Lawmakers to Review New Cybersecurity Bill Imposing HK$5M Penalties on Infrastructure Operators


The Protection of Critical Infrastructures (Computer Systems) Bill was officially gazetted on Friday and is set to be submitted to the Legislative Council (LegCo) for its first and second readings next Wednesday.

Legal Obligations for Critical Infrastructure Operators (CIOs)

The bill establishes stringent cybersecurity obligations for CIOs, including:

  • Conducting regular security audits.
  • Developing and maintaining contingency plans for cybersecurity incidents.
  • Reporting incidents to relevant authorities promptly.

The legislation also grants the government authority to:

  • Collect critical computer system designs and operational details from CIOs.
  • Investigate cybersecurity breaches.
  • Enter CIO premises with court-issued warrants.

Penalties for Non-Compliance

CIOs that fail to comply with the bill may face fines up to HK$5 million. For ongoing violations, an additional daily fine of HK$100,000 will apply. For offenders outside the CIO category, fines can reach up to HK$500,000. Notably, the bill does not propose imprisonment as a penalty.

Scope of Critical Infrastructure

The bill defines critical infrastructure as facilities involved in:

  • Energy, Information Technology, and Telecommunications.
  • Banking, Financial Services, and Healthcare.
  • Air, Land, and Maritime Transport.
  • Television and Telecommunications Services.

It also extends to any infrastructure where damage or data breaches could hinder critical societal or economic activities in Hong Kong.

Government Exemptions

Critical infrastructure managed by government departments, such as water supply, immigration, and tax services, is excluded from the bill. According to Security Chief Chris Tang, internal cybersecurity guidelines already govern these entities, and civil servants adhere to stricter ethical standards than private-sector employees. Tang argued that penalizing government entities would be illogical, as the government would essentially be fining itself.

CIO Anonymity for Security

The government will not disclose the list of CIOs regulated under the bill to prevent these entities from becoming potential targets for cyberattacks.

No Impact on SMEs or the Public

A government spokesperson emphasized that the bill targets large organizations and aims to protect critical computer systems essential to Hong Kong’s infrastructure. Small and medium-sized enterprises (SMEs) and the general public are not subject to its regulations. Additionally, the bill does not affect personal data or trade secrets.
