Proposed legislation to make significant step in strengthening Hong Kong's cybersecurity framework for critical infrastructure

The Hong Kong government has initiated the development of a legislative framework aimed at enhancing the cybersecurity of critical infrastructure. This move is in response to an alarming rise in cyberattacks that pose significant challenges to the security of vital systems.

The proposed legislation will impose legal obligations on operators of essential services, which encompass a wide range of sectors, including energy, information technology, banking, finance, transportation, healthcare, and communication. These operators will be held accountable for the security of their computer systems, ensuring that they take proactive measures to protect against potential cyber threats.

Key Requirements for Operators
One of the central components of the legislation is the requirement for operators to develop and implement comprehensive security plans for their core computer systems. This includes conducting regular security risk assessments at least once a year and undergoing independent security audits every two years. The operators must also engage in security drills organized by a newly established office under the Security Bureau, which will be responsible for oversight and compliance monitoring.

According to the latest announcement by the HKSAR Security Bureau, operators are required to report severe security incidents within 12 hours. For other incidents, the reporting deadline was relaxed from 24 hours to 48 hours. A spokesman for the Security Bureau said that it understands that when an incident occurs, the operator will be busy handling it.

A crucial aspect of the proposal is the establishment of a dedicated supervisory office under the Security Bureau. This office will play a pivotal role in overseeing compliance with the new regulations. It will provide guidance on the measures that critical infrastructure operators should implement, monitor cybersecurity threats, and coordinate with various government departments and cybersecurity experts. Additionally, the office will investigate any violations of the law and ensure that operators adhere to their legal responsibilities.

Penalties for Non-Compliance
To enforce compliance, the legislation stipulates that operators who fail to meet their obligations could face substantial fines ranging from HKD 500,000 to HKD 5 million. In cases of ongoing violations, operators may incur additional daily fines. Notably, operators will remain responsible for any violations, even if they involve third-party service providers.

Impact on Small Enterprises
The proposed legislation primarily targets larger organizations, indicating that small and medium-sized enterprises (SMEs) and the general public will not be significantly impacted. The focus is strictly on the security of critical computer systems, which means personal data and business content will not fall under the new regulations.

Overall, the proposed legislation marks a significant step in strengthening Hong Kong's cybersecurity framework for critical infrastructure. By imposing legal responsibilities on operators and creating a dedicated supervisory body, the government aims to bolster the resilience of essential services against growing cyber threats while ensuring the privacy and freedoms of its citizens are protected. This proactive approach underscores the government’s commitment to maintaining a secure and stable digital environment for all.
