What You Need to Know About Hong Kong’s Protection of Critical Infrastructure Bill
As new cybersecurity legislation continues to roll out across the globe, Hong Kong is set to introduce its Protection of Critical Infrastructure Bill—the first of its kind for the region and a significant step in its efforts to strengthen its cyber resilience. Being such a milestone, it’s important that the critical infrastructure operators (CIOs) under the Bill’s purview understand its mandates regarding risk assessments, incident reporting, and preventative measures.
As long-time cybersecurity experts, we’re well-equipped to help these organizations more easily grasp the adjustments they’ll need to make. In this article, we’ll provide an overview of the Protection of Critical Infrastructure Bill’s key components so that CIOs can assess where they stand and prepare for full compliance by the time the regulation comes into effect.
Hong Kong’s Protection of Critical Infrastructure Bill – Why Now?
One of the questions likely on top of mind is, why now? Why has Hong Kong moved now, in 2024, to implement its first landmark cybersecurity law? There are likely several contributory factors.
Cyberattacks have surged worldwide and grown more sophisticated, with critical infrastructure becoming a prime target. That uptick in attacks, coupled with global events such as the pandemic, has exposed vulnerabilities in infrastructure that no one can ignore.
Add to that Hong Kong's position as a major financial and logistics hub, and the potential devastation a successful breach there could cause, and the conditions are ripe for the region to enhance its cyber resilience.
The Protection of Critical Infrastructure Bill aims to do just that—through its structured framework, Hong Kong will better safeguard its vital infrastructure from cyber threats, as the Bill defines new cybersecurity responsibilities of CIOs managing Critical Information Infrastructure (CII), which includes organizations operating in the following sectors:
- Energy
- Information technology
- Banking and financial services
- Land transport
- Air transport
- Maritime
- Healthcare services
- Communications and broadcasting
In placing cybersecurity obligations on these organizations, Hong Kong aligns itself more closely with similar legislative moves in the region, including mainland China's Cybersecurity Law, in force since 2017, and Singapore's Cybersecurity (Amendment) Act, passed in May 2024 to update its 2018 Cybersecurity Act.
Altogether, these moves signify a commitment to greater regional and global cybersecurity collaboration, with Hong Kong being the latest jurisdiction to use legislation to protect the continued safety and prosperity of its economy and citizens against escalating threats.
5 Key Components of Hong Kong’s Protection of Critical Infrastructure Bill
So how does Hong Kong’s Protection of Critical Infrastructure Bill seek to do that, more specifically?
While pertinent organizations will need to review the Bill's text in full to get a complete grasp of their obligations, here are five key aspects you need to know about as the legislation moves toward an effective date.
1. New Organizational Obligations
First and foremost, Hong Kong wants to ensure that providers and supporters of its critical infrastructure take an organized approach to cybersecurity, and the Bill mandates that this begins with a physical presence: CIOs must maintain an office in Hong Kong.
Not only that, but you must also establish a computer system security management unit that is supervised by a dedicated security officer. (You do have the option to outsource this unit instead of keeping it in-house.)
2. Government Oversight and Enforcement
Speaking of supervision, the Bill proposes the establishment of a Commissioner's Office to oversee the implementation and enforcement of its specific regulations.
Under the Security Bureau of the Hong Kong SAR Government, the new Commissioner’s Office will be tasked with issuing and enforcing the cybersecurity standards CIOs must follow, as well as reviewing the required submissions to its office that we’ll soon specify.
3. Required Cybersecurity Measures
In regard to those specific safeguards the regulation calls for and that the Commissioner’s Office will enforce, CIOs will be required to:
- Conduct annual risk assessments to identify potential cyber threats and vulnerabilities and use the results to influence the development and implementation of a cybersecurity management system to address said risks—these systems should include:
- Monitoring and detection systems; and
- Safeguards to mitigate potential damage from cyberattacks.
- Develop, implement, and maintain a computer system security management plan and submit this plan to the Commissioner’s Office.
- Complete independent audits every two years and submit the audit reports to the Commissioner’s Office.
- Participate in cybersecurity drills at least once every two years.
- Ensure that third-party providers also comply with the Bill’s cybersecurity standards.
- Inform the Commissioner’s Office regarding any significant modifications to the design, security, and operations of their Critical Computer Systems (CCS).
4. Incident Reporting
Among these other requirements, the proposed legislation also puts a heavy emphasis on incident reporting. Not only are CIOs mandated to develop, maintain, and submit their emergency response plan to the Commissioner's Office, but should an incident occur, CIOs are also bound by the following reporting windows:
- For security issues deemed serious—i.e., those that disrupt essential services or lead to major data breaches—CIOs have a two-hour reporting window to report these issues to the Commissioner’s Office.
- For all other (less severe) security incidents, CIOs must report them within 24 hours and document them.
While these timelines are tight, they signify how much Hong Kong has elevated the importance of securing critical infrastructure and ensuring that CIOs work together to prevent widespread damage.
5. Penalties for Non-Compliance
Another indication of Hong Kong’s new stance regarding the seriousness of cybersecurity involves the introduction of penalties for non-compliance with the Protection of Critical Infrastructure Bill.
These penalties are anticipated to include hefty fines—ranging from HK$500,000 to HK$5 million—as well as potential sanctions for CIOs. In some cases, individual officers of organizations may also face criminal responsibility—especially if their violations involve fraud.
Get Ready for Hong Kong’s New Cybersecurity Bill
Given these details (among all the others not listed here), Hong Kong's Protection of Critical Infrastructure Bill represents a huge shift for businesses in the region that currently operate its critical infrastructure, and with huge shifts come challenges. Now that you understand some of the base requirements being introduced, organizations subject to those mandates can begin to make the investments that may be necessary to satisfy them.
If that’s you, know that you have a little time to prepare. While the law is expected to be finalized by the end of 2024, there’s generally also a bit of a grace period for compliance where new regulation is concerned. That said, being proactive and preparing for the requirements will be key to ensuring your organization avoids the related penalties and remains safe against escalating cyber threats.
And if you're not sure where to start, don't worry. Schellman's team of experts can help you better understand the specifics of your current cybersecurity posture and what it'll take to comply with Hong Kong's Protection of Critical Infrastructure Bill. Contact us today!
About Kate Weber
Kate Weber is a Senior Manager over New Services with Schellman based in Chicago, IL. Prior to joining Schellman in 2023, Kate worked in consulting for 5+ years in the IT security and data analytics spaces. While focused on IT security, Kate specialized in Sarbanes-Oxley (SOX) 404 internal audits, ISO 27001 internal audits, HITRUST readiness, and SOC reporting. Kate is a Certified Information Systems Auditor (CISA), ISO 27001 Lead Implementer, and ISO 9001 Lead Implementer. She also previously held the HITRUST Certified CSF Practitioner (CCSFP) and Certified HITRUST Quality Professional (CHQP) certifications.