
How companies can use the new cybersecurity bill to their advantage
By Andrew Lau
The new cybersecurity law in Hong Kong is a wake-up call.
This Easter, multi-national retailer Marks & Spencer suffered a severe cyberattack, which wiped $5.32b (£500m) off its stock value, with a further financial impact of $3.19b (£300m).
Worse, customer data was stolen, including personal information such as names, addresses, phone numbers, and order history.
Hong Kong recently passed the Protection of Critical Infrastructure (Computer System) Ordinance, which is scheduled to take effect on 1 January 2026. The changes are limited to critical infrastructure such as banking and healthcare.
However, all companies can incorporate some of the restrictions into their own infrastructure to better protect themselves.
Many of these changes are essential to all businesses because they codify best practices in cybersecurity and also have significant implications for companies operating in critical infrastructure sectors.
The four key changes are: stricter cybersecurity requirements for organisations managing critical infrastructure; government authority to access computer systems in the event of a cybersecurity incident, a power that has raised concerns among some international tech firms; mandatory security audits, risk assessments, and incident reporting; and fines of up to $5m for non-compliance.
Impact on businesses operating in the critical infrastructure sector
Companies in industries such as energy, banking, telecommunications, healthcare, and transport will face heightened regulatory scrutiny and must implement stringent security measures to comply with the law.
One of the most significant changes is the requirement for businesses to conduct regular cybersecurity audits and risk assessments to identify and address vulnerabilities before cybercriminals can exploit them. Organisations will also need to submit security management plans and incident response strategies to the authorities, demonstrating their preparedness for potential cyber threats.
Companies must report cybersecurity incidents within a strict timeframe – serious breaches must be reported within 12 hours, whilst other incidents must be disclosed within 48 hours. This requirement aims to minimise the impact of cyberattacks on essential services, but it also places considerable pressure on companies to maintain robust monitoring systems and response protocols.
Cybersecurity is no longer just an IT issue – it’s a core component of risk management, much like climate resilience.
For real estate investors and operators, a single breach can wipe out years of value creation. The M&S attack is a stark reminder that digital vulnerabilities can have very real financial consequences.
Companies that fail to meet the cybersecurity standards set by the law could face fines of up to $5m. This creates a strong incentive for businesses to invest in cybersecurity infrastructure, staff training, and external security expertise to ensure they meet regulatory expectations.
Beyond compliance, the law is expected to influence business operations and investment decisions. Some international firms have expressed concerns that the stringent regulations could deter technology investments in Hong Kong, particularly for companies that rely on cloud-based services and cross-border data transfers.
The government’s authority to access computer systems in the event of cybersecurity incidents has also raised concerns about privacy and operational impact amongst multinational corporations.
The G in Environmental, Social and Governance policy
The law has significant implications for Environmental, Social, and Governance (ESG) principles, particularly in the Governance aspect.
The law requires businesses to enhance data protection and risk management – key components of ESG governance. Companies must conduct regular audits and report incidents promptly, ensuring transparency and accountability in their operations.
The new cybersecurity law in Hong Kong is a wake-up call. Whilst it targets critical infrastructure, the smartest companies – especially in real estate – will go beyond compliance.
Proactively adopting these standards isn’t just about avoiding fines; it’s about protecting asset value, investor confidence, and operational continuity.
From a social responsibility perspective, the law protects critical infrastructure, ensuring reliable access to essential services. Businesses that comply with cybersecurity standards demonstrate a commitment to consumer protection, strengthening trust and reputation amongst stakeholders.
Additionally, ESG ratings and investment impact are closely tied to cybersecurity resilience. Investors are increasingly assessing cybersecurity preparedness when evaluating ESG performance.
Companies that fail to meet cybersecurity standards may face lower ESG ratings, which can impact their investment attractiveness and long-term sustainability.
A holistic approach to integrating cybersecurity in ESG
Integrating cybersecurity into an ESG strategy requires a holistic approach that aligns security measures with governance, social responsibility, and sustainability goals.
Businesses can start by conducting ESG-aligned cybersecurity risk assessments, ensuring that digital threats are mapped against broader ESG objectives. For example, protecting renewable energy systems from cyberattacks contributes to environmental sustainability, whilst securing healthcare data reinforces social responsibility.
Embedding cybersecurity into governance structures is another crucial step. Organisations should integrate cyber metrics into ESG disclosures, collaborate with compliance teams to align policies with global regulations, and establish board-level cyber-ESG committees to prioritise investments in secure digital infrastructure.
Transparent reporting is essential – stakeholders expect companies to disclose their cybersecurity risk management strategies and demonstrate a commitment to continuous improvement.
Cybersecurity is now a pillar of good governance. Investors scrutinise companies’ digital risk management as part of ESG performance. Embedding cybersecurity into ESG strategy isn’t just good practice – it’s a competitive advantage in attracting capital and building stakeholder trust.
Securing sustainable supply chains plays a vital role in ESG-driven cybersecurity. Since third-party vendors account for a significant portion of data breaches, businesses must ensure that their suppliers adhere to cyber-ESG criteria, such as the use of ethical AI and energy-efficient data centres.
Continuously monitoring critical partners helps maintain compliance and strengthens overall security resilience.
Expanding cyber insurance considerations
As cyber threats continue to grow in scale and sophistication, businesses should reassess their cyber insurance policies to ensure comprehensive protection.
Coverage should include: legal liability, which protects against lawsuits from customers or third parties affected by data breaches; operational disruption cover, to recoup revenue lost to system downtime caused by cyberattacks; ransom payment cover, for expenses related to ransomware demands, should the company choose to negotiate; regulatory fine cover, for penalties incurred through non-compliance; and incident response costs, to fund forensic investigations, public relations efforts, and customer notification procedures.
By voluntarily adopting stricter cybersecurity measures, businesses outside of regulated sectors can reduce their exposure to cyber threats and enhance stakeholder confidence.