posted 1 month ago
Hong Kong does not have statutory requirements on critical infrastructure cybersecurity. However, critical infrastructure around the world is at risk of cyberattacks and the repercussions of such malevolent actions can be extremely severe.
In recent years, legislation to protect the security of computer systems of critical infrastructure has been enacted in mainland China, Australia, the UK and the EU. Following in these footsteps, Hong Kong proposes to enact new legislation tentatively titled the Protection of Critical Infrastructure (Computer System) Bill.
Regulation targets
The proposed legislation seeks to regulate the operators of critical infrastructure that are necessary for:
The new law will regulate only computer systems that are related to the normal functioning of critical infrastructure, regardless of their physical location, but not the operators’ other systems.
The legislation will not apply to essential services operated by the government – like water supply, drainage and emergency relief – as the government already has comprehensive internal information technology security policies and guidelines. Consequently, government departments will continue to be regulated by the existing administrative framework.
Administration
A new commissioner’s office will be established under the Security Bureau to implement the proposed legislation, including the performance of the following duties: designating critical infrastructure operators (CIOs) and critical computer systems (CCSs); establishing a code of practice and giving advice on the measures to be adopted by CIOs; monitoring security threats against CCSs; assisting CIOs in responding to computer system security incidents; investigating and following up on non-compliance and offences committed by the CIOs; coordinating with various government departments in formulating policies and guidelines and handling incidents; and issuing written instructions to CIOs addressing potential security loopholes.
Designation
Whether a piece of infrastructure is designated as a critical infrastructure will depend on factors such as whether it provides essential services or maintains important societal and economic activities in Hong Kong, its reliance on information technology, and the severity of societal impact in the event of damage, loss of functionality or data leakage.
Operators
The commissioner’s office will expressly designate certain operators as CIOs. These operators will mostly be large organisations, but the list of designated CIOs will not be made public to protect their critical infrastructure from potential cyberattacks.
CIOs’ obligations
Designated CIOs will be required to fulfil three types of obligations:
Upon request by the commissioner’s office in the course of investigating an incident or offence related to the three types of obligations above, CIOs must submit relevant information available to the commissioner’s office, even if such information is located outside Hong Kong.
Sector regulators
Certain essential service sectors are already comprehensively regulated by statutory sector regulators. These regulators can monitor the discharging of CIOs’ organisational and preventive obligations. At this stage, it is proposed that:
Nevertheless, the commissioner’s office will fully grasp any incident and the response arrangements of all CIOs to co-ordinate, investigate and prevent incidents from spreading to other CIOs.
Penalties for non-compliance
CIOs are expected to adhere to the statutory obligations under the proposed legislation and written directions and requests issued by the commissioner’s office. Failure to do so may constitute an offence and result in fines ranging from HK$500,000 to HK$5 million. If an organisation continues to disregard certain compliance obligations, additional daily fines may be imposed.
By: Rossana Chu and Beverly Fu at YYC Legal LLP
Note: This material has been prepared for general informational purposes only and is not intended to be relied upon as professional advice. Please contact us for specific advice.