Security Requirements and Breach Notification
Do data privacy laws or regulations impose obligations to maintain information security controls to protect personal data from unauthorized access or processing?

Last review date: 31 December 2024

Yes.

  • appropriate technical, physical and/or organizational security controls
  • reasonable security controls
  • general obligation to take appropriate / reasonable technical, physical and/or organizational security measures

The PDPO requires data users to take all practicable steps to ensure that any personal data held by a data user is protected against unauthorized or accidental access, processing, erasure, loss or use.

Do other laws or regulations impose obligations to protect systems from cyberattack?

Last review date: 31 December 2024

  • financial services requirements
  • providers of critical infrastructure (upon the CI Bill entering into force)
  • other

Under the CI Bill, CIOs are subject to a number of organizational and preventative obligations to protect the security of their CCSs, for example:

  • setting up a computer-system security management unit to manage the security of CCSs;
  • formulating and implementing a computer-system security management plan; and
  • conducting regular computer-system risk assessments and audits.

The precise compliance obligations applicable to a particular CIO will be set out in a Code of Practice to be issued by the CI Commissioner and/or any of the Designated Authorities, as the case may be.

See also examples of sector-specific requirements below.

Financial Institutions - Various regulatory guidelines and circulars issued by the HKMA require institutions authorized by the HKMA such as licensed banks, restricted license banks and deposit-taking companies (collectively known as "authorized institutions" or "AIs") to comply with comprehensive technology risk management requirements, including the performance of an independent quality assurance review for major technology-related projects. See, for example, the recently released Module TM-C-1 "Supervisory Approach on Cyber Risk Management" of the HKMA's Supervisory Policy Manual and Module TM-G-1 "General Principles for Technology Risk Management" of the HKMA's Supervisory Policy Manual. In addition, the HKMA has launched a "cybersecurity fortification initiative," which has introduced, among other things, a cyber-resilience assessment framework against which AIs are generally expected to assess their cyber resilience.

Financial Intermediaries - There are general requirements under the SFC Code of Conduct and the Management, Supervision and Internal Control Guidelines for Persons Licensed by or Registered with the Securities and Futures Commission, which include requirements such as having internal control procedures and financial and operational capabilities which can be reasonably expected to protect their operations and their clients and other licensed or registered persons from financial loss arising from theft, fraud, and other dishonest acts, professional misconduct or omissions. From time to time, the SFC also issues guidance relating to cyberattacks that may apply to specific businesses (like internet trading) or situations (like remote office arrangements) (for example, the Guidelines for Reducing and Mitigating Hacking Risks Associated with Internet Trading).

Insurance - The Guideline on Cybersecurity (GL 20) issued by the Insurance Authority of Hong Kong (IA) sets out the minimum cybersecurity standards that authorized insurers are expected to have in place to protect their business data and the personal data of their existing and potential policyholders, and to ensure continuity of their business operations. These include a resilient cybersecurity strategy and framework tailored to mitigate relevant cyber risks and commensurate with the nature, size and complexity of their business. Similar cybersecurity requirements are also set out in the Guideline on Corporate Governance (GL 10) issued by the IA, as part of the effective corporate governance expected of authorized insurers in managing cybersecurity risks.

Has there been regulatory activity – including enforcement action, investigations, regulatory guidance or other public statements by the regulator – relating to cybersecurity by the following regulators in the last 12 months?
  • Data privacy
  • Securities or public company
  • Health
  • Financial services

Does data privacy or cybersecurity law impose obligations to make notifications about personal data security breaches?

Last review date: 31 December 2024

No

However, the PCPD issued non-binding Guidance on Data Breach Handling and Data Breach Notifications in June 2023, which provides a comprehensive guide to preventing, handling and reporting data breaches.

Controllers/Owners have to notify:

Last updated date: 31 December 2024

N/A

Processors/Agents have to notify:

Last updated date: 31 December 2024

N/A

Are there any additional sector-specific or non-personal data security breach notification requirements?

Last review date: 31 December 2024

Yes

Financial Institutions - Various regulatory guidelines and circulars issued by the HKMA, Hong Kong's banking regulator, require AIs to promptly report any significant/material incidents (e.g., security breaches or data leakage) to the HKMA and/or other authorities or customers. Similar requirements apply to other HKMA-regulated entities, for example, HKMA-licensed stored value facility issuers.

Financial Intermediaries - Various regulatory guidelines and circulars issued by the SFC require financial intermediaries which are licensed or registered with the SFC to promptly report any significant/material incidents to the SFC and/or other authorities or customers.

Insurance - The IA has issued a Guideline on Cybersecurity (GL 20), which requires that upon detection of a cybersecurity incident, an authorized insurer should report the incident with the related information to the IA as soon as practicable and in any event, no later than 72 hours from detection.

CIOs - Under the CI Bill, CIOs are required to report computer-system security incidents in respect of a CCS of a CI operated by the CIO to the CI Commissioner as soon as practicable and in any event within the following time limits:

  • If the incident has disrupted, is disrupting or is likely to disrupt the core function of the CI concerned: 12 hours after the CIO concerned becomes aware of the incident
  • In any other case: 48 hours after the CIO concerned becomes aware of the incident

  • cybersecurity authorities
  • financial services requirements
  • providers of critical infrastructure