Cybersecurity & Data Privacy for Hong Kong

HK Cybersecurity Market, latest Critical Infrastructure Bill 2024 regulations, Data Privacy Program core elements, HK markets and more. [Securing Things by M. Yousuf Faisal]

Disclaimer: All views presented here, in this newsletter, are my own.

Author or the newsletter are not liable for any actions taken by any individual or any organization / business / entity. The information provided is for education and awareness purposes only and is not specific to any business and or situation.

M. Yousuf Faisal

Hey there,

This week’s theme is about:

  • ✍️ Cybersecurity Market Outlook for Hong Kong.

  • ↪️ Upcoming Cyber Act in Hong Kong - Critical Infrastructure Act.

  • 📘 12 core elements of Maturing or Reviewing Data Privacy Program.

  • ‼️ Weekly list of resources (tools, reads, watch, listen & training).

This edition provides executives (CxOs) and security and compliance professionals working for international and local businesses operating in Hong Kong (in sectors likely to be classified as critical infrastructure operators (CIOs) and asset owners) with essential knowledge on the upcoming critical infrastructure bill, the 12 core elements of a Data Privacy Program (which I call the Data Privacy Dozen, DPD), and the key principles of the Hong Kong Personal Data (Privacy) Ordinance (PDPO), so that they are well prepared for current and future regulatory requirements.

Yours truly.

— Yousuf.

But before we begin, do me a favour and hit the “Subscribe” button to let me know that you care or liked it, and keep me motivated to publish more. Thanks!


Hong Kong - Market Insights

Cybersecurity Market Landscape

For many years, Hong Kong was an attractive market and a major financial hub for global businesses thanks to its business-friendly environment, serving as an Asian hub for both Western and Eastern countries and as a gateway to the China market, until, over the last decade or more, the regional market shifted in terms of competition and geopolitical challenges.

According to Mordor Intelligence, the Hong Kong cybersecurity market is expected to register a CAGR of 13.43% during the forecast period (2025-2040).

According to Statista, the Hong Kong cybersecurity market is projected to reach US$852.65m by 2025, with Security Services leading at US$484.04m. The market is expected to grow at 7.64% annually from 2025 to 2029, reaching US$1.14bn. The average spend per employee is anticipated to be US$230.33 in 2025, indicating strong and sustained growth.

Insights on Cybersecurity Threats

HKCERT released the "Hong Kong Cyber Security Outlook 2025", in which key concerns include supply chain security and AI-driven content hijacking, highlighting the need for increased vigilance across all sectors. Together with the findings of the "IoT Security Study Report on Digital Signage", it offers an overview of the city's 2024 cyber security landscape and forecasts the following risks for 2025:

  • Rising Risks from Third Parties

  • Risks of Leakage and Data Poisoning in LLMs

  • Cyber Attacks and Scams

  • Increasing Cyber Attacks on Critical Infrastructure

  • Cyber Security Challenges of IoT

Hong Kong - Critical Infrastructure Bill 2024

Overview

Finally, some progress in the right direction: the Protection of Critical Infrastructure (Computer Systems) Bill was gazetted on December 6, 2024, marking a significant step toward enhancing the cybersecurity of essential services in Hong Kong.

This legislation aims to regulate critical infrastructure operators (CIOs) across various sectors, ensuring robust cybersecurity measures are in place to mitigate risks associated with cyber-attacks. In particular, the Chief Executive (in his 2023 Policy Address) announced:

"To address the increasing risks of cyber-attacks globally, the Government is working to enhance the cybersecurity of our critical infrastructure, including energy, telecommunications, transportation, financial institutions, etc. We will introduce a bill into the Legislative Council for this purpose in 2024."

Though well behind other leading Asian economies in terms of release and enforcement, Hong Kong's critical infrastructure bill aligns with global trends, matching laws in Mainland China, Macao, Australia, Singapore, Malaysia, Thailand, the UK, the EU, the US, and Canada.

Key Dates and Timeline

  • June 2024: Discussion draft prepared by the Security Bureau.

  • October 2024: Public consultations held, receiving 53 written submissions.

  • December 6, 2024: Bill gazetted.

  • December 11, 2024: The CI Bill was introduced into the Legislative Council (LegCo) for its first and second reading.

  • Expected Passage: Date for the third reading yet to be announced.

Essential Definitions

  • Critical Infrastructure Operators (CIOs): Organizations responsible for managing essential services such as energy, banking, healthcare, telecommunications, and transportation.

  • Critical Computer Systems (CCS): Designated systems essential for the operation of CIOs that are accessible in or from Hong Kong.

Analysis and Insights

  • The Bill aligns Hong Kong with global trends in cybersecurity regulation.

  • Increased scrutiny on CIOs reflects a growing recognition of cyber threats.

  • Flexibility in designating critical infrastructure allows for adaptive regulatory measures.

  • Emphasis on third-party compliance highlights the interconnectedness of modern infrastructure.

  • Regulatory bodies will play a crucial role in guiding CIOs through compliance processes.

  • Potential for significant fines underscores the need for proactive measures.

  • Training and awareness programs are essential for successful implementation.

  • Collaboration between sectors can enhance overall resilience against cyber threats.

  • Phased approach to designation will allow organizations time to prepare adequately.

  • Ongoing dialogue with regulators will be vital for adapting to future challenges.

Potential Sectors

Under the Bill, critical infrastructure operators (CIOs) are likely to include organizations from several key sectors. While the exact list may evolve as regulations are finalized, sectors typically considered critical infrastructure include:

“Expected” sectors to be included (subject to confirmation), with a description of each:

  • Energy / Power / Utility Sector: Power generation and transmission companies; gas supply networks.

  • Financial Sector: Banks and financial institutions; stock exchanges and clearing houses.

  • Healthcare Sector: Hospitals and healthcare service providers; pharmaceutical manufacturing facilities.

  • Transportation Sector: Airports, seaports, rail networks, buses.

  • Telecommunications Sector: Telecommunications service providers (e.g., mobile network operators).

  • Water Supply Systems: Water treatment plants and distribution networks.

  • Government Services: Some government departments or agencies providing essential public services might also be included under this definition, depending on their reliance on computer systems for operations.

These sectors are crucial because disruptions to them could have significant impacts on public safety, health, economic stability, or national security.

Additional Considerations

The designation of specific CIOs will depend on the potential impact of a cyber incident on public safety or economic stability.

The regulatory framework may adjust over time with new technologies or evolving threats.

Note: For details on which organizations will be classified as CIOs, refer to official announcements from Hong Kong's Security Bureau or relevant legislative documents when available.

Hong Kong CI Bill 2024 Requirements & Fines

The CI Bill outlines several key obligations on Critical Infrastructure Operators (CIOs) to ensure robust cybersecurity measures are in place. These obligations are designed to protect critical systems from cyber threats and maintain public safety, economic stability, and national security.

Key Requirements / Obligations Imposed on CIOs

  1. Organisational Requirements & Establishment of a Cybersecurity Team: CIOs are to maintain an address and office in Hong Kong and set up a dedicated team, equipped with the necessary expertise and resources, that is responsible for managing cybersecurity.

  2. Security Management Plan: Develop and submit a comprehensive computer system security management plan. The plan should outline strategies for risk assessment, mitigation, incident response, and continuous monitoring.

  3. Risk Assessment and Audit Requirements: Conduct annual risk assessments to identify potential vulnerabilities. Perform biennial audits to evaluate compliance with the submitted security management plan.

  4. Incident Reporting: Report serious security incidents within 2 hours; other incidents within 24 hours. Submit detailed reports as required by regulatory authorities.

  5. Third-Party Compliance: Ensure that all third-party service providers comply with the same cybersecurity standards as the CIO. Include these requirements in contracts with service providers.

  6. Notification of Changes: Notify relevant authorities about changes in operations or ownership that could impact cybersecurity responsibilities.

  7. Continuous Learning and Improvement: Stay updated on evolving cyber threats and best practices through ongoing training programs for staff involved in cybersecurity roles.

  8. Compliance with Regulations: Adhere strictly to all regulations outlined under the Bill regarding data protection, system resilience, etc.

Implications for CIOs (Critical Infrastructure Operators)

  • These obligations require significant investment in both human resources (cybersecurity teams) and technology (secure systems).

  • Effective compliance involves not just meeting legal requirements but also fostering a culture of continuous improvement within organizations.

  • Collaboration between sectors can enhance overall resilience against cyber threats by sharing best practices.

For detailed guidance on implementing these obligations effectively, it is advisable to consult official guidelines from Hong Kong's Security Bureau or engage with local cybersecurity experts familiar with regulatory specifics.

Example Checklist for Compliance Preparation

Each obligation is listed with its corresponding action items:

  • Cybersecurity Team: Hire experienced personnel; define roles & responsibilities.

  • Security Management Plan: Outline risk assessment procedures; detail incident response protocols.

  • Risk Assessment & Audit: Schedule annual assessments; engage external auditors biennially.

  • Incident Reporting & Awareness Training: Establish rapid notification processes; train staff on reporting procedures.

  • Third-Party Compliance: Review contracts; conduct regular audits of third-party providers.

This checklist provides a starting point for ensuring readiness under the new legislation by addressing the key areas where action is required from CIOs.

Fines and Penalties

The fines for non-compliance under Hong Kong's Protection of Critical Infrastructure (Computer Systems) Bill are substantial, with penalties ranging from HK$500,000 to HK$5 million. Daily fines may apply for ongoing violations. To understand how these compare to other jurisdictions, let's examine similar regulations globally:

Comparison with Other Jurisdictions

  1. European Union (EU) - NIS2 Directive: The EU’s NIS2 Directive imposes fines up to €10 million or 2% of total worldwide turnover for severe breaches. This is significantly higher than Hong Kong’s maximum fine but reflects the EU's broader economic scale.

  2. United States - CISA Regulations: In the U.S., the Cybersecurity and Infrastructure Security Agency (CISA) can impose penalties under various laws like the Federal Power Act or sector-specific regulations. Fines can vary widely depending on the specific regulation and severity of non-compliance but often reach into millions of dollars.

  3. Singapore - Cybersecurity Act: Singapore imposes fines up to SGD 100,000 (approximately HK$570,000) for certain offenses related to critical information infrastructure. While lower than Hong Kong’s maximum fine, Singapore’s approach emphasizes strict compliance requirements.

  4. Australia – Security of Critical Infrastructure Act 2018: Australia has a more complex regime with variable penalties depending on the type and severity of breaches. Fines can reach AUD 11 million for serious offenses against critical infrastructure entities.

Key Points

  • The level of fines reflects both the jurisdiction's economic context and its regulatory stance on cybersecurity enforcement.

  • Higher fines often correlate with stricter compliance standards and greater emphasis on national security concerns.

  • The comparison highlights that while Hong Kong’s fines are significant within its own legal framework, they align closely with international practices aimed at ensuring robust cybersecurity measures across critical sectors.


12 core elements for a Data Privacy Program.

Whether you are planning to establish, mature, or review your data privacy program, the following Data Privacy Dozen (12 areas) are the core elements of any Data Privacy Program effort.

  1. Privacy Framework, Program & Governance

  2. Awareness and Training

  3. Privacy Program Measurement

  4. Regulatory Compliance

  5. Privacy Notices & Information Collection

  6. Privacy Impact Assessments (PIA / DPIA)

  7. Data Security: Data Classification and Handling

  8. Data Security: Data Retention & De-Identification

  9. Third-Party Privacy Measurement

  10. Cross-Border Transfer Mechanisms / Contractual Clauses

  11. Data Subject Access Requests (DSAR / DSR)

  12. Data Breach Handling (DBH) & Notification.

Data Privacy Dozen (DPD) by M. Yousuf Faisal

Anything I missed? Help make it complete. Hit reply and let me know. Thanks.

If interested, let me know by replying to this email and I’ll expand on the DPDs.

Hong Kong Data Privacy Regulations

Hong Kong was the first in Asia to introduce a privacy ordinance.

The Personal Data (Privacy) Ordinance (Cap. 486) of Hong Kong establishes six fundamental Data Protection Principles (DPPs) that govern the collection, use, and management of personal data. Below is an explanation of each principle:

  1. Data Collection Principle (DPP1)

  • Lawful and Fair Collection: Personal data must be collected in a lawful and fair manner. The purpose of collection should be directly related to a function or activity of the data user.

  • Notification Requirement: Data subjects must be informed about the purpose for which their data is being collected and the types of persons to whom the data may be transferred.

  • Necessity and Proportionality: The data collected should be necessary for the stated purpose and not excessive in relation to that purpose.

  2. Accuracy & Retention Principle (DPP2)

  • Accuracy Requirement: Data users must ensure that personal data is accurate, complete, and up-to-date. If there are doubts about the accuracy, the use of such data should cease immediately.

  • Retention Limitation: Personal data should not be kept longer than necessary for fulfilling the purpose for which it was collected. Once the purpose is achieved, the data should be disposed of securely.

  3. Data Use Principle (DPP3)

  • Purpose Limitation: Personal data must only be used for the purpose for which it was collected or for a directly related purpose, unless explicit consent has been obtained from the data subject for a different use.

  • Consent Requirement: The consent must be voluntary and informed, ensuring that data subjects are fully aware of how their information will be utilised.

  4. Data Security Principle (DPP4)

  • Security Measures: Data users are required to take all practicable steps to protect personal data from unauthorized or accidental access, processing, erasure, loss, or use.

  • Considerations for Security: This includes evaluating the nature of the data, the potential harm from breaches, the physical security measures in place, and ensuring that personnel handling the data are competent and trustworthy.

  5. Openness Principle (DPP5)

  • Transparency Obligations: Data users must make their policies and practices regarding personal data known to the public. This includes informing individuals about what types of personal data are held and how it is used.

  • Public Accessibility: The information should be readily accessible to ensure transparency in how personal data is managed.

  6. Data Access & Correction Principle (DPP6)

  • Access Rights: Data subjects have the right to access their personal data held by a data user. They can request information on whether their personal data is being processed.

  • Correction Rights: If any personal data is found to be inaccurate, individuals have the right to request corrections. The ordinance stipulates how these requests should be handled and provides guidelines on refusal under specific circumstances.

These principles form a comprehensive framework aimed at safeguarding individuals' privacy rights in relation to their personal data, while ensuring responsible handling by data users (the organizations and individuals who collect or process such information; "data controllers" in GDPR terms).

Non-compliance with the Personal Data (Privacy) Ordinance (PDPO) in Hong Kong can lead to significant penalties, including fines and imprisonment. Here are the key penalties associated with various violations:

  • Failure to Comply with Enforcement Notices:

    • First Conviction: A maximum fine of HKD 50,000 (approximately USD 6,400) and imprisonment for up to 2 years.

    • Continuing Offence: An additional daily fine of HKD 1,000 (approximately USD 130) for each day the offence continues after conviction.

    • Subsequent Convictions: A maximum fine of HKD 100,000 (approximately USD 12,800) and imprisonment for up to 2 years, along with a daily fine of HKD 2,000 (approximately USD 260) for continuing offences.

  • Direct Marketing Violations: If personal data is used for direct marketing without proper consent or notification, penalties can reach up to HKD 1 million (approximately USD 128,000) and imprisonment for up to 5 years, particularly if the data is transferred for gain.

  • Anti-Doxxing Offences: Violations under the anti-doxxing provisions can also lead to severe penalties. For instance, a person committing an offence under these provisions may face a fine of up to HKD 1 million and imprisonment for up to 5 years.

  • False Information: Providing false or misleading information in compliance with notices from the Privacy Commissioner can result in a fine of up to HKD 10,000 and imprisonment for up to 6 months.

  • General Compliance Failures: Other non-compliance issues can incur fines ranging from HKD 10,000 for minor infractions to significant penalties for more serious breaches involving unauthorized disclosure of personal data or failure to comply with data subject requests.

Summary

The HK PDPO establishes a robust framework for protecting personal data in Hong Kong, with strict penalties aimed at ensuring compliance. Organizations and individuals must be vigilant in adhering to these regulations to avoid substantial financial and legal repercussions.


Ways in which I can help?

Whenever you are ready - I can help you with:

A - IT & OT Cybersecurity Advisory / Consulting services - for securing your business and/or its digital transformation journey.

B - Security Awareness Training & Phishing Awareness Portal - Train your staff and build a security awareness program through our subscription-based service.

C - Securing Things Academy (STA) - Security trainings for IT & OT practitioners.

Visit the newsletter website for links to the above services, or reach out at info[at]securingthings[dot]com or DM me via LinkedIn.

D - Securing Things Newsletter - Sponsor this newsletter to showcase your brand globally, or subscribe to simply Get Smarter at Securing Things.

Reach out at newsletter[at]securingthings[dot]com or DM me via LinkedIn.

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I’d love to hear from you.

Also, if you find this or previous newsletter edition(s) useful and know other people who would too, I'd really appreciate if you'd forward it to them. Thanks a ton.

Thanks for reading - until the next edition!

It’s a Great Day to Start Securing Things for a Smart & Safer Society.

Take care and Best Regards,

Follow Securing Things on LinkedIn | X/Twitter & YouTube.
