Hong Kong recently announced its new cybersecurity law in a bid to protect computer systems of infrastructures that are deemed to be critical. The purpose of the Protection of Critical Infrastructure (Computer System) Bill is to safeguard online systems in the country and prevent disruption in essential services because of cyberattacks. The government plans to fully implement it in 2026. 

In today’s world, since everything is online, the possibility of people and companies becoming victims of cyber-attacks is greater. Since Hong Kong is one of the leading financial centers, it wants to safeguard its digital economy. It is, therefore, necessary that all the firms and organizations operating in Hong Kong should go into the minute details of its cybersecurity law so that they can act for compliance to avoid possible cyberattacks. 

In this article, we will talk about different aspects of mastering cybersecurity laws in Hong Kong and how you and your business can stay ahead of the East Asian country’s regulatory maze. Let’s begin! 

Major Cybersecurity Laws

Overview of Major Cybersecurity Laws in Hong Kong 

Over the years, Hong Kong has enacted several cybersecurity laws to protect data, network security, and critical infrastructure. Some of these include: 

Personal Data (Privacy) Ordinance (PDPO) 

The Personal Data (Privacy) Ordinance (PDPO) was enacted in 1995 and came into force on 20 December 1996. It is one of the major laws that govern data protection in Hong Kong by establishing data subject rights and requiring certain obligations from data controllers. Through six data protection principles, the PDPO also regulates the collection, holding, processing, and use of personal data. 

There aren’t any direct obligations for data protection officers or data processors in the PDPO’s current form. This cybersecurity law has been amended twice, in 2012 and 2021. The amendments proposed in 2012 mostly related to regulating the provision and use of personal data in direct marketing. Whereas the 2021 amendments focused on the acts of leaking personal data without the concerned person’s consent. 

The Office of the Privacy Commissioner for Personal Data (PCPD) is the regulatory authority that oversees the implementation and compliance with the PDPO. The regulatory body has issued several codes, practices, and guidelines since the PDPO came into effect. In 2020, the PCPD and LegCo announced they were planning to make several amendments relating to processor requirements and breach notifications. 

Cybersecurity Fortification Initiative (CFI) 

Hong Kong has always been ahead of the curve in addressing cybersecurity threats through appropriate legislation. This is why when SWIFT, the messaging system used by banks and financial institutions, announced considerable losses because of an increasing number of cyberattacks, Hong Kong launched new regulations to protect its digital economy.

In 2016, the Hong Kong Monetary Authority (HKMA) announced that it was launching the Cybersecurity Fortification Initiative (CFI) during the Cyber Security Summit. The CFI is a long-term approach to improving cybersecurity for the country’s local banks. 

The CFI is a three-pronged plan that is aimed at protecting all the registered financial institutions in Hong Kong. These three pillars include: 

  1. Cyber Resilience Assessment Plan

The CFI requires each bank to deploy this framework so the HKMA can get a comprehensive overview of the readiness of financial institutions and the entire sector against potential cybersecurity threats. This framework has the following three steps:

  1. Risk Assessment: In this step of the CFI, there is an evaluation of how prone a bank is to cyber risks. The risk levels are categorized as Low, Medium, and High.
  2. Maturity Assessment: This is an overview of how mature an institution is in dealing with cyber-attacks.
  3. iCAST: The banks having Medium or High-risk levels will need to undergo Intelligence-led Cyber Attack Simulation Testing, so they are better prepared to deal with cyberattacks.
  1. Professional Development Program 

This program is designed to improve the skills and abilities of cybersecurity experts at Hong Kong’s financial institutions to fight potential cyberattacks. The professionals are given training according to the following three levels:

  1. Foundation
  2. Practitioner
  3. Expert
  1. Cyber Intelligence Sharing Platform 

Threat intelligence plays an important role in the current digital world. While each bank can have its own ways to combat cyber threats, success depends on sharing information with each other to be better equipped. The HKMA launched a platform that could be accessed by all the authorized banks of the country. The purpose of this platform was to have a reliable system for data sharing.

Digital 21 Strategy 

First released in 1998, the Digital 21 strategy was a comprehensive plan to develop information and communication technology (ICT) in Hong Kong in 2021. It is updated every three years to take into account the advancement in technology, opportunities, and new challenges so the country can prepare itself accordingly.  

The Digital 21 strategy aimed to establish neutral and liberal tech policies to encourage healthy competition and provide the institutional and legal infrastructure for ICT development. The government of Hong Kong brings relevant stakeholders together to consult on key issues related to ICT and its applications. 

Proposed Cybersecurity Laws in Hong Kong

Hong Kong’s Proposed Cyber Laws 

Apart from some already enacted laws, Hong Kong is also working on bringing in new laws to combat the latest cybersecurity threats. Protection of Critical Infrastructure (Computer System) Bill is one such legislation that was submitted by the government to the LegCo of Hong for debate on 2 July 2024.  

Objectives 

The purpose of this proposed legislation is to further improve the security of the computer systems of the country’s CIs. Before moving further, it is important to understand what critical infrastructure means. The government of Hong Kong has defined critical infrastructure in the form of two categories: 

  1. The first category includes the infrastructure that plays an integral part in delivering essential services in the country. These services are from the following eight sectors: 
  1. Information Technology
  2. Land Transport
  3. Energy
  4. Communication and Broadcasting
  5. Air Transport
  6. Banking and Financial Services
  7. Healthcare Services
  8. Maritime
  1. The second category includes infrastructures that are required to maintain important economic and societal activities, such as research and development parks, sports, and performance venues, etc. 

The Protection of Critical Infrastructure (Computer System) Bill by Hong Kong is the result of the global trends of increased number of cybersecurity legislations by countries like Australia, Malaysia, Macao, Mainland China, and Thailand to protect their critical infrastructures. The United States, Canada, the UK, and other European countries have also enacted laws to regulate operators of CIs to enhance overall computer system security.

Scope of the Proposed Legislation 

Hong Kong’s government also announced that it will be regulating only designated critical infrastructure operators (CIOs) and critical computer systems (CCSs) under the newly proposed law.

A new Commissioner’s Office will be established that will be responsible for appointing CIOs and CCSs. These organizations’ list will not be published to protect them from cybersecurity threats. 

Other countries, such as China and Singapore, also have a similar approach in place. Let’s now have a brief look at CIOs and CCSs! 

Critical Infrastructure Operators (CIOs) 

If the Commissioner’s Office deems that an organization in Hong Kong is operating a critical infrastructure, it will be designated as a CIO. However, the Commissioner’s Office will also consider how much control the organization has over the CI. The newly proposed legislation will mainly target large enterprises in Hong Kong instead of small or medium organizations. 

The proposed legislation will not involve any personal data or business information and will only require the designated critical infrastructure operators to be responsible for safeguarding their CCSs.

Critical Computer Systems (CCSs)

If the computer systems are “relevant to the provision of essential service or the core functions of computer systems, and those systems which, if interrupted or damaged, will seriously impact the normal functioning of the CIs,” they will be designated as CCSs. This means systems other than the designated CCSs will not come under the umbrella of this newly proposed law.

Just like Singapore’s cybersecurity law mandates, the proposed legislation in Hong Kong also says that the CCSs that are physically located outside the country might also be regulated.

Best Practices for Staying Ahead

Best Practices for Staying Ahead in Hong Kong’s Regulatory Maze

The old and newly proposed cybersecurity laws in Hong Kong give a good idea about how complex the cybersecurity landscape of the East Asian country is. Therefore, it is crucial for businesses and organizations to adopt a proactive approach to ensure their system’s security and compliance with the regulations. Some of these practices include the following:

Conduct Regular Risk Assessments

Primarily, you should regularly conduct risk assessments of your critical infrastructure because cybersecurity is an ever-evolving field with new threats emerging daily. Regular risk assessments will help you identify vulnerabilities in your systems, network, and data. Make sure all your assessments are in line with the rules and regulations set by the Hong Kong government.

Stay Updated on Regulatory and Statutory Changes

As discussed above, Hong Kong is continuously changing its cybersecurity rules and regulations. This means you will only be able to stay ahead of the curve if you are fully aware of which of the already enacted laws are being amended and which new bills related to cybersecurity laws are being passed. Regularly engage with legal experts and bodies to ensure your organization fully complies with the latest requirements.

Implement Strong Data Governance Policies

Data breaches have become a common phenomenon, and businesses are constantly prone to safety from their sensitive information being leaked. That is why establishing robust data governance policies is crucial. This means having policies related to encryption, access control, and data retention. In this way, the risk of losing data and unauthorized access to your systems will be brought to a minimum.

Use Third-party Risk Management

There are a number of different third-party service providers available in the market that offer cloud storage, payment processing, and IT support. If you think your critical infrastructure will be safe in the hands of a third-party cybersecurity company, then you should hire one to efficiently manage cyber risk to your systems. You can find numerous service providers in the market related to cloud storage, payment processing, and IT support. These cybersecurity companies will efficiently manage cyber risks to your systems.

Invest in Cybersecurity Training

Human error is the most common reason for data breaches. Therefore, training your personnel on cybersecurity is important. They should also know how to safeguard critical infrastructure in the event of a potential attack. For instance, employees should be trained on identifying cyber risks; for example, suspicious email or messages that contain links.

They should also be taught about the channels for reporting any suspected cyber threat to authorities. In fact, employee training can greatly help reduce or even prevent human error from happening and also increase your company’s online safety.

Engage with Regulatory Authorities

As already discussed, the government of Hong Kong has different regulatory bodies to monitor compliance with the country’s cybersecurity law. For staying updated on policy updates and gaining a better understanding of compliance requirements, and learning essential knowledge of cybersecurity risk management, it is highly recommended that you frequently communicate with regulatory authorities such as the PCPD and HKMA.

Mastering Hong Kong Cyber Laws

Conclusion

Hong Kong’s cybersecurity landscape is complicated. Over the years, the country has introduced several policies, and several various laws have been promulgated in the interest of personal data protection and to enable the organizations to fight against cyberattacks. Some of the regulations that Hong Kong has enforced in the past few decades are the PDPO, CFI, and strategy Digital 21. 

Apart from these rules and regulations, the East Asian country has also established different governing bodies that regulate the imposition of laws and support organizations in building the required infrastructure so that they can combat any potential cyber threat. Since incidents of cyberattacks are a regular affair nowadays, it is essential for organizations operating in Hong Kong to remain updated about regulatory changes to avoid the imposition of penalties and to deal with cyber threats. 

As Hong Kong tightens its cybersecurity laws, your business needs to be a step ahead. That’s where FunctionEight Hong Kong comes in. With extensive expertise in IT managed services, we help businesses navigate complex regulatory frameworks while safeguarding their critical infrastructure. From regular risk assessments to proactive cybersecurity strategies, FunctionEight Hong Kong ensures your organization remains compliant and secure. 

Don’t wait for a cyber threat to strike—get in touch with us for a free consultation today!