Clyde & Co breaks down Hong Kong cyber law impact

Outlined – key steps businesses must take now

By Roxanne Libatique

Organisations operating in sectors deemed critical to Hong Kong’s infrastructure are preparing for the implementation of a new cybersecurity law set to take effect in 2026, with implications for governance, operational resilience, and regulatory compliance.

The forthcoming law requires organisations to enhance their digital security posture, introducing formal obligations for breach reporting, cyber risk assessments, and the development of response frameworks. These measures are designed to limit the fallout of cyber incidents and align the city’s digital security practices with international standards.

Impact of cybersecurity law on businesses

In an interview with Insurance Business, Simon McConnell, a partner at Clyde & Co and chair of the firm’s Asia-Pacific board, said firms should anticipate significant changes in how they manage cybersecurity.

“The new obligations imposed ensure data is well protected and risks are minimised in the event of cyber incidents, particularly in critical sectors, where such incidents could cause large-scale disruption and damage. The stringent breach reporting obligations will facilitate faster incident response and recovery, making sure threats are rapidly contained and downtime is minimised during crises in critical sectors,” he said.

Incident response planning, internal communication protocols, and vendor obligations are all areas that will need attention, according to McConnell.

“The formulation of cyber incident response plans and reporting protocols enhances transparency and communication within businesses and between stakeholders. This new development aligns Hong Kong with global regulatory developments and could restore more trust in the city as an international business hub,” he said.

The new legal requirements may also necessitate the reallocation of company resources to hire or train cybersecurity personnel, build incident reporting mechanisms, and continuously monitor evolving threats.

Key challenges for companies complying with cybersecurity law

McConnell noted that companies, especially small and mid-sized enterprises (SMEs), could face difficulties meeting the operational and financial demands of compliance.

“Companies may need to recruit qualified cybersecurity professionals or train existing staff on cybersecurity compliance and establish new systems to meet ongoing monitoring and reporting requirements specified in the law. Companies, particularly small to medium-sized ones, may find it challenging to allocate the financial and human resources needed to meet the new standards,” he said.

A key area of uncertainty remains the classification of “critical infrastructure operators,” a designation that will determine which organisations fall under the law’s strictest provisions. The Security Bureau is expected to issue more specific guidance, but no timeline has been confirmed.

“The tight timeline for companies to prepare for the various requirements of the bill may pose a challenge, especially without clear guidance,” McConnell told Insurance Business.

How to prepare for implementation of cybersecurity law

McConnell emphasised the need for organisations to assess which of their systems support business continuity and process sensitive data.

“Existing cybersecurity measures should be reviewed to understand the company’s cyber threat detection capabilities, and contracts – both existing and future – should be examined to ensure they include necessary security obligations and responsibilities. As stipulated in the law, cyber incident response plans should be formulated to address disruptions and reduce downtime to critical computer systems during a cyber incident,” he said.

Staff training and breach simulation exercises were also cited as essential to ensure readiness.

“Clear reporting protocols may be established by companies, such as preparing incident notification procedures to escalate a breach to senior management, and detailed communication processes that allow the company to react efficiently. Regular drills should be conducted to ensure cyber-readiness within the company,” McConnell said.

Businesses face cyber challenges

These preparations come as cyber risks continue to dominate global business risk assessments. According to the Allianz Risk Barometer for 2025, cyber incidents such as data breaches and system outages ranked as the most significant risk factor for the fourth year in a row, with 38% of surveyed professionals identifying them as their top concern.

In Hong Kong’s SME segment, a recent survey conducted by QBE between late 2024 and early 2025 found that digital threats, operational costs, and AI integration are reshaping risk profiles.

More than half of Hong Kong SMEs now use AI in their operations, but a growing number report concern over its implications. In the past year, 47% identified AI as a risk, citing data privacy and cyber vulnerabilities as primary issues.

Although cybersecurity awareness is rising, investment has not consistently followed. The proportion of SMEs implementing security software or conducting cybersecurity training declined slightly. However, hiring dedicated cyber staff and purchasing cyber insurance saw an uptick, with 43% of SMEs reporting active cyber coverage, up from 39% previously.
