Hong Kong Security Bureau's Response to Stakeholder Submissions on Proposed Legal Framework for Regulating Critical Infrastructure
In early July 2024, the Hong Kong SAR Government released a proposal for the regulation of Critical Infrastructure Operators (CIOs) and Critical Computer Systems (CCS) (Proposed Framework) for consultation (see our Legal Update). The consultation period ended on 1 August 2024.
In October 2024, the Security Bureau released an information paper to the Legislative Council Panel on Security, reporting on the findings of the consultation and outlining a proposal for implementing the Proposed Framework (Consultation Report).
The Consultation Report is informed by the views and concerns of stakeholders who made submissions during the Consultation Period, resulting in adjustments to the Proposed Framework to address them.
However, not all submissions made by stakeholders were taken into account and some areas of the Proposed Framework remain contentious or unclear – in particular in relation to the information technology (IT) sector.
Key Takeaway
In essence, the key changes to the Proposed Framework to be seriously considered by the Security Bureau include:
- Removal of the term “interconnected” from the factors of consideration for Critical Computer Systems (CSSs). (See discussion below under “Which Entities Should be Regulated”)
- Removal of the requirement for CIOs to report changes in ownership of their critical infrastructures (CIs).
- Relaxation of the time frame for reporting serious computer system security incidents from two hours to 12 hours after becoming aware of the incident, and from 24 hours to 48 hours after becoming aware of other incidents.
Consultation Details
The Security Bureau organised five consultation sessions during the consultation period that ended on 1 August 2024. These were attended by nearly 200 stakeholders, including potential Critical Infrastructure Operators (CIOs), cybersecurity service providers, and audit firms.
Representatives from the Hong Kong Monetary Authority and the Communications Authority – as designated responsible authorities for the finance and communications sectors respectively – also participated in two of these sessions.
During the consultation period, the Security Bureau received a total of 53 written submissions, with the majority from organisations that can potentially be designated as CIOs (more than 50% of the submissions), followed by submissions from sectoral professional bodies, professional institutions and chambers of commerce.
Key Submissions on Scope of Regulation
Some stakeholders called for a clearer and narrower definition of the IT sector and suggested an expansion of the scope of CIOs to include other sectors such as tertiary education, emergency services and public key infrastructures.
As we noted in our earlier legal update, it is not clear which organisations will come within the IT sector, which could include data processors, data centres and cloud providers that provide services to CIOs.
A number of submissions suggested there should be clearer criteria to establish whether individual operators fall into the IT sector. In response, the Security Bureau maintained its position that it was appropriate to categorise IT as one of the CI categories – but clarified it would maintain close communication with potential CIOs before making a decision on their designation.
The Security Bureau also clarified that the Proposed Framework does not have extraterritorial effect and the Commissioner’s Office will ensure it only requests information that is accessible to CIOs with offices set up in Hong Kong. As the Security Bureau has now stated the Proposed Framework will not have extraterritorial reach, this requirement will have to be further fine-tuned to clarify that only 'Hong Kong resident data" will be in scope, given that entities connected to a multinational group will be able to access non-Hong Kong resident data as well.
Which Entities Should Be Regulated?
Some stakeholders emphasised the need for clear definitions and conditions for designating CIs, CIOs and CCSs. Other stakeholders thought the Proposed Framework indicated systems which are “interconnected” to the system providing essential services might be a factor of consideration on whether a system should be designated as a CCS.
There were queries over the definition of “interconnected”. Specifically, some queried whether “interconnected” includes systems such as security information and event management (SIEM), middleware (such as web servers and database connectors) and loading application software (e.g., Microsoft Active Directory and Office 365), as the disruption to these services may affect the provision of services by the CCS.
The Security Bureau clarified the Commissioner’s Office will designate CIOs and CCSs on a definition basis and ensure suitability of designation through mutual communication and understanding with CIOs. It is encouraging to note however that the Security Bureau acknowledged the notions of “interconnected” may not accurately reflect the factors that need to be taken into consideration when designating CCS, and that they are potentially considering deleting the term. Given the interconnectedness of all computer systems, the proposed deletion would remove a lot of uncertainty for the starting blocks of the Proposed Framework.
Obligations of CIOs
Organisational Obligations:
Concerns were raised about the practical difficulties in reporting changes in ownership of CIs, especially for listed companies where there may be frequent changes in ownership. The Security Bureau acknowledged the practical difficulties that CIOs may encounter and is now considering removing this requirement.
Preventive Obligations:
A number of stakeholders requested clearer criteria for reporting changes to CCSs and concerns were raised over the need to disclose sensitive information to the Commissioner’s Office. The Security Bureau clarified that such requests for information would not include personal data or commercial confidential information resident in the CIO’s computer systems but would focus on information demonstrating that operators properly fulfilled their obligations in protecting their CCSs – enabling the Commissioner’s Office to effectively assess the severity of incidents to society and threats to other CIOs.
Incident Reporting and Response:
Quite a few submissions regarded the tight time frames for reporting incidents. In our discussions with various CIOs, this was highlighted as a major concern; and we noted in our earlier legal update that the original proposed incident reporting timeline was too short to be meaningful.
It is encouraging to see that the Security Bureau stated they will consider extending the reporting time frame for serious incidents from two hours to 12 hours and for other incidents from 24 hours to 48 hours.
A lot of submissions also requested clarification on the types of reportable incidents.
The Security Bureau has now clarified that a computer system security incident refers to “an act or activity carried out without lawful authority on or through a computer or computer system that jeopardises or adversely affects its cybersecurity or the cybersecurity of another computer or computers system”. It further promised that the Codes of Practice (CoP) will provide details on the types of incidents that need to be reported and provide examples.
Commissioner’s Office
Stakeholders expressed concerns about the confidentiality of data handled by the Commissioner’s Office. The Security Bureau has provided assurances that data will be handled in accordance with relevant legislation and internal guidelines. The Commissioner’s Office will establish an internal confidential system to ensure security in the transmission and storage of data.
Some stakeholders suggested that a mechanism should be put in place to avoid duplication of efforts in reporting a computer system incident to both the Office of the Privacy Commissioner for Personal Data (PCPD) and the Commissioner’s Office.
The Security Bureau clarified that while the PCPD focuses on the protection of personal data, the Commissioner’s Office will focus on identifying the reasons for data leakage and the remediation of security gaps.
Therefore, CIOs should have a system in place to determine the specific circumstances that would trigger notifications to the appropriate regulators.
Designated Authorities
There were suggestions that sector-specific authorities should be designated in order to avoid duplication of compliance work. The Security Bureau clarified that the CIOs of designated sectors should discharge their organisational and preventive statutory obligations by complying with the guidelines issued by their designated authorities.
Also, so far, only the Hong Kong Monetary Authority and the Communications Authority have been proposed as designated authorities.
Based on the Consultation Report, it can be reasonably understood that the CoP will include “baseline requirements” applicable to all sectors as well as standards and methodologies applicable to CIOs in specific sectors.
Offences and Penalties
Concerns were raised about potential legal liabilities for non-compliance by third-party service providers. The Security Bureau provided assurance that it will articulate guidelines on “due diligence” and “reasonable endeavour” in the CoP to help CIOs in drafting and enforcing contracts with third-party service providers.
While some stakeholders expected a grace period would be provided to allow industries to prepare for the new legislation, the Security Bureau’s view was that CIOs should have ample preparation time as the Hong Kong Government aims to set up the Commissioner’s Office within one year of passage of legislation introducing the Proposed Framework, which will subsequently come into force within another six months.
It is worth noting the Security Bureau emphasised that deadlines for complying with statutory obligations such as risk assessment, independent audit and submission of relevant reports will be calculated from the time of designation.
Investigation Powers of Commissioner’s Office
Stakeholders were concerned about the potential impact of the Commissioner’s Office’s investigation powers on the normal operation of CCSs. In particular, its power to apply to Court for a warrant to connect equipment to or install programmes in CCSs.
The Security Bureau clarified that such powers would only be exercised when a CIO is unwilling or unable to respond to a serious incident on its own, citing similar powers exist for relevant regulators in other jurisdictions such as Australia and Singapore.
Appeal Mechanism
A number of queries were raised about the formation and procedures of the appeal board.
The Security Bureau clarified that the appeal board will comprise about 15 experts from the industry, cybersecurity and legal professions – and board members will be independent of the Commissioner’s Office. Each appeal hearing will be conducted by three board members.
Practical Preparatory Steps for Potential CIOs
Even though the Proposed Framework is at least a year and a half away, there are a number of preparatory steps that companies can take now to be ready for when the legislation is finally in force:
- Understand the definitions and identify essential services: CIOs should familiarise themselves with the definitions of CIs, CIOs and CCSs to assess potential implications of the Proposed Framework. It is equally important for CIOs to have a clear understanding of the underlying technology infrastructures that support the provision of all their essential services.
- Allocation of sufficient resources and funding: Given the various compliance obligations under the Proposed Framework, potential CIOs may need to review and seek additional budgets in preparation for the proposed bill which may be passed next year. There is no question that the Proposed Framework will bring about increased costs to businesses. For example, it will require hiring new staff, some restructuring and increased reporting obligations. CIOs will also be required to conduct security drills and conduct an independent computer system security audit at least once every two years. Such costs will be significant for companies having a number of business units that will potentially be designated as CIOs in more than one sector. CIOs with a large number of operating subsidiaries may wish to consider centralising their compliance effort in order to obtain better value for money on their compliance investments, as well as ensuring consistent implementation across the group.
- Develop a computer system security management plan: CIOs will only have three months upon designation to submit a computer system security management plan to the Commissioner’s Office. The plan will need to cover key elements stipulated in the Summary of Main Content of CoP. While this will depend on specific standards and requirements to be included in the CoP, potential CIOs with complex computer systems should start reviewing and consolidating their existing procedures and policies to ensure they are in a good position to formulate and implement a computer system security management plan once they receive their designation.
- Prepare for incident reporting: As highlighted above, CIOs may need to file notifications of the same incidents to different regulators. CIOs should establish clear procedures for timely reporting of computer system security incidents and ensure compliance with the specified time frames. Developing templates for incident notifications and reactive statements and obtaining pre-approvals from relevant internal stakeholders can ensure CIOs can swiftly respond to incidents when they occur. CIOs may also develop and/or review their cyber incident response playbooks to ensure they comply with specific requirements under the Proposed Framework.
- Engage with third-party providers: CIOs should ensure contracts with third-party service providers include clauses that mandate compliance with requirements under the Proposed Framework and CoP.
- Stay informed: CIOs should keep abreast of updates to development of the legislation and the CoP. CIOs providing essential services in multiple sectors should also take note of guidelines issued by the Commissioner’s Office as well as the designated authorities.