Proposed legislative framework to enhance protection of the computer systems of critical infrastructure
FAQs
Question 1: What is the purpose of the proposed legislation? What are the benefits?
The purpose of the proposed legislation is to strengthen the security of the computer systems of critical infrastructure and minimise the chance of essential services being disrupted or compromised due to cyberattacks, thereby enhancing the overall computer system security in Hong Kong.
The proposed legislation is conducive to promoting the establishment of good preventive management systems by operators of critical infrastructure (CI) and securing the operation of their computer systems, enabling the smooth operation of essential services and consolidating Hong Kong’s favourable business environment and status as an international financial centre.
Question 2: What is regulated by the proposed legislation? Does it affect me?
The proposed legislation seeks to regulate operators of critical infrastructure that is necessary for (i) the continuous delivery of essential services or (ii) maintaining important societal and economic activities in Hong Kong.
Operators to be regulated will mostly be large organisations. Small and medium enterprises and the general public will not be affected.
Question 3: Will the Government obtain my personal information through operators of critical infrastructure?
The proposed legislation will only require operators of critical infrastructure to bear the responsibility for securing their critical computer systems; it does not target the personal data or commercial secrets held in those systems.
Question 4: What is critical infrastructure?
There are two categories of critical infrastructure under the proposed legislation:
(i) Infrastructures for delivering essential services in Hong Kong, covering the following eight sectors:
(a) Energy;
(b) Information Technology;
(c) Banking and Financial Services;
(d) Land Transport;
(e) Air Transport;
(f) Maritime;
(g) Healthcare Services; and
(h) Communications and Broadcasting; or
(ii) Other infrastructures for maintaining important societal and economic activities (such as major sports and performance venues, research and development parks, etc.).
It does not cover the Government: The Government has already put in place a set of detailed internal Government Information Technology Security Policy and Guidelines ("Policy and Guidelines"), which are reviewed and updated regularly with reference to the latest international standards and industry best practices. As the level of requirements in the Policy and Guidelines is comparable to the statutory requirements under the proposed legislation, we propose to continue to regulate Government departments with the existing administrative approach.
Question 5: What are the obligations of operators of critical infrastructure under the proposed legislation?
Designated operators of critical infrastructure ("CIO") will need to fulfil three types of obligations as set out below:
I. Organisational
- maintain an address and office in Hong Kong
- report changes in the ownership and operatorship of critical infrastructure
- set up a computer system security management unit with professional knowledge (may be outsourced) supervised by a dedicated supervisor of the CIO
II. Preventive
- inform the Commissioner’s Office of material changes to their critical computer systems (e.g. design, configuration, security, operation)
- formulate and implement a computer system security management plan
- conduct a computer system security risk assessment (at least once every year)
- conduct a computer system security audit (at least once every two years)
- adopt measures to ensure that their third party services providers are in compliance with the relevant statutory obligations
III. Incident Reporting and Response
- participate in a computer system security drill (at least once every two years)
- formulate an emergency response plan
- notify the Commissioner’s Office of the occurrence of computer system security incidents in respect of critical computer systems
Question 6: What kind of incidents do operators of critical infrastructure need to report? What is the time frame?
Under the proposed legislation, operators of critical infrastructure will need to report to the Commissioner’s Office computer system security incidents (i.e. activities carried out without lawful authority on or through a computer system that jeopardise or adversely affect its computer system security) so that the Commissioner may direct a timely response as needed. The relevant reporting categories and time frames are as follows:
Serious computer system security incidents (referring to incidents that have had, or are about to have, a major impact on the continuity of essential services and the normal operation of CIs, or that lead to a large-scale leakage of personal information and other data): a report shall be made within 2 hours after becoming aware of the incident;
Other computer system security incidents: a report shall be made within 24 hours after becoming aware of the incident.
Question 7: What are the consequences if an operator of critical infrastructure violates the law?
The legislative intent is to cause operators of critical infrastructure to enhance protection of the security of their computer systems, not to punish them. Organisations will be fined for violations, with maximum fines ranging from HK$500,000 to HK$5 million.
However, if the relevant violations also involve a breach of existing criminal legislation, such as making false statements, using false instruments or other fraud-related offences, the officers involved may be held personally criminally liable, as is already the case today.
Question 8: Why are certain statutory regulators to be designated as responsible for specific sectors?
Some of the essential service sectors to be regulated are already comprehensively regulated by statutory sector regulators. We propose to designate certain sector regulators as designated authorities to monitor the discharge of organisational and preventive obligations by operators in these essential service sectors.
This approach allows the designated authorities to establish sets of standards and requirements on organisational and preventive obligations, under their existing regulatory regimes, that best suit the sectors’ needs. Operators of critical infrastructure in these sectors will not need to fulfil additional requirements of the Commissioner’s Office in relation to these two types of obligations.
At this stage, we propose to designate (1) the Monetary Authority as the authority responsible for regulating some service providers in the banking and financial services sector, and (2) the Communications Authority as the authority responsible for regulating some service providers in the communications and broadcasting sector.
Question 9: Has reference been made to relevant legislation in other jurisdictions?
In recent years, laws and regulations protecting the security of computer systems of critical infrastructures have become increasingly common in other jurisdictions.
We have made reference to the legislative direction of other jurisdictions (including Mainland China, Macao Special Administrative Region, Australia, the European Union, Singapore, the United Kingdom and the United States) in formulating a regulatory regime that is suitable for Hong Kong.
Question 10: Is there a consultation?
Since 2023, we have consulted over 110 stakeholders, including organisations that may be designated as CIOs, cybersecurity service providers and audit companies, sector regulators, etc., on the preliminary proposed framework of the legislation.
The stakeholders unanimously agreed that it is the responsibility of all sectors of the community to safeguard the security of computer systems and supported the legislation in principle.
We have issued letters to consult relevant stakeholders again. You are welcome to submit your views for our consideration via the following means on or before 1 August 2024.
By Email: Protection_CI@sb.gov.hk
By post: Security Bureau [Attn: E Division], 10/F, East Wing, Central Government Offices, 2 Tim Mei Avenue, Tamar, Hong Kong
By fax: 2810 7702 [Attn: E Division, Security Bureau]
Disclaimer: Submissions received will be treated as public information and the content of the submissions may be reproduced and published in whole or in part for the purposes of this consultation exercise and related purposes without seeking the permission of or providing acknowledgement to the respondents. All personal data collected in the submissions will be used for the purposes of this consultation exercise and any directly related purposes. Unless specific requests for confidentiality are made, the Security Bureau may quote the identity or organisation name of respondents for the purposes of this consultation exercise and related purposes. If you do not wish to disclose your identity or name, please state so when submitting your views.