“Referencing how other places have handled the matter, we will disclose the sectors, but not the names, of the companies as they might become terrorist targets,” Tang said.
The proposal requires infrastructure operators to formulate and carry out computer system security management plans, which must be submitted to a commissioner’s office to be created under the Security Bureau.
The bill defines such infrastructure as areas crucial to the regular functioning of society, broken down into eight categories – energy, information technology, banking, communications, maritime, healthcare services, as well as land and air transport.
Authorities have also proposed including other infrastructure operators, such as those overseeing major sports and performance venues, and research and development parks under the bill.
The government said it aimed to forward the proposal to lawmakers by the end of the year after a consultation period this month.
The bill will also require companies to maintain an office in Hong Kong for a cybersecurity department, conduct risk assessments at least once a year and report their findings to the bureau’s own specialist office.
Organisations that fail to comply with the requirements could be fined up to HK$5 million (US$640,100).
But lawmaker Chan Siu-hung said he was worried whether small or medium-sized operators would get enough government support to set up cybersecurity departments or when they conducted the required checks.
Tang said that the bill would mostly target larger companies, but authorities would publish practical guidelines to help operators prepare for the legislation.
Businesses could also get support from the city’s Innovation and Technology Commission and the Hong Kong Internet Registration Corporation, he added.
Legislators Ma Fung-kwok and Maggie Chan Man-ki also questioned how responsibility would be carved up between operators and their contractors.
Chan said some contractors may have more control over certain infrastructure than the operators.
Tang told lawmakers that companies would still be liable for any security loopholes even if they outsourced part of their operations to third-party contractors.
“Its services might have been outsourced, but the responsibility lies with the critical infrastructure operator. Outsourcing applies to tasks, but not responsibilities,” he said.
Tang added the government had no plans to expand the scope of critical infrastructure outlined in the bill beyond the previous proposal after lawmaker Chow Man-kong’s suggested the list should also cover research-focused tertiary institutions.
The Post earlier contacted more than 10 private companies and statutory bodies covered under the list for comment on their preparedness and to canvass concerns about the bill’s requirements.
The seven organisations that replied all said they already had cybersecurity systems and other such measures in place.
