Financial Crime World

Hong Kong Bracing for Tougher Cybercrime Laws Amid Rising Threats

Hong Kong is facing a surge in cyberattacks, with CEO fraud and ransomware attacks being two of the most common types. To combat these threats, the Hong Kong Law Reform Commission (HKLRC) has proposed stricter laws to tackle cybercrime.

Strengthening Cybercrime Laws

The HKLRC recommends increasing the limitation period for summary proceedings on new cybercrime offenses from six months to two years, allowing for more effective prosecution of offenders. The maximum sentence for most offenses is also set to increase from 14 years to life imprisonment in cases where the act endangers human lives.

  • Limitation period for summary proceedings increased from 6 months to 2 years
  • Maximum sentence increased from 14 years to life imprisonment in cases that endanger human lives

Proposed Defenses and Exemptions

In addition, the HKLRC has requested submissions on whether there should be defenses and exemptions to the proposed new cybercrime offenses and the appropriate scope of such exemptions.

Cybersecurity Legislation

Cybersecurity is a growing concern for Hong Kong, with the government announcing plans to introduce legislation to strengthen the protection of network systems and critical infrastructure. The proposed law will define cybersecurity responsibilities for operators of critical infrastructure and impose compliance obligations on them.

  • Definition of “critical information infrastructure operators” similar to China’s national Cybersecurity Law
  • Compliance obligations on operators of critical infrastructure

Public Consultation Exercise

The government has indicated that it will consult with the Panel on Security in the Legislative Council on the introduction of cybersecurity legislation and launch a public consultation exercise by the end of this year.

Sample Cyberattacks: CEO Fraud and Ransomware

CEO fraud is a sophisticated email scam where attackers impersonate CEOs or executives to trick employees into transferring money or providing confidential company information. In one typical scenario, the attacker gains access to the CEO’s or executive’s email account, sends emails to employees requesting money, and intercepts payments from employees.

Ransomware is a form of malware that encrypts files and demands a ransom payment in exchange for restoring access. Both types of attacks would be considered offenses under the new cybercrime laws.

Next Steps

We will continue to monitor developments on cybersecurity and cybercrime legislation in Hong Kong. Responses to the consultation paper are due on October 19, 2022. Stay tuned for updates on this important issue.