Second Reading of Government Bills: PROTECTION OF CRITICAL INFRASTRUCTURES (COMPUTER SYSTEMS) BILL
Deputy President, with the acceleration of digitalization and the interconnection of critical infrastructures (“CIs”), there has been an upsurge in the number of malicious incidents (such as ransomware attacks and data theft). A hospital in Hong Kong also came under ransomware attack by hackers. Last year, a total of 12 536 security incidents were handled by the Hong Kong Computer Emergency Response Team Coordination Centre, and these incidents have brought serious threats and losses to both businesses and individuals.
CIs, such as those in the sectors of energy, land transport, maritime transport, air transport, banks and hospitals, are all vulnerable to attacks. If the computer systems of such CIs are disrupted, it will not only affect the operation of the infrastructures themselves, but also impact seriously on our society as a whole. Cybersecurity of CIs has hence become particularly important. The Regulation on the Security Protection of Critical Information Infrastructure was already enacted in the Mainland as early as 2021 to protect the security of critical information infrastructures and safeguard network security. As Mr Martin LIAO has just mentioned, other places such as Australia, the European Union, the United Kingdom and Singapore have also enacted relevant legislation for the purpose. The SAR Government has stipulated the cybersecurity responsibilities of CI operators by way of legislation, thereby strengthening the security capability of CIs and reducing the risk of essential services being disrupted and sabotaged due to cyberattacks. I am very supportive of the idea.
As a member of the Bills Committee, I have put forward a number of views and suggestions on the contents of the Bill during its clause-by-clause examination, including the refinement of legal provisions, improvement of the implementation details and consideration of potential impacts. I am pleased to see that after listening to members’ views, the Government has accepted most of the suggestions and would propose relevant amendments to the Bill. I would like to take this opportunity to thank the relevant colleagues of the Security Bureau and the Department of Justice for their hard work during the scrutiny of the Bill.
As Hong Kong is an international financial centre, the operation of banks and financial institutions is not only related to the settlement of local funds, people’s savings and deposits, etc., but also financial services supporting cross-border transfers of funds and data exchanges, which are the core pillars supporting the local economy and international capital flows. Local banks have always strictly complied with the Banking Ordinance and the Code of Banking Practice. The industry generally supports strengthening the protection of CIs through legislation, but considers it necessary to avoid putting excessive compliance burden on the industry.
As a representative of the industry, I have the following views and suggestions on the Bill and the amendments.
As regards incident reporting, financial institutions are currently required to notify the Hong Kong Monetary Authority (“HKMA”) immediately once they become aware of the occurrence of any incident. On the other hand, the Bill also provides for the reporting of computer-system security incidents to the Commissioner. During the scrutiny of the Bill, the Administration has made it clear that reporting to both sides is indeed required for the same incident. The industry is concerned that after the passage of the Bill, dual reporting to the Commissioner and HKMA is required for incidents of any magnitude, thereby making relevant work more onerous and complicated than before.
The Administration has explained that there are different purposes of reporting. For instance, HKMA may be more concerned about ensuring the maintenance of existing services and not affecting banking services provided to the general public, while the focus of the Bill is to intervene as soon as possible after the occurrence of an incident to prevent proliferation and provide assistance. As the two types of reporting serve different purposes, they have different routings. While expressing understanding of the rationale, the industry hopes that the requirements for incident reporting will be broadly the same as those currently applied by HKMA, so as to avoid putting additional reporting pressure on financial institutions. With the two sides playing their respective roles, it is believed that such a change will not cause too much concern within the industry.
In addition, clause 25 of the Bill provides for the obligation to arrange to carry out computer-system security audits. The industry has all along had similar requirements for system security audits, and it is the usual practice to engage professional organizations to carry out these independent audits. Regarding the qualification requirements of the auditing unit, the Administration has indicated that the audits can be carried out by external specialized auditing firms or an internal independent auditing unit of the organization so long as the audits can meet the relevant professional requirements and there is a firewall to ensure independence. The requirements will be further set out in detail in the codes of practice (“the CoPs”) in due course. The industry hopes that the requirements of this audit will follow the established practice of HKMA and existing regulations, in order to reduce additional compliance burden on the financial institutions.
Clause 26 of the Bill sets out the requirement for CI operators to participate in computer-system security drills conducted by the Commissioner after reasonable notice in writing has been given. HKMA has all along required banks to conduct regular drills on their own, so as to ensure that their business can maintain operation under special circumstances, thereby minimizing the impact on customers and the public. The industry has become quite familiar with such drills. If the Commissioner is to conduct drills for CIs specifically in the future, the authorities should ensure proper communication with the industry well in advance and issue detailed guidelines to the participating organizations before the drills so that the industry can understand the theme and scope of the drills and make preparations accordingly to minimize impact on their daily operation while ensuring that the drills achieve the intended purpose.
In the course of scrutiny, a number of members have made specific suggestions and requested the Administration to clearly set out the various functions and actual operational details. The Administration has responded that comprehensive guidelines will be provided through the CoPs to delineate various functions and set out the standards in detail, such as specifying the scale of the dedicated computer-security management units, the qualification and experience requirements of persons responsible for supervising the units, and providing detailed guidance and examples on what constitutes an incident and the circumstances under which notification is required to be made to the Commissioner, so as to facilitate better understanding and implementation by the relevant personnel. Considering the myriad of complicated matters to be covered by the CoPs, I hope that when drafting and revising the same, the authorities will fully consult the industry and take on board the views and suggestions of various parties, so that the CoPs will better cater to actual operation and ensure that the requirements so formulated can be practically implemented and accepted by all parties concerned.
Deputy President, I support the Bill and all the amendments.
I so submit.
