The government on Tuesday proposed new legislation to enhance the cybersecurity of critical infrastructures such as banks, railway systems and electricity suppliers. Operators would be required to report cybersecurity incidents, and those who fail to comply would face fines of up to HK$5 million.
According to a paper submitted to the Legislative Council by the Security Bureau, critical infrastructures are "facilities that are necessary for the maintenance of normal functioning of the Hong Kong society".
There are two major categories of critical infrastructures. The first covers facilities delivering "essential services" in eight sectors, namely energy, information technology, banking and financial services, land transport, air transport, maritime, healthcare services, as well as communications and broadcasting. The second includes "other infrastructures for maintaining important societal and economic activities", such as major sports and performance venues.
A new commissioner's office under the Security Bureau will be set up to monitor operators and follow up on non-compliance.
Under the proposed legislative framework, operators are required to set up a computer system security management unit, conduct a security risk assessment at least once every year and an independent security audit at least once every two years, and report serious security incidents within two hours.
Penalties ranging from HK$500,000 to HK$5 million will apply to organisations that fail to comply.
In a Facebook post, security minister Chris Tang said the proposal does not target individuals but large organisations, adding that it will not infringe people's freedom to use the internet.
Lawmakers will discuss the proposal in a security panel meeting on July 2, followed by a consultation period that will last for a month.
The Security Bureau said it hopes to table the bill in Legco by the end of this year.