
Collaboration Between Enterprises, Vendors, and Government to Proactively Address IT Compliance Challenges


Wilson Tang

Co-Owner & Chief Information Security Officer, HKBN Group

With over 20 years of experience in the industry, Wilson leads a team of professionals dedicated to proactively combating cybersecurity threats and achieving excellence.

As a seasoned security expert, Wilson emphasizes the importance of understanding technology, applying best practices, leveraging quantitative measurement, managing stakeholders effectively, and maintaining a realistic approach as key success factors.

Wilson holds a Bachelor’s Degree in Computing Science from the University of New England (Australia) and was recognized as CISO of the Year at the Revive Tech Asia Awards 2023.


The recent proposal by the Security Bureau, “Proposed Legislative Framework to Enhance Protection of the Computer Systems of Critical Infrastructure (Proposed Framework)”, has sparked intense discussion within the industry. The Bureau expects to submit the related draft legislation to the Legislative Council by the end of 2024, with an anticipated effective date in early 2026. As a member of the industry, I would like to leverage my experience to share insights on this subject, helping all stakeholders to be fully prepared for the forthcoming opportunities and challenges.
Striking a Balance between Service Continuity and National Security
The implementation of this proposed legislation is imperative. I believe that regardless of the scale and mode of operation of enterprises, all operators of critical infrastructures for delivering essential services in Hong Kong (eight sectors, i.e. energy, information technology, banking and financial services, land transport, air transport, maritime, healthcare services, and communications and broadcasting) or other infrastructures for maintaining important societal and economic activities (e.g. major sports and performance venues, research and development parks, etc.) must prepare for the new compliance landscape. One primary objective of this proposed legislation is to maintain the continuity of critical services while meeting compliance requirements. For example, the uninterrupted operation of local community and livelihood matters is crucial, as is ensuring robust connectivity with Mainland government and business entities to prevent large-scale disruptions.
System Perfection is Not Required, But Resilience Is Essential
Another important aspect of securing critical infrastructure computer systems is accepting that these systems will be attacked, and sometimes breached, while maintaining resilience. IT management departments and teams must have a comprehensive procedural framework in place, covering the detection and tracking of network attacks and system failures, incident handling, timely recovery, and transparent external communication.
Moreover, it is essential to understand that this legislation should not be perceived as an overwhelming threat. The government recognises that no system can be perfectly secure and aims to promote a safer and more reliable digital economy. After receiving 53 submissions during the consultation period, the Security Bureau proposed extending the reporting deadline for serious incidents from two hours to 12 hours, and the deadline for other incidents to 48 hours, a gesture of goodwill towards operators.
Enhancing Professionalism and Constructive Interactions with Regulatory Bodies
By the time the final legislative framework is officially enacted in 2026, regardless of any modifications, it is expected to strengthen the IT industry's ecosystem and the collaborative spirit among peers. Traditionally, some IT teams have been accustomed to managing daily operations through ad-hoc methods. However, as operational complexity and compliance requirements increase, regulated processes and professionalisation become necessary. IT teams must also strive for continuous improvement, for example by obtaining ISO 27001 certification for information security management and ISO 9001 certification to maintain consistent service quality.

In addition, businesses must not only ensure robust system security but also continuously understand and improve compliance-related operations. Establishing a positive relationship with regulatory bodies is crucial for fostering a proactive attitude that benefits enterprises, vendors, and the government alike, creating a “win-win-win” scenario. If you have any questions about the future direction of these issues, feel free to contact our team. Together, we can successfully navigate this inevitable digital transformation.

