{"id":32731,"date":"2026-04-16T06:16:18","date_gmt":"2026-04-16T06:16:18","guid":{"rendered":"https:\/\/prelive-tdw.visibleone.app\/?post_type=insight-and-news&#038;p=32731"},"modified":"2026-05-18T07:09:27","modified_gmt":"2026-05-18T07:09:27","slug":"what-you-need-to-know-about-the-protection-of-critical-infrastructures-computer-systems-ordinance-the-cybersecurity-legislation-in-hong-kong-part-5","status":"publish","type":"insight-and-news","link":"https:\/\/www.tannerdewitt.com\/zh-hans\/insight-and-news\/what-you-need-to-know-about-the-protection-of-critical-infrastructures-computer-systems-ordinance-the-cybersecurity-legislation-in-hong-kong-part-5\/","title":{"rendered":"What you need to know about the Protection of Critical Infrastructures (Computer Systems) Ordinance, the cybersecurity legislation in Hong Kong (Part 5)"},"content":{"rendered":"\n    \n\n<div style=\"background-image:url('https:\/\/www.tannerdewitt.com\/wp-content\/themes\/tanner-de-witt\/images\/insightdetails.jpeg')\"\n    class=\"insight-news-detail-hero\" id=\"insight-news-detail-hero\">\n\n\t\t<div style=\"background-color:\" class=\"insight-news-detail-hero-overlay \"><\/div>\n            <div class=\"z-[0]\">\n                <div class=\"insight-news-breadcrumbs flex items-end practice-areas-featured-breadcrumbs \">\n                    <a class=\"page-link no-underline\" href=\"https:\/\/www.tannerdewitt.com\/zh-hans\/\">Home<\/a>                <\/div>\n\n\n                <div class=\"hero-title\">\n                    <h1>\n                        What you need to know about the Protection of Critical Infrastructures (Computer Systems) Ordinance, the cybersecurity legislation in Hong Kong (Part 5)                    <\/h1>\n                <\/div>\n                \n                    <div style=\"\" class=\"hero-date \">\n\n                        <span class=\"month\">Apr<\/span>\n                        <span class=\"day\">16<\/span>\n                        <span class=\"year\">2026<\/span>\n                    <\/div>\n\n            <\/div>\n    \n\n    \n\n\n\n<\/div>\n\n\n\n<script >\n    (function () {\n        document.addEventListener(\"DOMContentLoaded\", () => {\n\n            const breadCrumbsContainer = Array.from(document.querySelectorAll(\".practice-areas-featured-breadcrumbs\"));\n\n            breadCrumbsContainer.forEach(container => {\n                const breadCrumbLinks = Array.from(container.querySelectorAll('.page-link'));\n                const breadCrumbSeperators = Array.from(container.querySelectorAll('.separator'));\n\n                if (Array.from(breadCrumbLinks).length === 1) {\n                    const homeNode = breadCrumbLinks[0];\n\n                    if (!homeNode) {\n                        return\n                    }\n\n                    const postTypeNode = homeNode.cloneNode(true);\n                    postTypeNode.textContent = \"Insights and News\";\n                    container.insertAdjacentHTML('beforeend', `<span class=\"separator practice-areas-featured-breadcrumb-item-slash\">\/<\/span>`)\n                    container.insertAdjacentElement('beforeend', postTypeNode)\n                    breadCrumbLinks.push(postTypeNode);\n\n                    if (\"Insights\") {\n                        const categoryNode = homeNode.cloneNode(true);\n\n                        categoryNode.textContent = \"Insights\";\n                        container.insertAdjacentHTML('beforeend', `<span class=\"separator practice-areas-featured-breadcrumb-item-slash\">\/<\/span>`)\n                        container.insertAdjacentElement('beforeend', categoryNode)\n                        breadCrumbLinks.push(categoryNode);\n                    }\n\n\n                    const titleNode = homeNode.cloneNode(true);\n\n                    titleNode.textContent = \"What you need to know about the Protection of Critical Infrastructures (Computer Systems) Ordinance, the cybersecurity legislation in Hong Kong (Part 5)\";\n                    container.insertAdjacentHTML('beforeend', `<span class=\"separator practice-areas-featured-breadcrumb-item-slash\">\/<\/span>`)\n                    container.insertAdjacentElement('beforeend', titleNode)\n                    breadCrumbLinks.push(titleNode);\n\n\n\n\n                }\n\n                breadCrumbLinks.forEach((link, index) => {\n\n                    link.classList.add('practice-areas-featured-breadcrumb-item-name');\n                    const origin = window.location.origin;\n                    const href = window.location.href;\n\n                    const originSplitter = window.location.href.includes(\"insight-and-news\") ? \"insight-and-news\" : window.location.href.includes('insights-and-news') ? \"insights-and-news\" : \"\"\n\n                    const paths = href.split(originSplitter);\n                    const links = paths[1].split(\"\/\").filter(Boolean)\n\n\n                    const resolvedOrigin = originSplitter ? (href.split(originSplitter)[0] || \"\") : (origin + \"\/\")\n\n                    if (index === 0) {\n\n                        if (!originSplitter) {\n                            link.href = origin\n                        } else {\n                            link.href = resolvedOrigin;\n                        }\n\n\n                    } else if (index === 1) {\n                        link.href = resolvedOrigin + originSplitter\n\n                    }\n                    else if (index === 2) {\n                        console.log(links)\n                        link.href = resolvedOrigin + originSplitter + \"\/\" + (links[0] || \"\")\n                    }\n                    else if (index === 3) {\n\n                        link.href = resolvedOrigin + originSplitter + \"\/\" + (links[0] || \"\") + \"\/\" + (links[1] || \"\")\n\n                    }\n\n\n\n                    \/\/ const words = link.textContent.split(\" \")\n                    \/\/ if (words.length > 4) {\n                    \/\/     link.textContent = words.slice(0, 4).join(\" \") + \"...\"\n                    \/\/ }\n\n                })\n\n                breadCrumbSeperators.forEach(separator => {\n                    separator.textContent = \"\/\"\n                    separator.classList.add('practice-areas-featured-breadcrumb-item-slash')\n                });\n\n\n            })\n\n\n        })\n        removeDivTag()\n    })();\n\n    function removeDivTag() {\n        console.log(\"remasfljas\");\n        const editorContainer = document.querySelector(\".editor-wysiwyg\");\n        \/\/ editorContainer.innerText = editorContainer.innerText.replace(\"<\/div>\", \"\")\n        Array.from(editorContainer.childNodes).forEach(el => {\n            if (el.textContent.includes(\"<\/div>\")) {\n                el.textContent = \"\"\n            }\n        })\n    }\n<\/script>\n\n<div class=\"editor-wysiwyg my-[40px]\">\n<div class=\"single-section\">\u00a0<\/div>\n<p id=\"ember60\" class=\"ember-view reader-text-block__paragraph\">The Protection of Critical Infrastructures (Computer Systems) Ordinance (Cap. 653) came into force in Hong Kong on 1 January 2026. This is the first substantial horizontal cybersecurity legislation in Hong Kong. We are exploring the scope and impact of this legislation in a series of articles, focusing in a Q&amp;A format on the key issues businesses and industries need to be aware of. Our previous articles in the series are available on <a class=\"xRPuXKfUpBkIORjMpZxQAvTEeNvfshyBJs \" tabindex=\"0\" href=\"https:\/\/www.tannerdewitt.com\/insight-and-news\/what-you-need-to-know-about-the-protection-of-critical-infrastructures-computer-systems-ordinance-the-cybersecurity-legislation-in-hong-kong-part-1\/\" target=\"_self\" data-test-app-aware-link=\"\">here<\/a>, <a class=\"xRPuXKfUpBkIORjMpZxQAvTEeNvfshyBJs \" tabindex=\"0\" href=\"https:\/\/www.tannerdewitt.com\/insight-and-news\/what-you-need-to-know-about-the-protection-of-critical-infrastructures-computer-systems-ordinance-the-cybersecurity-legislation-in-hong-kong-part-2\/\" target=\"_self\" data-test-app-aware-link=\"\">here<\/a>,\u00a0<a href=\"https:\/\/www.tannerdewitt.com\/insight-and-news\/what-you-need-to-know-about-the-protection-of-critical-infrastructures-computer-systems-ordinance-the-cybersecurity-legislation-in-hong-kong-part-3\/\">here<\/a>, and\u00a0<a class=\"xRPuXKfUpBkIORjMpZxQAvTEeNvfshyBJs \" tabindex=\"0\" href=\"https:\/\/www.tannerdewitt.com\/insight-and-news\/what-you-need-to-know-about-the-protection-of-critical-infrastructures-computer-systems-ordinance-the-cybersecurity-legislation-in-hong-kong-part-4\/\" target=\"_self\" data-test-app-aware-link=\"\" data-wplink-edit=\"true\">here<\/a><a href=\"https:\/\/www.tannerdewitt.com\/insight-and-news\/what-you-need-to-know-about-the-protection-of-critical-infrastructures-computer-systems-ordinance-the-cybersecurity-legislation-in-hong-kong-part-5\/\">.<\/a><\/p>\n<p id=\"ember61\" class=\"ember-view reader-text-block__paragraph\">In this article, <a class=\"xRPuXKfUpBkIORjMpZxQAvTEeNvfshyBJs \" tabindex=\"0\" href=\"https:\/\/www.tannerdewitt.com\/our-people\/padraig-walsh\/\" target=\"_self\" data-test-app-aware-link=\"\">P\u00e1draig Walsh<\/a> from our <a class=\"xRPuXKfUpBkIORjMpZxQAvTEeNvfshyBJs \" tabindex=\"0\" href=\"https:\/\/www.tannerdewitt.com\/practice-areas\/cybersecurity\/\" target=\"_self\" data-test-app-aware-link=\"\">Cybersecurity<\/a> practice reviews the strict reporting and notification to the CICS Commissioner under PCICSO.<\/p>\n<p id=\"ember62\" class=\"ember-view reader-text-block__paragraph\">12. <strong>Incident Response Obligations: Incident notice and reporting obligations<\/strong><\/p>\n<p id=\"ember63\" class=\"ember-view reader-text-block__paragraph\">12.1 <strong>What is the basic obligation of the CI Operator in respect of notification and reporting of security incidents?<\/strong><\/p>\n<p id=\"ember64\" class=\"ember-view reader-text-block__paragraph\">The basic obligation of the CI Operator is to notify and report a computer system security incident to the CICS Commissioner if it becomes aware of the security incident.<\/p>\n<p id=\"ember65\" class=\"ember-view reader-text-block__paragraph\">12.2 <strong>What is the policy purpose of computer-system security incident notification?<\/strong><\/p>\n<p id=\"ember66\" class=\"ember-view reader-text-block__paragraph\">The policy purpose is to enable the CICS Commissioner to assess the overall consequences of the computer-system security incident. The CICS Commissioner will assess the consequences for the provision of essential services in different sectors, or for the maintenance of critical societal or economic activities in Hong Kong. The CICS Commissioner will then assess and take appropriate remedial measures to prevent the impact from spreading to other sectors.<\/p>\n<p id=\"ember67\" class=\"ember-view reader-text-block__paragraph\">12.3 <strong>What is a notifiable computer-system security incident?<\/strong><\/p>\n<p id=\"ember68\" class=\"ember-view reader-text-block__paragraph\">All computer-system security incidents are notifiable. A computer-system security incident is an event that:<\/p>\n<p id=\"ember69\" class=\"ember-view reader-text-block__paragraph\">(a)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 involves unauthorised access to the CCS or any other unauthorised act on or through the CCS or another computer system; and<\/p>\n<p id=\"ember70\" class=\"ember-view reader-text-block__paragraph\">(b)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 has an actual adverse effect on the computer-system security of the CCS.<\/p>\n<p id=\"ember71\" class=\"ember-view reader-text-block__paragraph\">12.4 <strong>What are examples of notifiable computer-system security incidents?<\/strong><\/p>\n<p id=\"ember72\" class=\"ember-view reader-text-block__paragraph\">Examples of notifiable computer-system security incidents are:<\/p>\n<p id=\"ember73\" class=\"ember-view reader-text-block__paragraph\">(a)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 large-scale or volumetric distributed denial of service (\u201cDDoS\u201d) attack causing degradation of an essential service;<\/p>\n<p id=\"ember74\" class=\"ember-view reader-text-block__paragraph\">(b)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ransom DDoS attack where a ransom note is received;<\/p>\n<p id=\"ember75\" class=\"ember-view reader-text-block__paragraph\">(c)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ransomware attack that causes suspension of an essential service or shows signs of data compromise;<\/p>\n<p id=\"ember76\" class=\"ember-view reader-text-block__paragraph\">(d)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 unintended external connection to a CCS caused by malware infection or by an adversary exploiting a vulnerability;<\/p>\n<p id=\"ember77\" class=\"ember-view reader-text-block__paragraph\">(e)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 an employee or other insider accesses sensitive digital data of a CCS and maliciously exfiltrates that data or maliciously misconfigures the access privilege of the CCS;<\/p>\n<p id=\"ember78\" class=\"ember-view reader-text-block__paragraph\">(f)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 configurations or data of a CCS are modified by a malicious payload or script;<\/p>\n<p id=\"ember79\" class=\"ember-view reader-text-block__paragraph\">(g)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 an employee or other insider abuses his authority to interfere with the functioning of the CCS; and<\/p>\n<p id=\"ember80\" class=\"ember-view reader-text-block__paragraph\">(h)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 any tampering with cryptographic key management devices that hampers the normal functioning of a CCS.<\/p>\n<p id=\"ember81\" class=\"ember-view reader-text-block__paragraph\">12.5 <strong>What is a notifiable serious computer-system security incident?<\/strong><\/p>\n<p id=\"ember82\" class=\"ember-view reader-text-block__paragraph\">A notifiable serious security incident is a computer-system security incident which has disrupted, is disrupting or is likely to disrupt the core function of the critical infrastructure concerned. The timelines for notifying a serious security incident are shorter.<\/p>\n<p id=\"ember83\" class=\"ember-view reader-text-block__paragraph\">12.6 <strong>How can a CI Operator assess if a notifiable computer-system security incident is also a serious security incident?<\/strong><\/p>\n<p id=\"ember84\" class=\"ember-view reader-text-block__paragraph\">A computer-system security incident is considered as a serious incident if:<\/p>\n<p id=\"ember85\" class=\"ember-view reader-text-block__paragraph\">(a)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 the downtime affecting the core function of the critical infrastructure concerned has exceeded or is likely to exceed the maximum tolerable downtime prescribed in the business continuity management plan of the CI Operator;<\/p>\n<p id=\"ember86\" class=\"ember-view reader-text-block__paragraph\">(b)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 the service performance has dropped or is likely to drop below the minimum service level prescribed in the business continuity management plan of the CI Operator;<\/p>\n<p id=\"ember87\" class=\"ember-view reader-text-block__paragraph\">(c)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 the incident has triggered or is likely to trigger the activation of business continuity or disaster recovery procedures;<\/p>\n<p id=\"ember88\" class=\"ember-view reader-text-block__paragraph\">(d)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 the incident has caused or is likely to cause the leakage of material volume of customer data according to volumes prescribed in the business continuity management plan of the CI Operator;<\/p>\n<p id=\"ember89\" class=\"ember-view reader-text-block__paragraph\">(e)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 the incident has leaked or is likely to leak sensitive digital data that hampers the normal functioning of the CCS;<\/p>\n<p id=\"ember90\" class=\"ember-view reader-text-block__paragraph\">(f)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 the incident has caused or is likely to cause a material number of customer enquiries or complaints according to numbers and volume prescribed in the business continuity management plan of the CI Operator; or<\/p>\n<p id=\"ember91\" class=\"ember-view reader-text-block__paragraph\">(g)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 threat actors have threatened to launch an attack against a CCS at a specified time that would likely trigger any of these scenarios.<\/p>\n<p id=\"ember92\" class=\"ember-view reader-text-block__paragraph\">12.7 <strong>Are all incidents causing adverse impacts to CCS notifiable?<\/strong><\/p>\n<p id=\"ember93\" class=\"ember-view reader-text-block__paragraph\">No. Examples of incidents that would not be notifiable include:<\/p>\n<p id=\"ember94\" class=\"ember-view reader-text-block__paragraph\">(a)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 an event arising from pure technical failure;<\/p>\n<p id=\"ember95\" class=\"ember-view reader-text-block__paragraph\">(b)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 natural disaster;<\/p>\n<p id=\"ember96\" class=\"ember-view reader-text-block__paragraph\">(c)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 mass power outage;<\/p>\n<p id=\"ember97\" class=\"ember-view reader-text-block__paragraph\">(d)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 a computer-system security threat that is detected and timely removed or quarantined; or<\/p>\n<p id=\"ember98\" class=\"ember-view reader-text-block__paragraph\">(e)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 personal data leakage arising from human mistake.<\/p>\n<p id=\"ember99\" class=\"ember-view reader-text-block__paragraph\">12.8 <strong>What is the timeline for notifying a computer-system security incident?<\/strong><\/p>\n<p id=\"ember100\" class=\"ember-view reader-text-block__paragraph\">The CI Operator must notify the CICS Commissioner as soon as practicable after becoming aware of a serious computer-system security incident, and no later than 48 hours after becoming aware. The timelines are shorter for a serious computer-system security incident.<\/p>\n<p id=\"ember101\" class=\"ember-view reader-text-block__paragraph\">Failure to give notice when required is an offence.<\/p>\n<p id=\"ember102\" class=\"ember-view reader-text-block__paragraph\">12.9 <strong>What is the timeline for notifying a serious computer-system security incident?<\/strong><\/p>\n<p id=\"ember103\" class=\"ember-view reader-text-block__paragraph\">The CI Operator must notify the CICS Commissioner as soon as practicable after becoming aware of a serious computer-system security incident, and no later than 12 hours after becoming aware.<\/p>\n<p id=\"ember104\" class=\"ember-view reader-text-block__paragraph\">Failure to give notice when required is an offence.<\/p>\n<p id=\"ember105\" class=\"ember-view reader-text-block__paragraph\">12.10 <strong>When will a CI Operator be considered to have become aware of a computer-system security incident?<\/strong><\/p>\n<p id=\"ember106\" class=\"ember-view reader-text-block__paragraph\">The CICS Commissioner accepts that, once signs of disruption or irregularity are noticed in a CCS, then a short period of investigation is needed to confirm whether a computer-system security incident. Once the CI Operator has a reasonable degree of certainty that a computer-system security incident has occurred, the CI Operator will be deemed to have become aware of the computer-system security incident.<\/p>\n<p id=\"ember107\" class=\"ember-view reader-text-block__paragraph\">12.11 <strong>How is the notification made?<\/strong><\/p>\n<p id=\"ember108\" class=\"ember-view reader-text-block__paragraph\">The CICS Commissioner has published a prescribed form [<a class=\"xRPuXKfUpBkIORjMpZxQAvTEeNvfshyBJs \" tabindex=\"0\" href=\"https:\/\/www.occics.gov.hk\/filemanager\/en\/content_20\/CICS005.pdf\" target=\"_self\" data-test-app-aware-link=\"\" rel=\"noopener\">link<\/a>] that must be used by the CI Operator to notify the CICS Commissioner of a computer-system security incident. The CI Operator should complete the form as far as practicable based on the information available, and submit the form through a designated secured channel.<\/p>\n<p id=\"ember109\" class=\"ember-view reader-text-block__paragraph\">The CI Operator may first make the notification to a designated telephone number. If the initial notification is not in the prescribed notice form of the CICS Commissioner, then the CI Operator must complete and submit the prescribed notice form to the CICS Commissioner within 48 hours of the initial notification.<\/p>\n<p id=\"ember110\" class=\"ember-view reader-text-block__paragraph\">12.12 <strong>What information is required under the prescribed notice form?<\/strong><\/p>\n<p id=\"ember111\" class=\"ember-view reader-text-block__paragraph\">The prescribed notice form requires information on:<\/p>\n<p id=\"ember112\" class=\"ember-view reader-text-block__paragraph\">(a)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 name of the CI Operator;<\/p>\n<p id=\"ember113\" class=\"ember-view reader-text-block__paragraph\">(b)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 CCS affected;<\/p>\n<p id=\"ember114\" class=\"ember-view reader-text-block__paragraph\">(c)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 assessment of seriousness of the incident;<\/p>\n<p id=\"ember115\" class=\"ember-view reader-text-block__paragraph\">(d)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 nature of the incident;<\/p>\n<p id=\"ember116\" class=\"ember-view reader-text-block__paragraph\">(e)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 time of the identifying the incident, and becoming aware of it;<\/p>\n<p id=\"ember117\" class=\"ember-view reader-text-block__paragraph\">(f)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 summary of key incident points; and<\/p>\n<p id=\"ember118\" class=\"ember-view reader-text-block__paragraph\">(g)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 details of the reporting party.<\/p>\n<p id=\"ember119\" class=\"ember-view reader-text-block__paragraph\">If the initial notification is by call to a designated number, then the information required is:<\/p>\n<p id=\"ember120\" class=\"ember-view reader-text-block__paragraph\">(a)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 the nature of the computer-system security incident;<\/p>\n<p id=\"ember121\" class=\"ember-view reader-text-block__paragraph\">(b)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 the CCSs involved; and<\/p>\n<p id=\"ember122\" class=\"ember-view reader-text-block__paragraph\">(c)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 the key summary points of the incident.<\/p>\n<p id=\"ember123\" class=\"ember-view reader-text-block__paragraph\">In this case, the prescribed notice form must be submitted within 48 hours of the call.<\/p>\n<p id=\"ember124\" class=\"ember-view reader-text-block__paragraph\">12.13 <strong>What is the timeline for providing a report to the CICS Commissioner on a computer-system security incident?<\/strong><\/p>\n<p id=\"ember125\" class=\"ember-view reader-text-block__paragraph\">The CI Operator must submit a report to the CICS Commissioner in respect of the computer-system security incident within 14 days after the date on which the CI Operator became aware of the incident.<\/p>\n<p id=\"ember126\" class=\"ember-view reader-text-block__paragraph\">Failure to submit a report when required is an offence.<\/p>\n<p id=\"ember127\" class=\"ember-view reader-text-block__paragraph\">12.14 <strong>What is the process to submit a report the CICS Commissioner in respect of a computer-system security incident?<\/strong><\/p>\n<p id=\"ember128\" class=\"ember-view reader-text-block__paragraph\">The CICS Commissioner has published a prescribed form for the purpose of submitting a report in respect of a computer-system security incident [<a class=\"xRPuXKfUpBkIORjMpZxQAvTEeNvfshyBJs \" tabindex=\"0\" href=\"https:\/\/www.occics.gov.hk\/filemanager\/en\/content_20\/CICS006.pdf\" target=\"_self\" data-test-app-aware-link=\"\" rel=\"noopener\">link<\/a>].<\/p>\n<p id=\"ember129\" class=\"ember-view reader-text-block__paragraph\">12.15 <strong>What information is required under the prescribed report form?<\/strong><\/p>\n<p id=\"ember130\" class=\"ember-view reader-text-block__paragraph\">The prescribed report form requires information on:<\/p>\n<p id=\"ember131\" class=\"ember-view reader-text-block__paragraph\">(a)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 name of the CI Operator;<\/p>\n<p id=\"ember132\" class=\"ember-view reader-text-block__paragraph\">(b)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 details and physical location of CCS affected;<\/p>\n<p id=\"ember133\" class=\"ember-view reader-text-block__paragraph\">(c)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 nature and details of the incident;<\/p>\n<p id=\"ember134\" class=\"ember-view reader-text-block__paragraph\">(d)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 point of intrusion;<\/p>\n<p id=\"ember135\" class=\"ember-view reader-text-block__paragraph\">(e)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 root cause analysis;<\/p>\n<p id=\"ember136\" class=\"ember-view reader-text-block__paragraph\">(f)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 time of the identifying the incident, and becoming aware of it;<\/p>\n<p id=\"ember137\" class=\"ember-view reader-text-block__paragraph\">(g)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 method and means of identification of incident<\/p>\n<p id=\"ember138\" class=\"ember-view reader-text-block__paragraph\">(h)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 details of vulnerabilities found;<\/p>\n<p id=\"ember139\" class=\"ember-view reader-text-block__paragraph\">(i)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 impact assessment, including scope of impact, operational and service impact, data impact, customer\/third party impact, and financial impact;<\/p>\n<p id=\"ember140\" class=\"ember-view reader-text-block__paragraph\">(j)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 duration of disruption;<\/p>\n<p id=\"ember141\" class=\"ember-view reader-text-block__paragraph\">(k)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 response actions, current status summary and future actions with timelines;<\/p>\n<p id=\"ember142\" class=\"ember-view reader-text-block__paragraph\">(l)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 details of third party service providers engaged to support;<\/p>\n<p id=\"ember143\" class=\"ember-view reader-text-block__paragraph\">(m)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 stakeholder communications, including to media; and<\/p>\n<p id=\"ember144\" class=\"ember-view reader-text-block__paragraph\">(n)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 details of the reporting party.<\/p>\n<p id=\"ember145\" class=\"ember-view reader-text-block__paragraph\">12.14 <strong>Is the report to the CICS Commissioner intended to be a final report?<\/strong><\/p>\n<p id=\"ember146\" class=\"ember-view reader-text-block__paragraph\">No. The CI Operator is expected to promptly provide a supplementary report or material to the CICS Commissioner if additional information becomes available after submitting the written report.<\/p>\n<p id=\"ember147\" class=\"ember-view reader-text-block__paragraph\">12.15 <strong>Is the CI Operator required to make other notifications and reports in respect of a computer-system security incident?<\/strong><\/p>\n<p id=\"ember148\" class=\"ember-view reader-text-block__paragraph\">The notice and reporting obligations under PCICSO are without prejudice to notice and reporting obligations under sector-specific regulations. So, if other applicable laws or regulations impose notification and reporting obligations on the CI Operator, then the CI Operator will need to additionally fulfil those obligations and cannot rely on its notification and report to the CICS Commissioner.<\/p>\n<p id=\"ember149\" class=\"ember-view reader-text-block__paragraph\">Examples of other sector specific notice obligations include:<\/p>\n<p id=\"ember150\" class=\"ember-view reader-text-block__paragraph\">(a) <em>Banking sector<\/em>: There is a duty on authorised institutions to notify the Monetary Authority when they become aware that a significant incident, IT-related fraud or a major security breach has occurred. There is also a specific obligation to notify affected customers, and make public announcements if necessary.<\/p>\n<p id=\"ember151\" class=\"ember-view reader-text-block__paragraph\">(b) <em>Insurance sector<\/em>: There is a duty on insurers, upon detection of a relevant cyber incident, to report the incident with the related information to the Insurance Authority as soon as practicable, and in any event within 72 hours from detection.<\/p>\n<p id=\"ember152\" class=\"ember-view reader-text-block__paragraph\">(c) <em>Financial services sector<\/em>: There is a duty on licensed corporations to report to the Securities and Futures Commission upon the happening of any material cybersecurity incident (including ransomware attacks) or any material failure, error or defect in the operation or functioning of trading, accounting, clearing or settlement systems or equipment.<\/p>\n<p id=\"ember153\" class=\"ember-view reader-text-block__paragraph\">12 hours and 48 hours. These are the timelines that CISOs leading CSS Management Units will be acutely mindful of. Notification obligations are the core emergency legal requirement under PCICSO. However, CI Operators must be mindful that it will not be possible to fully and accurately provide the information required for notifications unless the organisational and preventative obligations have also been rigorously followed. It is the exacting process of preparing plans, assessments and audits, and conducting training and drills, that provides the resources, information and expertise to make accurate complete notifications within the exceptionally short timelines required under PCICSO.<\/p>\n<p id=\"ember154\" class=\"ember-view reader-text-block__paragraph\">In our final article in this series, we will review the enforcement powers of the CICS Commissioner under PCICSO.<\/p>\n<p style=\"text-align: right;\"><strong><em>P\u00e1draig Walsh<\/em><\/strong><\/p>\n<p>If you want to know more about the content of this article, please contact:<\/p>\n<p><a href=\"https:\/\/www.tannerdewitt.com\/our-people\/padraig-walsh\/\">P\u00e1draig Walsh<\/a><br \/>Partner |\u00a0<a href=\"mailto:padraigwalsh@tannerdewitt.com\">Email<\/a><\/p>\n<p>Disclaimer: This publication is general in nature and is not intended to constitute legal advice. You should seek professional advice before taking any action in relation to the matters dealt with in this publication. This article was last reviewed on <em>16 April 2026.<\/em><\/p>\n<\/div>\n\n\n\n\n<\/div>\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>\u00a0 The Protection of Critical Infrastructures (Computer Systems) Ordinance (Cap. 653) came into force in Hong Kong on 1 January 2026. This is the first substantial horizontal cybersecurity legislation in Hong Kong. We are exploring the scope and impact of this legislation in a series of articles, focusing in a Q&amp;A format on the key [&hellip;]<\/p>\n","protected":false},"author":22,"featured_media":32732,"parent":0,"menu_order":0,"template":"","meta":{"_acf_changed":false,"footnotes":""},"tags":[162,23,291],"insight-category":[1121],"insight-month":[1155],"insight-practice-area":[1146,1142],"insight-year":[1162],"class_list":["post-32731","insight-and-news","type-insight-and-news","status-publish","has-post-thumbnail","hentry","tag-cybersecurity","tag-legal-updates","tag-tmt","insight-category-legal-updates-and-insights","insight-month-april","insight-practice-area-cybersecurity","insight-practice-area-technology-media-and-telecommunications-tmt","insight-year-1162"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.tannerdewitt.com\/zh-hans\/wp-json\/wp\/v2\/insight-and-news\/32731","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.tannerdewitt.com\/zh-hans\/wp-json\/wp\/v2\/insight-and-news"}],"about":[{"href":"https:\/\/www.tannerdewitt.com\/zh-hans\/wp-json\/wp\/v2\/types\/insight-and-news"}],"author":[{"embeddable":true,"href":"https:\/\/www.tannerdewitt.com\/zh-hans\/wp-json\/wp\/v2\/users\/22"}],"version-history":[{"count":5,"href":"https:\/\/www.tannerdewitt.com\/zh-hans\/wp-json\/wp\/v2\/insight-and-news\/32731\/revisions"}],"predecessor-version":[{"id":32785,"href":"https:\/\/www.tannerdewitt.com\/zh-hans\/wp-json\/wp\/v2\/insight-and-news\/32731\/revisions\/32785"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.tannerdewitt.com\/zh-hans\/wp-json\/wp\/v2\/media\/32732"}],"wp:attachment":[{"href":"https:\/\/www.tannerdewitt.com\/zh-hans\/wp-json\/wp\/v2\/media?parent=32731"}],"wp:term":[{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.tannerdewitt.com\/zh-hans\/wp-json\/wp\/v2\/tags?post=32731"},{"taxonomy":"insight-category","embeddable":true,"href":"https:\/\/www.tannerdewitt.com\/zh-hans\/wp-json\/wp\/v2\/insight-category?post=32731"},{"taxonomy":"insight-month","embeddable":true,"href":"https:\/\/www.tannerdewitt.com\/zh-hans\/wp-json\/wp\/v2\/insight-month?post=32731"},{"taxonomy":"insight-practice-area","embeddable":true,"href":"https:\/\/www.tannerdewitt.com\/zh-hans\/wp-json\/wp\/v2\/insight-practice-area?post=32731"},{"taxonomy":"insight-year","embeddable":true,"href":"https:\/\/www.tannerdewitt.com\/zh-hans\/wp-json\/wp\/v2\/insight-year?post=32731"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}