Hong Kong’s Secretary for Security, Chris Tang Ping-keung, has provided clarification in response to concerns raised by the American Chamber of Commerce in Hong Kong regarding the newly proposed Hong Kong cybersecurity bill. The bill, officially known as the Protection of Critical Infrastructure (Computer System) Bill, aims to enhance cybersecurity measures for key sectors including energy, information technology, banking, communications, maritime, healthcare services, and land and air transport.
Under the provisions of this bill, operators within these sectors must ensure that their critical computer systems are adequately secured. Failure to maintain proper security measures could lead to fines of up to HK$5 million (approximately US$640,200), as reported by the South China Morning Post.
During a recent radio program, Tang addressed the concerns raised by the American Chamber of Commerce, emphasizing that the primary objective of the bill is to safeguard critical infrastructure and not to intrude on the privacy of businesses. He refuted claims that the bill aims to monitor personal information, stating that its focus is solely on ensuring the security of critical systems.
The American Chamber of Commerce had expressed reservations about the broad inclusion of the information technology sector in the bill, fearing that it could inadvertently encompass a wide range of technology companies not directly involved in managing critical infrastructure. They also raised concerns about potential extraterritorial implications that could impose excessive compliance costs and deter multinational investments.
In response, Tang defended the inclusion of the information technology sector, citing similar regulations in countries like the United States, Australia, and Singapore. He argued that the IT sector plays a crucial role in daily operations and cybersecurity, and omitting it from the bill could undermine its purpose and create gaps in Hong Kong’s cybersecurity framework.
Tang also addressed concerns about the investigative powers of the new office that will be established under the Security Bureau to oversee the cybersecurity legislation. He gave assurances that the office’s focus would be limited to critical infrastructure and would not extend to small and medium-sized enterprises or individual operators. Operators would be required to report severe security incidents to the office within two hours, with a 24-hour reporting timeframe for less urgent issues. Failure to comply or to conduct necessary risk assessments could result in significant fines.
The government plans to keep the list of companies affected by the bill confidential to prevent potential threats or targeting. The bill is expected to be presented to lawmakers by the end of the year, with the government intending to address any remaining concerns and finalize the legislation.
In essence, Hong Kong’s cybersecurity bill aims to establish stringent standards for securing critical infrastructure while safeguarding individual privacy. The primary objective remains to protect essential systems against cyber threats, with measures in place to prevent unintended consequences for smaller enterprises and private data.
