Obligations for CI operators
Purpose: To ensure that operators have a sound management structure to implement necessary protection measures
- Maintain an office in Hong Kong to carry on business and provide the most updated address
- Notify operator changes
- Set up a computer-system security management unit and employ a head with adequate knowledge
Purpose: To ensure that operators take measures to prevent cyber attacks
- Notify material changes to critical computer systems
- Submit and implement a computer-system security management plan
- Conduct regular security risk assessments and submit a report
- Carry out regular independent security audits and submit a report
Purpose: To ensure that operators respond to incidents and recover the systems promptly
- Participate in a computer-system security drill no more than once every two years
- Submit and implement a computer-system security incident emergency response plan
- Notify computer-system security incidents
If the incident is classified as a serious incident*, the operator must notify the authority within 12 hours (or within 48 hours for other incidents) and submit a written report within 14 days after becoming aware of the incident.
*Serious incidents: incidents that have disrupted, are disrupting, or will likely disrupt the core functions of CIs
Time frames for CI operators' compliance with the obligations
| Category 1 – Organizational obligations | Time frame |
|---|---|
| Notify the authority of the office address in Hong Kong | Within 1 month after designation/within 1 month after the change occurs |
| Notify the authority of operator changes as soon as possible | Within 1 month |
| Set up a computer-system security management unit and appoint an employee with adequate knowledge as the head | Within 1 month after designation/within 1 month after the head changes |

| Category 2 – Preventive obligations | Time frame |
|---|---|
| Notify the authority of material changes to critical computer systems | Within 1 month |
| Submit a computer-system security management plan | Within 3 months after designation/within 1 month after revisions are made |
| Conduct regular computer-system security risk assessments | Within 12 months after designation/at least once every 12 months thereafter |
| Submit a report upon completion of the computer-system security risk assessment | Within 3 months after the assessment deadline |
| Carry out regular computer-system security audits | Within 24 months after designation/at least once every 24 months thereafter |
| Submit a report upon completion of the computer-system security audit | Within 3 months after the audit deadline |

| Category 3 – Incident reporting and response obligations | Time frame |
|---|---|
| Participate in a computer-system security drill organized by the Commissioner | As per written notice issued by the Commissioner |
| Submit a computer-system security incident emergency response plan | Within 3 months after designation/within 1 month after revisions are made |
| Notify the authority after becoming aware of a serious incident* | Within 12 hours |
| Notify the authority after becoming aware of any other incident | Within 48 hours |
| If the initial notification was not made in the specified form and manner, notify the authority again in the specified form and manner | Within 48 hours after the initial notification |
| Submit a written report of the incident | Within 14 days after becoming aware of the incident |
*Serious incident: one that has disrupted, is disrupting, or is likely to disrupt the core functions of critical infrastructure