
Hong Kong Cybersecurity Law

Ahead of the new cyber law in 2026, firms must be compliant to avoid potential fines and reputational damage.

Avoid up to HK$5m in penalties: Essential steps to prepare for Hong Kong cybersecurity law on 1 January 2026

Starting 1 January 2026, Hong Kong SAR will implement its first-ever cybersecurity law. Companies that fall short of the requirements could face fines of up to HK$5 million (approximately US$642,500) along with additional daily penalties for any ongoing breaches.

The Protection of Critical Infrastructures (Computer Systems) Ordinance targets key sectors such as energy, banking, telecommunications, transport, and healthcare.

The law focuses on three main areas:

  • Organisational cybersecurity requirements for the management of critical infrastructure in Hong Kong SAR.
  • The implementation of robust preventive measures to guard against cyber threats and attacks.
  • Procedures for timely incident reporting and effective response to cybersecurity incidents.

What does the new cybersecurity law mean for your business? 

The new law will raise the bar on compliance and operations. Key obligations for businesses designated as critical infrastructure operators (CIOs) include:

  • Preventive obligations: CIOs must conduct a computer-system security risk assessment at least once a year and submit a report within three months after the end of each assessment period.
  • Incident response obligations: within three months of receiving CIO designation, organisations must formulate and submit an emergency response plan.

At the same time, insurers are expected to take a more cautious approach to underwriting. Without proof of strong cybersecurity practices, your business could face reduced coverage and higher costs.

On the flip side, companies that can demonstrate cyber maturity will be better positioned to negotiate more favourable insurance terms.

What can your business do to prepare for the new regulatory landscape? 

While the final code of practice has yet to be released, you can prepare now with a few practical steps:

1. Assess your cybersecurity posture

Understanding where you stand today is the first step. Tools such as Marsh’s Cyber Self-Assessment — the only diagnostic accepted by all insurers for application and binding — highlight gaps in your current controls, identify areas for improvement, and simplify the insurance process.

2. Develop and test an incident response plan

An incident response plan is essential to reduce losses and costs during a cyber incident, but many businesses struggle to design realistic scenarios on their own. With Marsh’s Cyber Crisis Simulation Exercise, you can pressure-test your plan in scenarios tailored to your industry, maturity level, and operational requirements, and ensure that board-level directors and senior managers can respond effectively. Where applicable, the exercise can also reflect insurer engagement and claims management.

Together, these steps can strengthen your cyber resilience, improve your risk profile, and help secure better insurance outcomes.

“Hong Kong’s new cybersecurity law underscores the growing importance of cyber resilience now more than ever. Many organisations in the region remain underinsured due to underestimating the potential impact of cyber incidents.”

“This highlights the critical need for businesses to partner with experienced risk advisors who not only understand the regulatory landscape, but also the complexities of cyber risks, to ensure compliance and to bolster overall cybersecurity defenses.”

Sean Letz
Cyber Leader for Marsh Asia

Why partner with Marsh? 

Marsh Asia is the only broker in the region offering a full suite of cyber resilience services, delivered by a 25-strong local team of former underwriters, lawyers, actuaries, cyber advisors, and claims specialists.

Our integrated approach covers insurance, risk intelligence, claims and incident management, and cybersecurity. With tools like the Cyber Self-Assessment (used by more than 500 Asian companies) and Cyber Risk Quantification, we help translate cyber risk into financial impact.

Globally, we placed over US$4 billion in cyber premiums in 2024, giving us unmatched insights and negotiating power.

Get your business ready for upcoming changes

Find out how Marsh Asia can help you strengthen your cyber risk preparedness amid increasing regulatory requirements.