{"id":32722,"date":"2026-04-14T06:11:24","date_gmt":"2026-04-14T06:11:24","guid":{"rendered":"https:\/\/prelive-tdw.visibleone.app\/?post_type=insight-and-news&#038;p=32722"},"modified":"2026-05-18T06:59:06","modified_gmt":"2026-05-18T06:59:06","slug":"what-you-need-to-know-about-the-protection-of-critical-infrastructures-computer-systems-ordinance-the-cybersecurity-legislation-in-hong-kong-part-4","status":"publish","type":"insight-and-news","link":"https:\/\/www.tannerdewitt.com\/zh-hant\/insight-and-news\/what-you-need-to-know-about-the-protection-of-critical-infrastructures-computer-systems-ordinance-the-cybersecurity-legislation-in-hong-kong-part-4\/","title":{"rendered":"What you need to know about the Protection of Critical Infrastructures (Computer Systems) Ordinance, the cybersecurity legislation in Hong Kong (Part 4)"},"content":{"rendered":"\n    \n\n<div style=\"background-image:url('https:\/\/www.tannerdewitt.com\/wp-content\/themes\/tanner-de-witt\/images\/insightdetails.jpeg')\"\n    class=\"insight-news-detail-hero\" id=\"insight-news-detail-hero\">\n\n\t\t<div style=\"background-color:\" class=\"insight-news-detail-hero-overlay \"><\/div>\n            <div class=\"z-[0]\">\n                <div class=\"insight-news-breadcrumbs flex items-end practice-areas-featured-breadcrumbs \">\n                    <a class=\"page-link no-underline\" href=\"https:\/\/www.tannerdewitt.com\/zh-hant\/\">Home<\/a>                <\/div>\n\n\n                <div class=\"hero-title\">\n                    <h1>\n                        What you need to know about the Protection of Critical Infrastructures (Computer Systems) Ordinance, the cybersecurity legislation in Hong Kong (Part 4)                    <\/h1>\n                <\/div>\n                \n                    <div style=\"\" class=\"hero-date \">\n\n                        <span class=\"month\">Apr<\/span>\n                        <span class=\"day\">14<\/span>\n                        <span 
class=\"year\">2026<\/span>\n                    <\/div>\n\n            <\/div>\n    \n\n    \n\n\n\n<\/div>\n\n\n\n<script >\n    (function () {\n        document.addEventListener(\"DOMContentLoaded\", () => {\n\n            const breadCrumbsContainer = Array.from(document.querySelectorAll(\".practice-areas-featured-breadcrumbs\"));\n\n            breadCrumbsContainer.forEach(container => {\n                const breadCrumbLinks = Array.from(container.querySelectorAll('.page-link'));\n                const breadCrumbSeperators = Array.from(container.querySelectorAll('.separator'));\n\n                if (Array.from(breadCrumbLinks).length === 1) {\n                    const homeNode = breadCrumbLinks[0];\n\n                    if (!homeNode) {\n                        return\n                    }\n\n                    const postTypeNode = homeNode.cloneNode(true);\n                    postTypeNode.textContent = \"Insights and News\";\n                    container.insertAdjacentHTML('beforeend', `<span class=\"separator practice-areas-featured-breadcrumb-item-slash\">\/<\/span>`)\n                    container.insertAdjacentElement('beforeend', postTypeNode)\n                    breadCrumbLinks.push(postTypeNode);\n\n                    if (\"Insights\") {\n                        const categoryNode = homeNode.cloneNode(true);\n\n                        categoryNode.textContent = \"Insights\";\n                        container.insertAdjacentHTML('beforeend', `<span class=\"separator practice-areas-featured-breadcrumb-item-slash\">\/<\/span>`)\n                        container.insertAdjacentElement('beforeend', categoryNode)\n                        breadCrumbLinks.push(categoryNode);\n                    }\n\n\n                    const titleNode = homeNode.cloneNode(true);\n\n                    titleNode.textContent = \"What you need to know about the Protection of Critical Infrastructures (Computer Systems) Ordinance, the cybersecurity legislation in Hong 
Kong (Part 4)\";\n                    container.insertAdjacentHTML('beforeend', `<span class=\"separator practice-areas-featured-breadcrumb-item-slash\">\/<\/span>`)\n                    container.insertAdjacentElement('beforeend', titleNode)\n                    breadCrumbLinks.push(titleNode);\n\n\n\n\n                }\n\n                breadCrumbLinks.forEach((link, index) => {\n\n                    link.classList.add('practice-areas-featured-breadcrumb-item-name');\n                    const origin = window.location.origin;\n                    const href = window.location.href;\n\n                    const originSplitter = window.location.href.includes(\"insight-and-news\") ? \"insight-and-news\" : window.location.href.includes('insights-and-news') ? \"insights-and-news\" : \"\"\n\n                    const paths = href.split(originSplitter);\n                    const links = paths[1].split(\"\/\").filter(Boolean)\n\n\n                    const resolvedOrigin = originSplitter ? 
(href.split(originSplitter)[0] || \"\") : (origin + \"\/\")\n\n                    if (index === 0) {\n\n                        if (!originSplitter) {\n                            link.href = origin\n                        } else {\n                            link.href = resolvedOrigin;\n                        }\n\n\n                    } else if (index === 1) {\n                        link.href = resolvedOrigin + originSplitter\n\n                    }\n                    else if (index === 2) {\n                        console.log(links)\n                        link.href = resolvedOrigin + originSplitter + \"\/\" + (links[0] || \"\")\n                    }\n                    else if (index === 3) {\n\n                        link.href = resolvedOrigin + originSplitter + \"\/\" + (links[0] || \"\") + \"\/\" + (links[1] || \"\")\n\n                    }\n\n\n\n                    \/\/ const words = link.textContent.split(\" \")\n                    \/\/ if (words.length > 4) {\n                    \/\/     link.textContent = words.slice(0, 4).join(\" \") + \"...\"\n                    \/\/ }\n\n                })\n\n                breadCrumbSeperators.forEach(separator => {\n                    separator.textContent = \"\/\"\n                    separator.classList.add('practice-areas-featured-breadcrumb-item-slash')\n                });\n\n\n            })\n\n\n        })\n        removeDivTag()\n    })();\n\n    function removeDivTag() {\n        console.log(\"remasfljas\");\n        const editorContainer = document.querySelector(\".editor-wysiwyg\");\n        \/\/ editorContainer.innerText = editorContainer.innerText.replace(\"<\/div>\", \"\")\n        Array.from(editorContainer.childNodes).forEach(el => {\n            if (el.textContent.includes(\"<\/div>\")) {\n                el.textContent = \"\"\n            }\n        })\n    }\n<\/script>\n\n<div class=\"editor-wysiwyg my-[40px]\">\n<div class=\"single-section\">\u00a0<\/div>\n<p id=\"ember60\" 
class=\"ember-view reader-text-block__paragraph\">The Protection of Critical Infrastructures (Computer Systems) Ordinance (Cap. 653) came into force in Hong Kong on 1 January 2026. This is the first substantial horizontal cybersecurity legislation in Hong Kong. We are exploring the scope and impact of this legislation in a series of articles, focusing in a Q&amp;A format on the key issues businesses and industries need to be aware of. Our previous articles in the series are available on <a class=\"xRPuXKfUpBkIORjMpZxQAvTEeNvfshyBJs \" tabindex=\"0\" href=\"https:\/\/www.tannerdewitt.com\/insight-and-news\/what-you-need-to-know-about-the-protection-of-critical-infrastructures-computer-systems-ordinance-the-cybersecurity-legislation-in-hong-kong-part-1\/\" target=\"_self\" data-test-app-aware-link=\"\">here<\/a>, <a class=\"xRPuXKfUpBkIORjMpZxQAvTEeNvfshyBJs \" tabindex=\"0\" href=\"https:\/\/www.tannerdewitt.com\/insight-and-news\/what-you-need-to-know-about-the-protection-of-critical-infrastructures-computer-systems-ordinance-the-cybersecurity-legislation-in-hong-kong-part-2\/\" target=\"_self\" data-test-app-aware-link=\"\">here<\/a>,\u00a0<a href=\"https:\/\/www.tannerdewitt.com\/insight-and-news\/what-you-need-to-know-about-the-protection-of-critical-infrastructures-computer-systems-ordinance-the-cybersecurity-legislation-in-hong-kong-part-3\/\">here<\/a> and\u00a0<a class=\"xRPuXKfUpBkIORjMpZxQAvTEeNvfshyBJs \" tabindex=\"0\" href=\"https:\/\/www.tannerdewitt.com\/insight-and-news\/what-you-need-to-know-about-the-protection-of-critical-infrastructures-computer-systems-ordinance-the-cybersecurity-legislation-in-hong-kong-part-4\/\" target=\"_self\" data-test-app-aware-link=\"\">here<\/a> <a href=\"https:\/\/www.tannerdewitt.com\/insight-and-news\/what-you-need-to-know-about-the-protection-of-critical-infrastructures-computer-systems-ordinance-the-cybersecurity-legislation-in-hong-kong-part-5\/\">.<\/a><\/p>\n<p id=\"ember61\" class=\"ember-view 
reader-text-block__paragraph\">In this article, <a class=\"xRPuXKfUpBkIORjMpZxQAvTEeNvfshyBJs \" tabindex=\"0\" href=\"https:\/\/www.tannerdewitt.com\/our-people\/padraig-walsh\/\" target=\"_self\" data-test-app-aware-link=\"\">P\u00e1draig Walsh<\/a> from our <a class=\"xRPuXKfUpBkIORjMpZxQAvTEeNvfshyBJs \" tabindex=\"0\" href=\"https:\/\/www.tannerdewitt.com\/practice-areas\/cybersecurity\/\" target=\"_self\" data-test-app-aware-link=\"\">Cybersecurity<\/a> practice reviews the reporting and response obligations in respect of security drills led by the Commissioner of Critical Infrastructure (Computer-system Security) and maintaining a detailed emergency response plan.<\/p>\n<p id=\"ember62\" class=\"ember-view reader-text-block__paragraph\">9. <strong>Incident<\/strong> <strong>Reporting and Response Obligations<\/strong><\/p>\n<p id=\"ember63\" class=\"ember-view reader-text-block__paragraph\">9.1 <strong>What is a computer-system security incident?<\/strong><\/p>\n<p id=\"ember64\" class=\"ember-view reader-text-block__paragraph\">A computer-system security incident is an event that:<\/p>\n<p id=\"ember65\" class=\"ember-view reader-text-block__paragraph\">(a)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 involves unauthorised access to the CCS or any other unauthorised act on or through the CCS or another computer system; and<\/p>\n<p id=\"ember66\" class=\"ember-view reader-text-block__paragraph\">(b)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 has an actual adverse effect on the computer-system security of the CCS.<\/p>\n<p id=\"ember67\" class=\"ember-view reader-text-block__paragraph\">9.2 <strong>What is the main purpose of the incident reporting and response obligations of CI Operators?<\/strong><\/p>\n<p id=\"ember68\" class=\"ember-view reader-text-block__paragraph\">The main purpose of incident reporting and response obligations of CI Operators under PCICSO is to ensure CI Operators respond to incidents and recover CCS 
promptly.<\/p>\n<p id=\"ember69\" class=\"ember-view reader-text-block__paragraph\">9.3 <strong>What are the main incident reporting and response obligations of CI Operators?<\/strong><\/p>\n<p id=\"ember70\" class=\"ember-view reader-text-block__paragraph\">The main incident reporting and response obligations of CI Operators are to:<\/p>\n<p id=\"ember71\" class=\"ember-view reader-text-block__paragraph\">(a)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 participate in a computer-system security drill required by the CICS Commissioner;<\/p>\n<p id=\"ember72\" class=\"ember-view reader-text-block__paragraph\">(b)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 submit and implement a computer-system security incident emergency response plan; and<\/p>\n<p id=\"ember73\" class=\"ember-view reader-text-block__paragraph\">(c)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 notify computer-system security incidents to the CICS Commissioner.<\/p>\n<p id=\"ember74\" class=\"ember-view reader-text-block__paragraph\">9.4 <strong>What is the role of the designated regulators in respect of incident reporting and response obligations under PCICSO?<\/strong><\/p>\n<p id=\"ember75\" class=\"ember-view reader-text-block__paragraph\">There is no primary role for the designated regulators in respect of incident reporting and response obligations under PCICSO. The CICS Commissioner will perform those obligations directly.<\/p>\n<p id=\"ember76\" class=\"ember-view reader-text-block__paragraph\">The regulatory intent is that designated regulators can apply specialist sector regulatory oversight and expertise in respect of organisational and preventive obligations, while the CICS Commissioner will have global oversight of incident reporting and response by all CI Operators. 
So, CI Operators that deal with their designated regulators for organisational and preventive obligations for computer system security under PCICSO, must directly deal with the CICS Commissioner for incident reporting and response obligations under PCICSO. Those CI Operators may have sector specific reporting obligations in addition to the obligations to the CICS Commissioner.<\/p>\n<p id=\"ember77\" class=\"ember-view reader-text-block__paragraph\">The currently designated regulators under PCICSO are the Hong Kong Monetary Authority for the banking and financial services sector, and the Communications Authority for the telecommunications and broadcasting services sector.<\/p>\n<p id=\"ember78\" class=\"ember-view reader-text-block__paragraph\">10. <strong>Incident Response Obligations: Security drills<\/strong><\/p>\n<p id=\"ember79\" class=\"ember-view reader-text-block__paragraph\">10.1 <strong>Can the obligation to perform a security drill be performed unilaterally by CI Operators?<\/strong><\/p>\n<p id=\"ember80\" class=\"ember-view reader-text-block__paragraph\">The statutory obligation under PCICSO specifically relates to a requirement notified by the CICS Commissioner in writing to participate in a computer system security drill conducted by the CICS Commissioner. 
The CI Operator cannot excuse itself from this statutory requirement on the basis of the conduct of internally organised security drills.<\/p>\n<p id=\"ember81\" class=\"ember-view reader-text-block__paragraph\">10.2 <strong>What are the purposes of the security drill?<\/strong><\/p>\n<p id=\"ember82\" class=\"ember-view reader-text-block__paragraph\">The purposes of the security drill are for the CICS Commissioner to test the CI Operator\u2019s readiness to respond to security incidents, primarily:<\/p>\n<p id=\"ember83\" class=\"ember-view reader-text-block__paragraph\">(a)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 assessing the validity and effectiveness of CI Operator\u2019s emergency response plan; and<\/p>\n<p id=\"ember84\" class=\"ember-view reader-text-block__paragraph\">(b)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 assessing the participating personnel\u2019s knowledge of their roles and responsibilities in responding to security incidents.<\/p>\n<p id=\"ember85\" class=\"ember-view reader-text-block__paragraph\">10.3 <strong>What are the features of a security drill conducted by the CICS Commissioner?<\/strong><\/p>\n<p id=\"ember86\" class=\"ember-view reader-text-block__paragraph\">The particular features of a security drill will be determined by the CICS Commissioner. The security drill may be conducted as a tabletop exercise, functional exercise, simulated attack or other means directed by the CICS Commissioner.<\/p>\n<p id=\"ember87\" class=\"ember-view reader-text-block__paragraph\">A security drill may involve multiple CI Operators in the same or different sectors, and multiple government units. 
The purpose could be to test the coordination of security incidents with large societal or economic impacts and restoration of public order.<\/p>\n<p id=\"ember88\" class=\"ember-view reader-text-block__paragraph\">A security drill will not involve actual deployment of CCSs or their production environment.<\/p>\n<p id=\"ember89\" class=\"ember-view reader-text-block__paragraph\">10.4 <strong>How frequently will security drills be conducted?<\/strong><\/p>\n<p id=\"ember90\" class=\"ember-view reader-text-block__paragraph\">No more than once every two years.<\/p>\n<p id=\"ember91\" class=\"ember-view reader-text-block__paragraph\">10.5 <strong>Who would be required to attend a security drill?<\/strong><\/p>\n<p id=\"ember92\" class=\"ember-view reader-text-block__paragraph\">The expectation of the CICS Commissioner is that these persons should attend a security drill:<\/p>\n<p id=\"ember93\" class=\"ember-view reader-text-block__paragraph\">(a)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 management personnel with a role in the emergency response plan;<\/p>\n<p id=\"ember94\" class=\"ember-view reader-text-block__paragraph\">(b)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 CSS Management Unit;<\/p>\n<p id=\"ember95\" class=\"ember-view reader-text-block__paragraph\">(c)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 emergency response team members;<\/p>\n<p id=\"ember96\" class=\"ember-view reader-text-block__paragraph\">(d)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 corporate communications personnel; and<\/p>\n<p id=\"ember97\" class=\"ember-view reader-text-block__paragraph\">(e)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 other personnel necessary for the particular security drill.<\/p>\n<p id=\"ember98\" class=\"ember-view reader-text-block__paragraph\">10.6 <strong>What is the role of the CICS Commissioner after the security drill?<\/strong><\/p>\n<p id=\"ember99\" class=\"ember-view 
reader-text-block__paragraph\">The CICS Commissioner will provide comments on the performance of the CI Operator in the security drill, including areas of improvement. The CI Operator will be required to take remedial actions to adopt and implement recommendations of the CICS Commissioner.<\/p>\n<p id=\"ember100\" class=\"ember-view reader-text-block__paragraph\">10.7 <strong>Is participation in a security drill conducted by the CICS Commissioner discretionary?<\/strong><\/p>\n<p id=\"ember101\" class=\"ember-view reader-text-block__paragraph\">It is mandatory for a CI Operator to participate in a security drill conducted by the CICS Commissioner, once the CICS Commissioner has given written notice to the CI Operator to do so. Failure to participate once notified is an offence.<\/p>\n<p id=\"ember102\" class=\"ember-view reader-text-block__paragraph\">11. <strong>Incident Response Obligations: Emergency response plan<\/strong><\/p>\n<p id=\"ember103\" class=\"ember-view reader-text-block__paragraph\">11.1 <strong>What is the basic obligation of the CI Operator in respect of its emergency response plan?<\/strong><\/p>\n<p id=\"ember104\" class=\"ember-view reader-text-block__paragraph\">A CI Operator must submit an emergency response plan detailing the particulars and process for the CI Operator\u2019s response to security incidents in respect of CCS of its critical infrastructure within three months of its designation by the CICS Commissioner, and within one month after any revisions thereafter.<\/p>\n<p id=\"ember105\" class=\"ember-view reader-text-block__paragraph\">11.2 <strong>What is the scope of the emergency response plan?<\/strong><\/p>\n<p id=\"ember106\" class=\"ember-view reader-text-block__paragraph\">The scope of the emergency response plan should include incident management, and business continuity management and disaster recovery planning.<\/p>\n<p id=\"ember107\" class=\"ember-view reader-text-block__paragraph\">11.3 <strong>What is incident 
management?<\/strong><\/p>\n<p id=\"ember108\" class=\"ember-view reader-text-block__paragraph\">The incident management aspects of the emergency response plan ensure that the incident response activities are carried out in an orderly, efficient and effective manner, minimising damage from the security incident.<\/p>\n<p id=\"ember109\" class=\"ember-view reader-text-block__paragraph\">11.4 <strong>What is business continuity management?<\/strong><\/p>\n<p id=\"ember110\" class=\"ember-view reader-text-block__paragraph\">The primary focus of business continuity management is on the CI Operator\u2019s ability to continue essential operation during disruptions arising from security incidents.<\/p>\n<p id=\"ember111\" class=\"ember-view reader-text-block__paragraph\">11.5 <strong>What is disaster recovery planning?<\/strong><\/p>\n<p id=\"ember112\" class=\"ember-view reader-text-block__paragraph\">The primary focus of disaster recovery planning is on the effective restoration of the CCS from severe disruption. This enhances the resilience of business operations in connection with CCS.<\/p>\n<p id=\"ember113\" class=\"ember-view reader-text-block__paragraph\">11.6 <strong>Who is responsible for the emergency response plan?<\/strong><\/p>\n<p id=\"ember114\" class=\"ember-view reader-text-block__paragraph\">The emergency response plan is considered a critical document by the CICS Commissioner, and is not an administrative matter. 
The CI Operator must ensure that the emergency response plan and any subsequent material changes are approved by:<\/p>\n<p id=\"ember115\" class=\"ember-view reader-text-block__paragraph\">(a)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 the Board of Directors of the CI Operator;<\/p>\n<p id=\"ember116\" class=\"ember-view reader-text-block__paragraph\">(b)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 a functional sub-committee properly delegated by the Board; or<\/p>\n<p id=\"ember117\" class=\"ember-view reader-text-block__paragraph\">(c)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 senior management overseeing the operation of the concerned critical infrastructure, such as a Chief Executive Officer or Chief Operating Officer.<\/p>\n<p id=\"ember118\" class=\"ember-view reader-text-block__paragraph\">11.7 <strong>What security incident response matters should be included in the emergency response plan?<\/strong><\/p>\n<p id=\"ember119\" class=\"ember-view reader-text-block__paragraph\">The security incident matters to be included in the emergency response plan include:<\/p>\n<p id=\"ember120\" class=\"ember-view reader-text-block__paragraph\">(a)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 the structure, roles and responsibilities of a team responsible for responding to security incidents;<\/p>\n<p id=\"ember121\" class=\"ember-view reader-text-block__paragraph\">(b)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 the threshold for initiating emergency response protocols to security incidents;<\/p>\n<p id=\"ember122\" class=\"ember-view reader-text-block__paragraph\">(c)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 the procedures for reporting security incidents;<\/p>\n<p id=\"ember123\" class=\"ember-view reader-text-block__paragraph\">(d)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 The procedures for investigating the cause and assessing the impact of security incidents, including playbooks 
for:<\/p>\n<p id=\"ember124\" class=\"ember-view reader-text-block__paragraph\">(i)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 containing the security incident;<\/p>\n<p id=\"ember125\" class=\"ember-view reader-text-block__paragraph\">(ii)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 handling of digital evidence, including identification, collection, acquisition, preservation of evidence and chain of custody;<\/p>\n<p id=\"ember126\" class=\"ember-view reader-text-block__paragraph\">(iii)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 investigating the cause and impact of the incident;<\/p>\n<p id=\"ember127\" class=\"ember-view reader-text-block__paragraph\">(iv)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 recording the incident response process, including details of the incident, actions taken and decisions made; and<\/p>\n<p id=\"ember128\" class=\"ember-view reader-text-block__paragraph\">(v)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 conducting a post-incident review;<\/p>\n<p id=\"ember129\" class=\"ember-view reader-text-block__paragraph\">(e)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 the recovery plan for resuming the provision of essential services by, or the normal operation of, affected critical infrastructure;<\/p>\n<p id=\"ember130\" class=\"ember-view reader-text-block__paragraph\">(f)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 the plan for communicating with stakeholders and the general public in respect of security incidents;<\/p>\n<p id=\"ember131\" class=\"ember-view reader-text-block__paragraph\">(g)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 the recommended post-incident measures for mitigating the risks of recurrence of security incidents, including a post-security incident review that addresses:<\/p>\n<p id=\"ember132\" class=\"ember-view reader-text-block__paragraph\">(i)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 facts and causes of the security 
incident;<\/p>\n<p id=\"ember133\" class=\"ember-view reader-text-block__paragraph\">(ii)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 gaps in existing governance, risk management and compliance in respect of the security incident, and the degree of consequence;<\/p>\n<p id=\"ember134\" class=\"ember-view reader-text-block__paragraph\">(iii)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 effectiveness and efficiency in executing the emergency response plan; and<\/p>\n<p id=\"ember135\" class=\"ember-view reader-text-block__paragraph\">(iv)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 improvement actions recommended; and<\/p>\n<p id=\"ember136\" class=\"ember-view reader-text-block__paragraph\">(h)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 review procedure for the emergency response plan.<\/p>\n<p id=\"ember137\" class=\"ember-view reader-text-block__paragraph\">11.8 <strong>What business continuity matters should be included in the emergency response plan?<\/strong><\/p>\n<p id=\"ember138\" class=\"ember-view reader-text-block__paragraph\">The business continuity matters to be included in the emergency response plan include:<\/p>\n<p id=\"ember139\" class=\"ember-view reader-text-block__paragraph\">(a)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 the business continuity objectives to be achieved;<\/p>\n<p id=\"ember140\" class=\"ember-view reader-text-block__paragraph\">(b)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 business impact analysis of the CCS to identify, as applicable:<\/p>\n<p id=\"ember141\" class=\"ember-view reader-text-block__paragraph\">(i)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 maximum tolerable downtime (\u201cMTD\u201d);<\/p>\n<p id=\"ember142\" class=\"ember-view reader-text-block__paragraph\">(ii)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 recovery time objectives (\u201cRTO\u201d);<\/p>\n<p id=\"ember143\" class=\"ember-view 
reader-text-block__paragraph\">(iii)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 recovery point objectives (\u201cRPO\u201d); and<\/p>\n<p id=\"ember144\" class=\"ember-view reader-text-block__paragraph\">(iv)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 minimum service levels (\u201cMSL\u201d).<\/p>\n<p id=\"ember145\" class=\"ember-view reader-text-block__paragraph\">(c)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 resources needed to resume the relevant business processes;<\/p>\n<p id=\"ember146\" class=\"ember-view reader-text-block__paragraph\">(d)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 policies and procedures to ensure continuity of essential services;<\/p>\n<p id=\"ember147\" class=\"ember-view reader-text-block__paragraph\">(e)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 roles and responsibilities of relevant management and personnel;<\/p>\n<p id=\"ember148\" class=\"ember-view reader-text-block__paragraph\">(f)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 training and testing to ensure responsible employees are familiar with the business continuity plan and policy; and<\/p>\n<p id=\"ember149\" class=\"ember-view reader-text-block__paragraph\">(g)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 evaluation and review whenever there are material changes to CCS.<\/p>\n<p id=\"ember150\" class=\"ember-view reader-text-block__paragraph\">11.9 <strong>What disaster recovery matters should be included in the emergency response plan?<\/strong><\/p>\n<p id=\"ember151\" class=\"ember-view reader-text-block__paragraph\">The disaster recovery matters to be included in the emergency response plan include:<\/p>\n<p id=\"ember152\" class=\"ember-view reader-text-block__paragraph\">(a)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 recovery strategy that aligns with the business continuity objectives;<\/p>\n<p id=\"ember153\" class=\"ember-view 
reader-text-block__paragraph\">(b)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 policies and procedures for backup, taking into account geo-location risk management for data hosting sites;<\/p>\n<p id=\"ember154\" class=\"ember-view reader-text-block__paragraph\">(c)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 recovery procedures to an alternative site, including resumption plans for the primary site;<\/p>\n<p id=\"ember155\" class=\"ember-view reader-text-block__paragraph\">(d)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 regular testing of backup media and telecommunication services; and<\/p>\n<p id=\"ember156\" class=\"ember-view reader-text-block__paragraph\">(e)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 evaluation and review whenever there are material changes to CCS.<\/p>\n<p id=\"ember157\" class=\"ember-view reader-text-block__paragraph\">11.10 <strong>What training obligations are required by CI Operators?<\/strong><\/p>\n<p id=\"ember158\" class=\"ember-view reader-text-block__paragraph\">The CI Operator must ensure all members of the emergency response team are familiar with both their own roles and responsibilities and those of other team members as defined in the emergency response plan. 
The CI Operator must also provide training for all team members to ensure their capabilities to carry out their assigned duties.<\/p>\n<p id=\"ember159\" class=\"ember-view reader-text-block__paragraph\">Members of the emergency response team are expected to participate in security drills conducted by the CICS Commissioner, and may be subject to comment by the CICS Commissioner in respect of performance at that security drill.<\/p>\n<p id=\"ember160\" class=\"ember-view reader-text-block__paragraph\">11.11 <strong>How should the emergency response plan address communication matters in the context of security incident response?<\/strong><\/p>\n<p id=\"ember161\" class=\"ember-view reader-text-block__paragraph\">The CI Operator must ensure there are multiple communication channels (e.g. phone, correspondence and email) available to effectively communicate with stakeholders in response to the security incident.<\/p>\n<p id=\"ember162\" class=\"ember-view reader-text-block__paragraph\">The CI Operator should appoint at least two contact points for non-working hours emergencies in relation to computer security issues. The contact points will be required to maintain communication with the CICS Commissioner during an emergency, and should also be capable of handling security incidents or relaying security messages to responsible personnel in a timely manner.\u00a0 The CI Operator must provide contact details of these contact points to the CICS Commissioner.<\/p>\n<p id=\"ember163\" class=\"ember-view reader-text-block__paragraph\">11.12 <strong>Are there requirements in respect of data gathering in the course of security incident response?<\/strong><\/p>\n<p id=\"ember164\" class=\"ember-view reader-text-block__paragraph\">The CI Operator is expected to collect and preserve digital evidence of the security incident, and is encouraged to engage capable incident response and forensic examination personnel to do so. 
Initially, the CI Operator must prioritise timely system recovery to restore essential business operations that have been impacted. Apart from that initial recovery, collection of digital evidence is a priority.<\/p>\n<p id=\"ember165\" class=\"ember-view reader-text-block__paragraph\">11.13 <strong>How frequently should the emergency response plan be reviewed?<\/strong><\/p>\n<p id=\"ember166\" class=\"ember-view reader-text-block__paragraph\">The emergency response plan should be reviewed upon any material changes to CCS, and in any event at least once every two years.<\/p>\n<p id=\"ember167\" class=\"ember-view reader-text-block__paragraph\">11.14 <strong>What is the process to notify the CICS Commissioner in respect of the emergency response plan?<\/strong><\/p>\n<p id=\"ember168\" class=\"ember-view reader-text-block__paragraph\">There is no prescribed format for an emergency response plan. Accordingly, the CICS Commissioner has not published a prescribed form for the purpose of giving notice.<\/p>\n<p id=\"ember169\" class=\"ember-view reader-text-block__paragraph\">The CI Operator must submit the emergency response plan to the CICS Commissioner within three months of designation, and thereafter within one month of any revision to the emergency response plan.<\/p>\n<p id=\"ember170\" class=\"ember-view reader-text-block__paragraph\">Failure to give notice when required is an offence.<\/p>\n<p id=\"ember171\" class=\"ember-view reader-text-block__paragraph\">11.15 <strong>What other regulatory oversight is there of the emergency response plan?<\/strong><\/p>\n<p id=\"ember172\" class=\"ember-view reader-text-block__paragraph\">PCICSO includes a positive statutory obligation on CI Operators to implement the emergency response plan. The Code of Practice requires that the CI Operator should provide necessary resources required to implement the emergency response plan. The emergency response plan is not a document for presentation and filing purposes. 
It is a document to direct the activities of the CI Operator in respect of CCS.<\/p>\n<p id=\"ember173\" class=\"ember-view reader-text-block__paragraph\">Cybersecurity professionals will be very familiar with security drills and exercises. They are the tried and tested means of assessing whether an emergency response plan is fit for purpose. The innovation of PCICSO is to set the framework for the conduct of those drills periodically on the scale of the Hong Kong economy. An emergency response plan is a critical document, and will assist CI Operators to think through foreseeable issues that might arise in a security incident.<\/p>\n<p id=\"ember174\" class=\"ember-view reader-text-block__paragraph\">In the next article in this series, we will look at specific incident notification obligations under PCICSO.<\/p>\n<p style=\"text-align: right;\"><strong><em>P\u00e1draig Walsh<\/em><\/strong><\/p>\n<p>If you want to know more about the content of this article, please contact:<\/p>\n<p><a href=\"https:\/\/www.tannerdewitt.com\/our-people\/padraig-walsh\/\">P\u00e1draig Walsh<\/a><br \/>Partner |\u00a0<a href=\"mailto:padraigwalsh@tannerdewitt.com\">Email<\/a><\/p>\n<p>Disclaimer: This publication is general in nature and is not intended to constitute legal advice. You should seek professional advice before taking any action in relation to the matters dealt with in this publication. This article was last reviewed on <em>14 April 2026.<\/em><\/p>\n<\/div>\n\n\n\n\n<\/div>\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>\u00a0 The Protection of Critical Infrastructures (Computer Systems) Ordinance (Cap. 653) came into force in Hong Kong on 1 January 2026. This is the first substantial horizontal cybersecurity legislation in Hong Kong. 
We are exploring the scope and impact of this legislation in a series of articles, focusing in a Q&amp;A format on the key [&hellip;]<\/p>\n","protected":false},"author":22,"featured_media":32724,"parent":0,"menu_order":0,"template":"","meta":{"_acf_changed":false,"footnotes":""},"tags":[162,23,291],"insight-category":[1121],"insight-month":[1155],"insight-practice-area":[1146,1142],"insight-year":[1162],"class_list":["post-32722","insight-and-news","type-insight-and-news","status-publish","has-post-thumbnail","hentry","tag-cybersecurity","tag-legal-updates","tag-tmt","insight-category-legal-updates-and-insights","insight-month-april","insight-practice-area-cybersecurity","insight-practice-area-technology-media-and-telecommunications-tmt","insight-year-1162"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.tannerdewitt.com\/zh-hant\/wp-json\/wp\/v2\/insight-and-news\/32722","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.tannerdewitt.com\/zh-hant\/wp-json\/wp\/v2\/insight-and-news"}],"about":[{"href":"https:\/\/www.tannerdewitt.com\/zh-hant\/wp-json\/wp\/v2\/types\/insight-and-news"}],"author":[{"embeddable":true,"href":"https:\/\/www.tannerdewitt.com\/zh-hant\/wp-json\/wp\/v2\/users\/22"}],"version-history":[{"count":6,"href":"https:\/\/www.tannerdewitt.com\/zh-hant\/wp-json\/wp\/v2\/insight-and-news\/32722\/revisions"}],"predecessor-version":[{"id":32782,"href":"https:\/\/www.tannerdewitt.com\/zh-hant\/wp-json\/wp\/v2\/insight-and-news\/32722\/revisions\/32782"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.tannerdewitt.com\/zh-hant\/wp-json\/wp\/v2\/media\/32724"}],"wp:attachment":[{"href":"https:\/\/www.tannerdewitt.com\/zh-hant\/wp-json\/wp\/v2\/media?parent=32722"}],"wp:term":[{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.tannerdewitt.com\/zh-hant\/wp-json\/wp\/v2\/tags?post=32722"},{"taxonomy":"insight-category","embeddable":true,"href":"https:\/\/www.tannerdewitt.com\/zh-hant\/wp-json\/wp\/v2\/insight
-category?post=32722"},{"taxonomy":"insight-month","embeddable":true,"href":"https:\/\/www.tannerdewitt.com\/zh-hant\/wp-json\/wp\/v2\/insight-month?post=32722"},{"taxonomy":"insight-practice-area","embeddable":true,"href":"https:\/\/www.tannerdewitt.com\/zh-hant\/wp-json\/wp\/v2\/insight-practice-area?post=32722"},{"taxonomy":"insight-year","embeddable":true,"href":"https:\/\/www.tannerdewitt.com\/zh-hant\/wp-json\/wp\/v2\/insight-year?post=32722"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}