Updates on Hong Kong's Protection of Critical Infrastructures (Computer Systems) Bill

Last Updated 20th January 2025

 

New legislation to beef up the cybersecurity of Hong Kong’s Critical Infrastructure (CI) systems was first outlined in the Chief Executive’s Policy address in October 2022. It aims to enhance cybersecurity measures for critical infrastructure operators across the different essential sectors and to foster robust preventive management, ensuring uninterrupted essential services and reinforcing Hong Kong’s reputation as a premier business and financial hub.

 

Accordingly, on July 2, 2024, a new piece of legislation tentatively entitled the Protection of Critical Infrastructure (Computer System) Bill was proposed.

 

What is the Protection of Critical Infrastructure (Computer Systems) Bill? 

The Protection of Critical Infrastructures (Computer Systems) Bill is Hong Kong's first comprehensive cybersecurity law specifically designed to protect Critical Information Infrastructure (CII). It aims to promote the establishment of robust cybersecurity management systems by CII operators and secure the operation of their computer systems, thereby minimising the chance of essential services being disrupted or compromised due to cyberattacks.  

 

The Bill establishes a new regulatory framework overseen by the Commissioner of Critical Infrastructure (Computer-system Security) and supported by other regulatory bodies like the Hong Kong Monetary Authority (HKMA) and the Communications Authority (CA). The Bill aims to ensure the security and resilience of critical infrastructure in Hong Kong by imposing a range of obligations on CII operators (CIOs). 

 

What Is the Latest Update? 

Since its proposal, the CI Bill has been introduced into the Legislative Council for the First Reading and Second Reading on 11 December 2024, and is currently seeking public feedback following a meeting of the Bills Committee on 7 January 2025. This legislation marks a significant shift in the region's approach to cybersecurity, bringing it more in line with international standards and addressing the growing threat of cyberattacks on critical infrastructure.

 

The primary goal of the legislation is to mitigate risks associated with cyber threats that could disrupt essential services. The government emphasises that this law will not target personal data or small businesses but will focus on large organisations that play a critical role in Hong Kong's infrastructure. 

 

In addition, during the First and Second Reading, it was revealed that a dedicated Commissioner's Office will be established to oversee compliance and enforcement of the new regulations. This office is expected to be operational within a year after the Bill's passage. The Bill also defines CIIs more clearly: they are infrastructure necessary for maintaining essential societal functions, whether within a specified sector or with significant impact (such as IT and financial services, healthcare, telecommunications and broadcasting), or infrastructure that sustains Hong Kong's key social and economic activities (such as sports and performance venues).

 

With regard to extraterritorial effect, while the Bill does provide authorities with the power to conduct extraterritorial investigations, the authorities can still request information from service operators, even if that information is located outside Hong Kong. This means that even if a CIO's computer systems are located outside of Hong Kong, they are still subject to the Bill's requirements if they are deemed critical to the organisation's operations in Hong Kong.

 

What Are the CIOs and What Are Their Key Obligations as Outlined by the Bill?

CIOs are organisations responsible for operating and maintaining CII. These companies play a vital role in Hong Kong's economy and society, and their computer systems are attractive targets for cyberattacks. The Bill expands CIOs' designation criteria to include the "sensitivity of digital data controlled by the organisation in respect of the infrastructure". Examples of CIOs in Hong Kong include: 

  • Technology Companies: IBM Corporation, Digitpol, Rackspace Technology, Maximus, Edvance International Holdings Limited, Nexusguard, Ensign InfoSecurity Pte. Ltd., Dual Layer IT Solutions LTD., EIRE Systems K.K., and iSystems Security Ltd  
  • Financial Institutions: Insurance companies, as well as banks, securities and futures firms, clearing and settlement houses
  • Healthcare Providers: Hospitals, clinics, and emergency centres  
  • Manufacturing Companies: Those involved in business operations, intelligent industry, control of dangerous goods, and high-risk facility operations  

 

It's important to note that this is not an exhaustive list, and any organisation operating infrastructure that falls under the definition of CII could be designated as a CIO.

 

Key Obligations for Critical Information Infrastructure Companies

The Bill outlines three categories of obligations for CIOs: organisational, preventative and incident reporting obligations. Under the organisational obligations (Category 1), CIOs are to maintain an office in Hong Kong that is readily accessible by the regulatory authorities. Under the preventative obligations (Category 2), CIOs are required to conduct security risk assessments at least once a year and security audits at least once every two years. Under the incident reporting obligations (Category 3), CIOs must submit and implement emergency response plans and notify the authorities of security incidents within a stipulated timeframe.

 

The Bill also introduces penalties for non-compliance with the obligations defined by the law. These penalties are financial: organisations can be fined up to a maximum of HKD5 million, and additional daily fines of HKD50,000 or HKD100,000 may be imposed for recalcitrant offenders. It's important to note that these penalties apply to organisations, not individuals, unless the violation also constitutes a breach of existing criminal laws. CIOs are held responsible for non-compliance even if it is caused by a third-party service provider.

 

Ensign InfoSecurity: Your Trusted Partner for Navigating Hong Kong's Cybersecurity Landscape 

The Protection of Critical Infrastructures (Computer Systems) Bill presents significant challenges and opportunities for Critical Information Infrastructure Operators (CIOs) in Hong Kong. Ensign InfoSecurity, Asia's largest pure-play cybersecurity service provider, is uniquely positioned to help your organisation navigate this evolving regulatory landscape and enhance your cybersecurity posture. 

 

Ensign InfoSecurity offers a comprehensive suite of services tailored to meet the specific requirements of the Bill: 

  • Cyber Advisory: Our expert consultants can help you understand the Bill's implications for your organisation, conduct gap assessments, and develop a tailored compliance roadmap. We provide guidance on establishing a robust cybersecurity management framework, implementing security controls, and meeting the Bill's incident reporting obligations. 
  • Systems Integration: We offer end-to-end systems integration services to help you design, implement, and validate advanced security controls that align with the Bill's requirements. Our expertise covers a wide range of security technologies, including threat detection and prevention, data loss prevention, and identity and access management. 
  • Managed Security Services: Our 24/7 managed security services provide continuous monitoring, threat detection, and incident response capabilities to help you proactively defend against cyberattacks and meet the Bill's incident reporting timelines. Our threat intelligence-driven approach ensures that your organisation is protected against the latest threats. 
  • Incident Response: Our incident response team is available 24/7 to help you effectively manage and recover from cybersecurity incidents. We provide rapid response, forensic analysis, and remediation services to minimise the impact of incidents and ensure compliance with the Bill's reporting requirements. 

 

Why Choose Ensign InfoSecurity? 

  • Proven Track Record: With two decades of experience serving clients in the Asia Pacific region, Ensign InfoSecurity has a proven track record of delivering effective cybersecurity solutions. 
  • Deep Expertise: Our team of close to 1000 cybersecurity professionals possesses deep expertise in a wide range of security domains, including threat intelligence, incident response, and compliance. 
  • Tailored Solutions: We understand that every organisation has unique cybersecurity needs. We work closely with our clients to develop tailored solutions that address their specific requirements and challenges. 
  • Commitment to Innovation: We are committed to staying ahead of the curve in the ever-evolving cybersecurity landscape. Our in-house research and development team continuously develops new solutions and services to address emerging threats. 

 

Contact Ensign InfoSecurity today to learn how we can help you achieve compliance with the Protection of Critical Infrastructures (Computer Systems) Bill and strengthen your cybersecurity posture. 

Copyright © 2025 Ensign InfoSecurity Pte. Ltd.