Hong Kong's New Cybersecurity Law Sparks Concerns from US Tech Giants: Unprecedented Access or Necessary Protection?

27 August, 2024 - 8:14AM
Credit: poweradmin.com

US firms have warned that parts of a proposed cyber law could grant the Hong Kong government unusual access to their computer systems, highlighting the latest challenge to Western tech giants in the city.

The Asia Internet Coalition, which includes Amazon.com Inc., Alphabet Inc.’s Google and Meta Platforms Inc., is among the bodies that have in recent weeks sought changes to parts of the legislation that officials say are designed to protect critical infrastructure from cyberattacks. The government, in response to the Bloomberg story, said that 52 of the 53 submissions it received about the legislation, including the coalition’s, “supported the legislation and made constructive suggestions.”

A Closer Look at the Proposed Legislation

Hong Kong’s proposed legislation is a response to the growing threat of cyberattacks, and it draws inspiration from similar laws implemented in other jurisdictions, such as Mainland China, Singapore, and the UK. The legislation’s primary aim is to enhance the security of Hong Kong’s critical infrastructures (CIs) by minimizing the risk of disruption or compromise by cyberattacks.

Who is Impacted by the Proposed Legislation?

The proposed legislation would regulate only critical infrastructure operators (CIOs) in respect of their critical computer systems (CCSs). Both CIOs and CCSs will be designated by a new Commissioner’s Office, which aims to eliminate uncertainty regarding the scope of the law. Until these designations are made, however, organizations, and technology companies in particular, may face uncertainty about whether they fall within scope.

Designation of CIOs

An organization will be designated as a CIO if it is deemed responsible for operating an infrastructure the Commissioner’s Office determines to be a CI, taking into account the organization’s level of control over the infrastructure. CIs cover two categories:

  • Essential Service Sectors: These are sectors deemed critical to the functioning of Hong Kong society, including energy, information technology, banking and financial services, land transport, air transport, maritime, communications and broadcasting, and healthcare services.
  • Other Infrastructures: This category encompasses any other infrastructure deemed critical by the Commissioner’s Office.

When deciding whether an infrastructure constitutes a CI, the Commissioner’s Office will consider:

  • The level of dependence on information technology.
  • The importance of the data controlled.
  • The degree of control on the critical infrastructure.

While the government insists that CIOs will primarily be large organizations, the potential impact on technology companies remains a key concern. The list of designated CIOs will not be made public to prevent CIs from becoming targets of cyberattacks.

Designation of CCSs

The proposed legislation only requires CIOs to take responsibility for securing designated CCSs. Systems operated by CIOs that are not designated as CCSs will not be subject to the regulations.

The Commissioner’s Office will designate as CCSs the computer systems that:

  • Are essential for the operation of the CIs.
  • Could significantly impact the functioning of CIs if they are disrupted or compromised.
  • Could lead to significant public safety and security risks if disrupted or compromised.

Importantly, computer systems physically located outside of Hong Kong may also be designated as CCSs.

Transparency and Appeals

Before making CIO or CCS designations, the Commissioner’s Office will communicate with organizations that are likely to be designated, with the aim of reaching a consensus. However, operators who disagree with a designation can appeal before a board comprising computer and information security professionals and legal professionals.

Statutory Obligations and Penalties

Statutory obligations proposed to be imposed on CIOs under the proposed legislation are classified into three categories:

  • Organizational and Preventive Obligations: These include conducting security risk assessments, developing security policies and procedures, implementing security controls, and conducting security drills.
  • Incident Reporting and Response Obligations: This category requires CIOs to report security incidents to the Commissioner’s Office, including non-serious incidents, within 24 hours of becoming aware of them. It also mandates that they take steps to contain and mitigate the impact of security incidents.
  • Information Sharing Obligations: CIOs are required to share information with the Commissioner’s Office, including information on security incidents, security vulnerabilities, and security practices.

The offences under the proposed legislation include CIOs’ non-compliance with:

  • Organizational and Preventive Obligations
  • Incident Reporting and Response Obligations
  • Information Sharing Obligations

Penalties for these offences would consist exclusively of fines, with maximum fines ranging from HK$500,000 to HK$5 million. Persistent non-compliance could result in additional daily fines.

The Role of Service Providers

The proposed legislation recognizes the importance of service providers in the cybersecurity landscape. A CIO will be held liable for non-compliance with its statutory obligations even if the non-compliance is caused by a third-party service provider. This implies that service providers must consider the potential impact of the new regulations on their customer base. They may need to revisit their customer contracts and ensure they are prepared to meet the higher standards expected by CIOs in the context of the new regulations.

Enforcement and Oversight

The proposed legislation establishes a Commissioner’s Office under the Security Bureau to implement the law. The Commissioner’s Office will have significant powers, including the ability to:

  • Designate CIOs and CCSs
  • Investigate security incidents
  • Conduct inspections
  • Issue directions to CIOs

The Commissioner’s Office will also have investigative powers in respect of offences. These powers will likely extend from CIOs to their service providers through contractual arrangements.

Designated Authorities

Existing regulators of certain Essential Service Sectors, such as the financial services and telecoms sectors, may be designated as Designated Authorities under the proposed legislation. They will be responsible for designating CIOs (and CCSs) among the groups of organizations under their supervision and for monitoring their compliance with the organizational and preventive obligations. The Commissioner’s Office, however, will remain responsible for overseeing the incident reporting and response obligations of such CIOs and will retain the power to issue written directions.

International Comparisons and Concerns

The government has drawn inspiration from the legislation of other jurisdictions, such as the UK, Australia, the US, the EU, Singapore, Mainland China, and Macao SAR. The designation-based framework mirrors Australia’s approach to systems of national significance, and many obligations imposed on CIOs find parallels in the cybersecurity legislation of Mainland China and Singapore.

However, there are also technical nuances between the proposed legislation and existing laws in other jurisdictions. For instance, the proposed legislation requires organizations to report non-serious security incidents within 24 hours of becoming aware of them, providing greater flexibility compared to Singapore’s requirement of reporting all security incidents affecting critical information infrastructure within two hours of awareness.

The Way Forward

The proposed legislation is expected to be tabled in the Legislative Council by the end of 2024. Once passed, the law will come into effect around six months after the Commissioner’s Office is established, which is expected within a year of the law’s passage. This gives organizations a critical planning period until mid-2026.

Key Issues Requiring Resolution

There are key issues that require resolution as the proposed legislation progresses through the legislative process. These include:

  • The scope of the Essential Service Sectors, particularly the information technology sector.
  • The specific criteria to distinguish CIs among the Essential Service Sectors.
  • The threshold for “serious” security incidents.

Preparing for the Future

Organizations should closely monitor the development of the proposed legislation; develop an internal position on their own designation (or, in the case of service providers, their customers’ designation) as a CIO and on the designation of their systems as CCSs; prepare to advocate for that position once the designation communications commence; and monitor and update their cybersecurity measures, procedures and contracts accordingly.

US Tech Giants Voice Concerns

US firms have voiced concerns about the potential impact of the proposed legislation. They worry that it could grant the Hong Kong government “unusual access” to their computer systems, potentially affecting their operations and impacting the integrity of their service providers. These concerns reflect a broader apprehension about the balance between national security and business operations in the context of cybersecurity regulations.

A Balancing Act

The proposed cybersecurity legislation in Hong Kong represents a balancing act between the need to protect critical infrastructure from cyberattacks and the need to safeguard the privacy and autonomy of businesses. The debate surrounding the legislation underscores the complexity of cybersecurity regulations and the importance of striking the right balance to ensure national security without stifling innovation and economic growth.

The Future of Hong Kong's Digital Landscape

The outcome of the proposed cybersecurity legislation will have a significant impact on the future of Hong Kong’s digital landscape. The legislation’s implementation will shape the relationship between the government, businesses, and citizens in the digital realm. It will be crucial to monitor the development of the legislation and its implementation to assess its effectiveness in achieving its objectives while ensuring that it does not undermine the city’s digital economy and the rights of individuals.

Luca Rossi

Environmental Reporter