Hong Kong’s new cybersecurity law: What businesses need to know
Summary
TLDR: In this episode of the Privacy Rules Privacy Espresso series, Pri Wash from Hong Kong-based law firm Tanner De Wit discusses Hong Kong's new cybersecurity legislation aimed at protecting critical infrastructure and computer systems. This law is a significant step forward for the region, marking the first horizontal legislation of its kind. Pri explains who the law targets, its implications for large organizations, and how it differs from personal data protection laws. The conversation also touches on the role of legal professionals in managing cybersecurity incidents and navigating the regulatory framework effectively.
Takeaways
- The new cybersecurity legislation in Hong Kong aims to enhance the protection of critical infrastructure and computer systems across various sectors.
- The legislation was introduced as part of the Chief Executive's 2022 policy address and represents Hong Kong’s first piece of horizontal cybersecurity law.
- Targeted organizations are primarily large businesses, particularly in sectors like energy, IT, transport, banking, healthcare, and telecommunications.
- Small companies and government entities are excluded from the scope of this law, which focuses on larger critical infrastructure operators.
- The new law does not overlap with the Personal Data Protection Ordinance (PDPO); it focuses on the protection of computer systems and infrastructure, not personal data.
- The legislation introduces three key obligations for affected organizations: organizational obligations, preventive obligations, and incident reporting obligations.
- Organizational obligations include having a designated office in Hong Kong and contact points for regulators.
- Preventive obligations require organizations to conduct annual risk assessments and biannual independent security assessments.
- Incident reporting is crucial, with obligations to report serious incidents within 24 hours, and others within 48 hours of awareness.
- The bill is in its second reading with the Legislative Council and is expected to be enacted by the end of 2025, with compliance guidelines to follow shortly after.
- Legal professionals play a key role in managing incident responses, offering legal privileges that protect communications and help navigate investigations by regulators.
Q & A
What is the main focus of the new cybersecurity legislation in Hong Kong?
- The main focus of the new legislation is to protect critical infrastructure and enhance cybersecurity across various sectors in Hong Kong. It aims to establish baseline standards for the protection of critical systems, addressing both organizational and technical security measures.
Which sectors are primarily targeted by the new cybersecurity law in Hong Kong?
- The law targets large organizations in eight designated sectors: energy, information technology, transport (land, air, marine), banking and financial services, healthcare services, telecommunications, and broadcasting services.
What is the difference between this new cybersecurity legislation and Hong Kong's personal data protection laws?
- The new cybersecurity law focuses on the protection of critical computer systems and infrastructure, while personal data protection laws are concerned with the handling and processing of personal data. The two laws do not overlap, though they may have some operational coordination.
How will the government designate critical infrastructure operators under the new law?
- The government will designate critical infrastructure operators within the targeted sectors through a process managed by the Security Bureau, and specifically by the commissioner appointed under the legislation. There is also a second category for infrastructure related to critical societal or economic activities.
Are small and medium-sized enterprises (SMEs) included in the scope of the new cybersecurity law?
- No, the new cybersecurity law is primarily directed at large organizations. Small and medium-sized enterprises (SMEs) are generally not the target, as the law focuses on organizations that can tolerate and comply with the required cybersecurity procedures.
Why is legal expertise important in complying with the new cybersecurity legislation?
- Legal experts are crucial for managing compliance with the law, especially in incident reporting and investigations. Legal advice ensures that responses to regulatory inquiries are protected under legal professional privilege, providing more control and flexibility during the investigation process.
What are the three categories of obligations for organizations under the new legislation?
- The three categories of obligations are: (1) organizational obligations, such as maintaining an office in Hong Kong and designating contact persons; (2) preventive obligations, including annual risk assessments and independent security assessments; (3) incident reporting obligations, including reporting serious incidents within 24 hours and conducting simulations.
What are the reporting requirements for organizations when a cybersecurity incident occurs?
- Organizations must report serious cybersecurity incidents to the commissioner within 24 hours of occurrence. For other incidents that meet specific thresholds, reports must be made within 48 hours of becoming aware of the incident.
What is the legislative timeline for the new cybersecurity law in Hong Kong?
- The law is currently undergoing its second reading in the Legislative Council. It is expected to be enacted by the end of the year, most likely before the summer, with a grace period for compliance. Codes of practice and guidelines will also be issued shortly after the law is enacted.
What should companies do to prepare for the new cybersecurity legislation in Hong Kong?
- Companies should begin assessing their current cybersecurity posture, ensuring that they meet the legislative requirements, such as conducting regular risk assessments, preparing incident response plans, and designating appropriate contacts. Preparing in advance will help ensure smooth compliance once the law is enacted.