Starting 1 January 2026, Hong Kong SAR will implement its first-ever cybersecurity law. Companies that fall short of the requirements could face fines of up to HK$5 million (approximately US$642,500) along with additional daily penalties for any ongoing breaches.
The Protection of Critical Infrastructures (Computer Systems) Ordinance targets key sectors such as energy, banking, telecommunications, transport, and healthcare.
The law focuses on three main areas:
The new law will raise the bar on compliance and operations. Key obligations for businesses designated as critical infrastructure operators (CIOs) include:
At the same time, insurers are expected to take a more cautious approach to underwriting. Without proof of strong cybersecurity practices, your business could face reduced coverage and higher costs.
On the flip side, companies that can demonstrate cyber maturity will be better positioned to negotiate more favourable insurance terms.
While the final code of practice has yet to be released, you can prepare now with a few practical steps:
Understanding where you stand today is the first step. Tools such as Marsh’s Cyber Self-Assessment — the only diagnostic accepted by all insurers for application and binding — highlight gaps in your current controls, identify areas for improvement, and simplify the insurance process.
An incident response plan is essential to reduce losses and costs during a cyber incident, but many businesses struggle to design realistic scenarios on their own. With Marsh’s Cyber Crisis Simulation Exercise, you can pressure-test your plan against industry, maturity level, and operational requirements and ensure board-level directors and senior managers can respond effectively. Where applicable, the exercise can also reflect insurer engagement and claims management.
Together, these steps can strengthen your cyber resilience, improve your risk profile, and help secure better insurance outcomes.
Marsh Asia is the only broker in the region offering a full suite of cyber resilience services, delivered by a 25-strong local team of former underwriters, lawyers, actuaries, cyber advisors, and claims specialists.
Our integrated approach covers insurance, risk intelligence, claims and incident management, and cybersecurity. With tools like the Cyber Self-Assessment (used by more than 500 Asian companies) and Cyber Risk Quantification, we help translate cyber risk into financial impact.
Globally, we placed over US$4 billion in cyber premiums in 2024, giving us unmatched insights and negotiating power.
Find out how Marsh Asia can help you strengthen your cyber risk preparedness amid increasing regulatory requirements.