), to strengthen the security of the computer systems of critical infrastructure ("CI") and minimise the chance of essential services being disrupted or compromised due to cyberattacks.

A paper on the Bill was submitted by the administration for the discussion of the Legislative Council ("LegCo") Panel on Security on 2 July 2024. The proposed legislation seeks to regulate operators of CI that are necessary for

As such, the Bill will capture CI operators ("CIOs"), which are large organisations, while small and medium enterprises and the general public will most likely fall out of scope.

A new Commissioner's Office, to be set up under the Security Bureau, is also proposed under the Bill for the implementation of the proposed legislation.

Two categories of infrastructure, as set out below, will be covered under the Bill as CI:

1. Infrastructures for delivering essential services in Hong Kong, covering the following eight sectors:

- energy
- information technology
- banking and financial services
- land transport
- air transport
- maritime
- healthcare services; and
- communications and broadcasting

where information technology has significant implications on such infrastructures' operations, and where essential services and important societal and economic activities in Hong Kong could be impacted if there was damage, loss of functionality or data leakage in such infrastructures.

2. Other infrastructures for maintaining important societal and economic activities, such as major sports and performance venues, research and development parks, etc., which could seriously impact important societal and economic activities in Hong Kong if there was damage, loss of functionality or data leakage in such infrastructures, especially if important data is controlled by such infrastructures.

Only CIOs expressly designated by the Commissioner's Office will be subject to the proposed legislation; however, the Bill will only refer to the essential service sectors mentioned above. The list of designated CIOs will not be made public, to prevent the CIs from being targets of cyberattacks, and the designation will likely be disclosed only to the organisation concerned.

The Government is explicitly excluded from the operation of the Bill, and Government departments will continue to be regulated under the existing internal Government information technology security policy and guidelines.

It is proposed that the Bill will only regulate expressly designated CIOs and their Critical Computer Systems ("CCS"), i.e. computer systems that are relevant to the CI's provision of essential service or the core functions of computer systems, and those systems which, if interrupted or damaged, will seriously impact the normal functioning of the CI. The Commissioner's Office will consult with CIOs on what systems are essential to their operations and consider if any of their systems should be designated as CCS; other computer systems of CIOs will not be designated as CCS and thus are not subject to the Bill. In addition, obligations imposed on CIOs under the Bill will relate only to securing CCS and will not involve the personal data and business information therein.

To ensure that CIOs will put in place a sound management structure for protecting the security of CCS, implement the necessary measures to prevent cyberattacks on computer systems of the CIs, and promptly respond to and recover the affected systems in the event of computer system security incidents, CIOs will need to fulfil three types of obligations, as set out below.

Organisational:

- maintain an address and office in Hong Kong;
- report changes in the ownership and operatorship of critical infrastructure;
- set up a computer system security management unit with professional knowledge (in-house or outsourced), supervised by a dedicated supervisor of the CIO.

Preventive:

- inform the Commissioner's Office of material changes to their CCS in relation to its design, configuration, security, operation, etc.;
- formulate and implement a computer system security management plan and submit the same to the Commissioner's Office;
- conduct a computer system security risk assessment at least once every year and submit a report to the Commissioner's Office;
- conduct an independent computer system security audit at least once every two years and submit a report to the Commissioner's Office;
- adopt measures to ensure that their third party service providers are in compliance with the relevant statutory obligations.

Incident Reporting and Response:

- participate in a computer system security drill organised by the Commissioner's Office at least once every two years;
- formulate an emergency response plan and submit a report to the Commissioner's Office;
- notify the Commissioner's Office of the occurrence of computer system security incidents in respect of CCS (i.e. activities carried out without lawful authority on or through a computer system that jeopardise or adversely affect its computer system security) within the following time frames:
  - within 2 hours after becoming aware of serious computer system security incidents, i.e. incidents that have, or are about to have, a major impact on the continuity of essential services and the normal operation of CIs, or that lead to a large-scale leakage of personal information and other data;
  - within 24 hours after becoming aware of other computer system security incidents.

Offences under the Bill include CIOs' non-compliance with statutory obligations, with the Commissioner's Office's written directions, with its statutory power of investigation, or with requests to provide relevant information.

Organisations will be fined for violations, with maximum fines ranging from HK$500,000 to HK$5 million. However, if the relevant violations involve a breach of some existing criminal legislation, such as making false statements, using false instruments or other fraud-related offences, the officers involved may be held personally criminally responsible.

As some of the essential service sectors to be regulated are already comprehensively regulated by statutory sector regulators, it is proposed under the Bill that certain sector regulators act as designated authorities to monitor the discharging of organisational and preventive obligations at this stage:

- the Monetary Authority, as the authority responsible for regulating some service providers in the banking and financial services sector; and
- the Communications Authority, as the authority responsible for regulating some service providers in the communications and broadcasting sector.

The Commissioner's Office will be empowered under the Bill to issue a code of practice ("CoP") to set out the proposed standards based on statutory requirements, such as the relevant professional qualifications that an independent computer system security auditor should possess, the scope of the audit, the internationally recognised methodologies and standards that can be referred to, and the details of the report and rectification plan. Designated authorities may also issue relevant guidelines for the institutions they regulate.

After the discussion of the Bill by the LegCo Panel on Security on 2 July 2024, there was a consultation period which ended on 1 August. The views received will be considered and adopted in the drafting of the Bill, which is currently underway. The Government's plan is to introduce the Bill into the LegCo for consideration by the end of 2024, and that is when we expect to have visibility of the actual text of the Bill.

Upon the passage of the proposed legislation, the Government aims to set up the Commissioner's Office within one year, after which it aims to bring the proposed legislation into force within half a year's time. By that time, the Commissioner's Office will review the situations of operators in different CI sectors, including their level of readiness and the impact of their services on society, etc., to designate CIOs and CCSs in a progressive and phased manner.

Organisations which have been consulted on the Bill as potential CIOs are likely to fall within scope, and they should revisit their existing information and cyber security programme to ensure that it is aligned with existing international and industry best practices. Such preparation in advance may prove invaluable in achieving compliance with the proposed legislative requirements under the Bill.

It is worth noting the extraterritorial elements under the Bill. Requirements of the proposed legislation will apply to all CCSs regardless of whether they are physically located in Hong Kong or not; furthermore, CIOs must submit relevant information upon request by the Commissioner's Office in the course of an investigation, even if such information is located outside Hong Kong.

The following is worth highlighting in the event of a computer system security incident:

While there are currently no mandatory breach notification requirements in Hong Kong, in the near future CIOs may have to observe such requirements under both the cybersecurity and the data protection regimes. The Bill introduces mandatory notification requirements for computer system security incidents; likewise, the Privacy Commissioner for Personal Data is working with the Government to comprehensively review the Personal Data (Privacy) Ordinance ("PDPO") and introduce a mandatory data breach notification mechanism as part of the proposed amendments.

For CIOs regulated by designated authorities, when reporting an incident to the designated authorities they must also report to the Commissioner's Office, which will address the incident together with the Cyber Security and Technology Crime Bureau of the Hong Kong Police Force and provide assistance after the incident.

The Commissioner's Office is proposed to be given broad powers to investigate and respond to security incidents. In addition to powers to request information and documents, the Commissioner's Office can apply for a magistrate's warrant to enter premises to check systems and take possession of documents, direct any person in control of the CCS to take remedial actions or assist in the investigation, or even connect equipment to, or install programs in, the CCS. While concerns were raised by stakeholders in the technology industry that the latter power constitutes an unprecedented level of direct intervention, the Government has responded by clarifying that it would only seek a court warrant to connect to computer systems or install programs if CIOs were unwilling or unable to respond to cyber incidents.

Authored by Tommy Liu and Kenneth Cheung.
© 2024 Hogan Lovells. All rights reserved. "Hogan Lovells" or the "firm" refers to the international legal practice that comprises Hogan Lovells International LLP, Hogan Lovells US LLP and their affiliated businesses, each of which is a separate legal entity. Attorney advertising. Prior results do not guarantee a similar outcome.