Critical infrastructure firms in Hong Kong are highly likely to face more stringent cybersecurity requirements in the coming years
This assessment was issued to clients of Dragonfly’s Security Intelligence & Analysis Service (SIAS) on 18 September 2024.
- The government plans to pass the Protection of Critical Infrastructure Bill by the end of the year
- But it is unlikely that the authorities would use this to access the sensitive data of firms operating there
Clients have asked us how a proposed new critical infrastructure cybersecurity law in Hong Kong will impact data security for firms operating there. The bill is highly likely to pass in the coming months, and rights and tech groups have criticised it on grounds of data privacy. But in our assessment, it is unlikely to raise the already-severe risk of surveillance there in the coming years. The main impact of the bill will probably be more stringent and consistent cybersecurity requirements across sectors. These are currently governed by several sector-specific regulations.
Stronger reporting requirements for critical sectors
The current version of the Protection of Critical Infrastructure (Computer System) Bill sets out several obligations for organisations that operate critical computer systems. It also establishes a Commissioner’s Office under the Security Bureau with powers to investigate cybersecurity incidents and suspected non-compliance. Provisions of the bill include requirements for firms to:
- Conduct computer system security risk assessments once a year and audits once every two years, to be submitted to the Office
- Report cybersecurity incidents to the Office within a specified timeframe: two hours for ‘serious’ security incidents, and 24 hours for all others
- Submit relevant information during an investigation regarding an incident or offence, even if the information is located outside Hong Kong
- Face potential fines of up to HK$5m for noncompliance
Cybersecurity teams in large firms in energy, IT and banking will probably be most affected by the law, based on the current draft. It would apply to certain large critical infrastructure firms, and only to the computer systems that are essential for delivering key services. The government said that it would decide which systems are covered in consultation with the firms concerned. It also said that it will not publicly name these firms to ‘prevent [them] from becoming targets of cyberattack’, but did not specify how or when they will be contacted. Based on the draft bill, the new rules will apply to firms in the following sectors:
- Energy
- Information technology
- Banking and financial services
- Land and air transport
- Maritime
- Healthcare services
- Communications and broadcasting
- Other organisations ‘necessary for maintaining important societal and economic activities’, such as major venues and research institutions
Concerns over privacy and surveillance
The bill has faced criticism from some rights groups, such as Article 19, an advocacy group that covers digital rights globally. It said that the proposed bill ‘poses [a threat] to further deteriorating freedom of expression online, including independent media, and to the protection of personal data’. Industry organisations have also submitted recommendations on the bill, including the Asia Internet Coalition, which represents several major tech firms. Their concerns have included the inclusion of systems located outside Hong Kong and potential state access to proprietary information.
Threat of surveillance stemming from bill exaggerated
In our view, these concerns are overstated. They seem to stem from broader mistrust of the authorities in Hong Kong amid Beijing’s efforts to exert more political control over the territory, as well as intensifying US-China competition. But we doubt the Hong Kong authorities would overtly and arbitrarily access data systems of international companies operating there without permission. This would probably further reduce the attractiveness of doing business in Hong Kong, amid existing concerns about the increasing political influence of Beijing.
The Hong Kong authorities already have the means to electronically surveil individuals and businesses; our personal cyber risk rating for Hong Kong is severe. A new law that came into force in March expands the scope of what is considered a national security threat. But this seems to be aimed mainly at local dissidents; on 16 September, the first person was convicted of sedition under the law. Given that surveillance and censorship powers have already been expanded through other legislation, the authorities have little need to use the cybersecurity bill for this purpose, and we consider it unlikely that they will.
Government concerned about cybercrime
The authorities said that the cybersecurity bill stems from government concern over cybercrime and the resilience of critical computer systems. This is highly plausible. Earlier this year, three government departments reported data breach incidents within a single week. And Hong Kong’s cyber response agency said in June that it had recorded 5,161 incidents during the first half of 2024, a 31% increase on the second half of 2023. It did not give a specific reason for the increase, but we suspect financially motivated cybercriminals were behind most cases. In light of this, we are raising our cyber threat exposure level for Hong Kong from low to moderate.
Based on our reading of the current version of the bill, the Hong Kong authorities are also making an effort to align with international standards for securing critical infrastructure. Hong Kong does not currently have a single comprehensive law covering critical infrastructure. Several other countries – such as Singapore and Australia, as well as mainland China – have legislation that sets out cybersecurity requirements for operators of critical infrastructure. The introduction of these laws does not seem to have had a disruptive impact on businesses, as far as we can tell.
The passing of the bill would almost certainly lead to more onerous compliance and reporting requirements for cybersecurity teams at firms that operate critical infrastructure over the next few years. The government said in the draft that it plans to pass the bill by the end of this year. But based on the draft proposal, it would not come fully into force until up to a year and a half after the law is passed.
Image: Aerial view of Hong Kong city skyline with beautiful sunset, on 14 July 2023. Photo via Getty Images.