Operators of critical infrastructure in Hong Kong will have longer to notify authorities on any serious lapse in security after the government extended the time frame following a consultation exercise on a proposed law aimed at improving protection.
Advertisement
A Security Bureau spokesman on Wednesday also addressed concerns over the powers of a commissioner’s office to be set up to oversee the implementation of the new law, saying it would only link devices or install programs on the operator’s systems in “exceptional circumstances”.
In a consultation report sent to the Legislative Council, the bureau stated providers would have 12 hours to report serious cybersecurity incidents, instead of the two earlier suggested.
“We have considered the practical difficulties and made references to other jurisdictions,” the spokesman said. “We think we can extend the time limit to 12 hours.”
Many submissions received during the consultation period raised concerns that two hours was not long enough to contact authorities while employees were simultaneously trying to resolve the security issue, he added.
Advertisement
The bureau concluded its month-long consultation exercise for the Protection of Critical Infrastructure (Computer System) Bill in August and received 53 submissions.