In response to an increase in cyberattacks, Hong Kong is taking its first steps to introduce comprehensive cybersecurity legislation. The government recently unveiled a proposed framework for regulating Critical Infrastructure Operators (CIOs) and Critical Computer Systems (CCS).
The proposal comes amid a wave of cybersecurity developments across Asia, including new regulations in Thailand and Singapore. It would bring Hong Kong into line with other jurisdictions that already regulate critical infrastructure, such as mainland China, Australia, and the United States.
The proposed framework is designed to ensure that CIOs and CCS operate in a secure and reliable manner. A new Commissioner’s Office, to be set up under the Security Bureau, will oversee the implementation of these regulations.
This office will have the power to investigate incidents, issue guidelines, and conduct inspections. The key elements of the framework include:
Scope of Application: The framework applies to CIOs (defined as organizations that own, control, or use critical computer systems) and to the CCS themselves. The initial eight Designated Sectors include energy, information technology, banking and financial services, land transport, air transport, maritime, healthcare services, and communications and broadcasting.
Obligations: CIOs will be required to maintain an address and office in Hong Kong, establish a dedicated cybersecurity team, update the Commissioner’s Office on material changes to CCS, and conduct regular security audits and risk assessments. They will also be required to participate in security drills and submit emergency response plans.
CIOs will face three main categories of obligations: