Cyber Risk Mitigation: What’s Changing Under New Legislation for Hong Kong
In March 2025, the Hong Kong Legislative Council passed the Protection of Critical Infrastructures (Computer Systems) Bill. The resulting change in legislation and regulatory oversight for Critical Infrastructure Operators (CIOs) introduces a new level of scrutiny and accountability for companies in industries such as telecommunications and financial services. Although the Bill does not deal with the protection of personal data as such, it has implications for the cyber security governance, policies and practices of organisations that act as, or provide services to, CIOs. The Bill is expected to take effect on 1 January 2026.
A Step Towards Tighter Cyber Security Controls
As a territory with a strong focus on fostering a business-friendly environment, Hong Kong has generally taken a measured approach to introducing comprehensive cyber security policies, with significant enhancements only emerging in recent years. As Sabba Manyara, Director of Cyber Solutions for Aon in Asia, points out, Hong Kong's most recent legislative reform on data privacy was focused on anti-doxxing laws in the wake of the protests and civil unrest of 2019 and 2020. “At the time when a lot of countries in Asia started developing or strengthening privacy regulations to match GDPR and other trends globally, Hong Kong was compelled to make anti-doxxing laws their priority,” she says.
With this new legislation, Hong Kong is once again seeking to serve the public interest by introducing protections for critical infrastructure (CI) across two categories:
Category 1: Infrastructure for delivering essential services in Hong Kong, e.g. banks and financial institutions, telecommunications service providers, electricity supply facilities and railway systems.
Category 2: Other infrastructure for maintaining important societal and economic activities, e.g. major sports and performance venues and research and development parks.
Under the legislation, CIOs responsible for these types of infrastructure will be held to new standards for their computer systems, including taking part in regular security drills and audits and submitting a security risk assessment at least once a year to the Security Bureau. Organisations could face fines of up to HK$5 million for failing to maintain the required cyber security safeguards. There are also new deadlines for notifying security incidents once the operator becomes aware of them: 12 hours for a serious incident and 48 hours for all other incidents.
How New Standards Compare
For some companies operating in Hong Kong, meeting these standards will take less effort. Financial services businesses, for example, are likely to have suitable systems, processes and resources in place already because of cyber security requirements in other jurisdictions. “For companies transacting outside of Hong Kong, as we would expect many to be doing, they will already have adapted to strict legislative controls and regulatory scrutiny,” says Naureen Rasul, Director, Financial Services and Professions Group and Head of Growth for Aon in Hong Kong.
This is particularly the case for those Hong Kong entities that fall under this legislation and also have exposure to China’s Personal Information Protection Law (PIPL). “Companies have done a lot of work on their cyber security resilience and data governance to ensure they comply with the Personal Information Protection Laws (PIPL) in China,” says Manyara. “However, the new standards in Hong Kong pay attention more to risk exposures and incident notifications for infrastructure rather than personal data or privacy. Therefore, companies should still review their current cyber security responsibilities, governance and provisions through the lens of these new legislative requirements.”
While larger firms with international operations may find the transition to these new standards relatively smooth, smaller companies, or those in sectors with historically lower cyber security maturity, such as healthcare or utilities, may face greater challenges. Hong Kong’s focus on time-bound incident reporting and critical infrastructure risk management will require organisations to adjust their cyber security frameworks to meet these specific demands, even if they already comply with privacy laws such as the PIPL or GDPR, which are built around personal data rather than the availability and security of the systems themselves.
Steps to Support Compliance and Mitigate Risks
There are three areas for organisations to pay attention to in their review of cyber security capabilities:
Talent and Capability
“While the new measures and existing privacy laws in Hong Kong may not be as stringent as we’ve seen with PIPL or the General Data Protection Regulation (GDPR) in Europe, they’re only going to become stricter over time,” says Rasul. “Now is the time to be making sure you have a capable Chief Information Security Officer and team on board to ensure your company can keep leveling up their cyber security policies and protections.”
Aligning with AI Initiatives
Under the new legislation, CIOs will be required to report material changes to their critical computer systems. This has implications for innovations that involve new technologies, for example the use of AI for predictive maintenance, where introducing a new system or substantially changing an existing one may itself trigger a reporting obligation. Executive leaders and technology teams will need to factor this regulatory framework into their plans as they take up these opportunities.
Insurance Cover
Reviewing policy wording and exploring potential new insurance solutions can help companies transfer risk and mitigate future losses from a cyber security incident or from non-compliance. Areas that are particularly important to look at include:
- Cyber incident response, including legal expenses and IT forensics costs
- Regulatory defence and penalties cover written to respond to general cyber security regulation, not just privacy-specific regulation
- Directors and Officers (D&O) cover
With this renewed regulatory scrutiny, companies operating critical infrastructure in Hong Kong, and their suppliers, will need to review their cyber security and risk management strategies. While companies with cross-border and global operations may already meet strict cyber security requirements elsewhere, the specifics of the new legislation, in particular the incident notification deadlines, the annual risk assessment and the duty to report material system changes, demand careful attention. By investing in cyber security expertise that can grasp both the risks and the opportunities of evolving technologies, companies can stay one step ahead in an increasingly complex operating and legislative environment.
Aon is here to help you understand, quantify and manage your cyber risk. Talk to our specialists today.