A pre-eminent law firm in Hong Kong

A Hong Kong icon returns

Our vision is to help support our clients and the broader community in Hong Kong to capitalise on the exciting and unique range of local and global opportunities the city offers.
IWD 2025

Accelerate Action

During International Women's Day, JSM reaffirmed its commitment to advance equity in the workplace. JSM partner and co-chair of the firm's Gender Equality Network, Jasmine Chiu, shared JSM's Diversity, Equity and Inclusion strategies and initiatives with three publications highlighting our efforts to empower all employees in their career advancement.
Asian Financial Forum 2025

Powering the next growth engine

JSM was a collaborating partner at the 2025 Asian Financial Forum (AFF), facilitating the exchange of insights among influential leaders in the global economy. Our Commercial Managing Partner, Hannah Ha, led an insightful panel titled “Global Spectrum – Forging Regional Capital Markets Collaboration”.
Introducing JSM

Homegrown.
Global outlook.

Our story is more than 160 years old. It is a story that demonstrates the resilience, spirit and strength the people of Hong Kong are renowned for, as our city grew from the small provincial port in Southern China to become the leading global financial and legal centre that it is today.

When the world has changed, so has our firm – always taking the initiative to find the best course through uncharted territory for our clients, the community and our people.

Who we are

Established in 1863.

Reinvented in 2024.

Insights

Latest publications

Part 1: A snapshot of Hong Kong competition law enforcement since 2024

Hong Kong competition law enforcement operates under an adversarial system, distinguishing itself from the administrative enforcement regimes adopted in Mainland China. Under this framework, the Hong Kong Competition Commission (the “Commission”) oversees investigating and prosecuting anti-competitive conduct that contravenes the Hong Kong Competition Ordinance. The Commission has to apply to the Hong Kong Competition Tribunal (the “Tribunal”) for imposing penalties.

From 2024 to Q1 2025, the Commission maintained robust enforcement efforts, with a particular focus on tackling cartel cases impacting livelihoods and enhancing co-operation with Mainland authorities. In this three-part legal update, we examine key developments in competition law enforcement, highlighting significant cases, and providing practical insights to help clients navigate Hong Kong’s dynamic competition landscape.

Administrative developments

(1) Enhancing cross-border cooperation with Guangdong AMR in GBA

In January 2024, the Commission and the Guangdong Administration for Market Regulation (“Guangdong AMR”) jointly published the Competition Compliance Manual for Businesses in Guangdong and Hong Kong (the “Manual”).[1] This initiative aims to assist businesses in the Guangdong-Hong Kong-Macao Greater Bay Area (GBA), particularly small and medium-sized enterprises, in understanding and navigating the competition law frameworks in both Hong Kong and Mainland China to ensure compliance.

The Manual provides a comprehensive overview of key legal provisions and enforcement mechanisms while also incorporating relevant case studies and practical compliance recommendations. It not only serves as a valuable resource for businesses but also signals the commitment of competition agencies on both sides to fostering a fair and competitive business environment in the GBA.
The Manual also builds upon and advances the goals established in the Memorandum of Understanding (MoU) signed between the two agencies on July 19, 2023.[2]

(2) Leadership confidence

On 26 April 2024, the Hong Kong government announced the reappointment of Samuel Chan Ka-yan as chairman of the Commission, along with nine incumbent members, for a two-year term starting 1 May 2024. Additionally, Rasul Butt was reappointed as chief executive officer of the Commission for a three-year term beginning 3 May 2024.[3] These reappointments reflect the government’s confidence in their leadership and strategic direction.

(3) MoU with ICAC

On 18 December 2024, the Commission signed a MoU with the Independent Commission Against Corruption (ICAC) to enhance collaboration and information exchange between the two agencies.[4] The MoU establishes a framework for collaboration on case referrals, joint investigations and research, specifically targeting illegal activities involving both anti-competitive and corrupt practices.

Under the MoU, both agencies will actively consider referring matters to one another based on their respective functions. Businesses are advised to remain vigilant about potential violations that may fall under both the Prevention of Bribery Ordinance and the Competition Ordinance. If a case overlaps the jurisdiction of both agencies, they will co-ordinate to conduct joint investigations for efficient resolution. The MoU also creates a platform for coordinating training initiatives to enhance enforcement capabilities.

This MoU follows two successful joint actions in April and August 2024[5] targeting bid-rigging and corruption in the building maintenance sector. The MoU signing acknowledges the significant risks companies face when engaging in public biddings vulnerable to bid-rigging and corruption, highlighting the importance of maintaining vigilant oversight of projects vulnerable to such misconduct.
This is also the third inter-agency MoU signed by the Commission, following agreements with the Communication Authority (CA) in 2015[6] and the Securities and Futures Commission (SFC) in 2020[7]. These partnerships demonstrate the agencies’ commitment to fostering a complementary and coordinated approach to fulfilling their respective enforcement responsibilities.

Enforcement developments

(1) Administrative level

- The leading EV producer BYD adjusted its potentially anti-competitive business policy after the Commission raised concerns.[8]
- The Commission conducted four warranted searches targeting suspected cartels involved in the funeral services, building maintenance and logistics technology services sectors.

Table 1: Warranted Searches (2024 to Q1 2025) (see notes [9], [10], [11], [12] for the corresponding remarks in the table)

(2) Adjudicative level

- Midland initiated the first legal challenge to the Commission’s application of Leniency Policy for Undertakings Engaged in Cartel Conduct (“Undertaking Leniency Policy”) in the real estate agency cartel case in March 2024.[13]
- The Tribunal made a judgment on the first cartel case linked to a government subsidy programme in July 2024;[14]
- The Tribunal concluded the cleansing service cartel case in February 2025, which was initially brought by the Commission in 2022.[15]
- In February 2025, West Kowloon Magistrates’ Court handed down the first criminal conviction for obstructing the Commission’s investigation in the cleaning service cartel case.[16]

Table 2 – Timeline of Listed Cases at Adjudicative Level

Date | Event

Real estate agents (Midland et al)
Jan. 2023 | Commission probed internal memos regarding real estate agency commissions[17]
Nov. 2023 | Commission commenced proceedings against Midland and senior management[18]
Mar. 2024 | Midland initiated legal challenge to Commission’s leniency policy

Government subsidy case in IT sector (Multisoft et al)
Mar. 2023 | Commission brought first proceedings in government subsidy case in the IT sector[19]
Jun. 2024 | Tribunal ordered payment of penalties against respondents who admitted liability; Commission applied for relief against non-responding parties[20]
Jul. 2024 | Tribunal handed down judgment in this government subsidy case

Cleansing service case (Hong Kong Commercial Cleaning (“HKC”))
Dec. 2021 | Commission brought proceedings against cleansing service cartel[21]
Jan. 2024 | An involved undertaking (Man Shun Hong Kong & Kln Cleaning Company Limited) and its director admit liability[22]
Aug. 2024 | Commission brought plea against individual obstructing investigation before West Kowloon Magistrates’ Courts[23]
Dec. 2024 | HKC and its two directors admitted liability[24]
Jan. 2025 | Tribunal issued orders against all respondents[25]
Feb. 2025 | Tribunal made judgment
Feb. 2025 | West Kowloon Magistrates’ Courts issued a criminal conviction against the individual obstructing Commission’s investigation

In Parts 2 and 3, we will uncover key revelations from the Commission’s raids and delve into these cases that have progressed at the Tribunal from 2024 to Q1 2025, shedding light on their implications and essential takeaways for companies to navigate Hong Kong’s competition law maze.

Before delving into Part 2, let’s reflect on several critical questions:

- What implications can companies learn from the active joint oversight of the Commission and ICAC in public tendering?
- What red flags should companies watch out for to avoid unknowingly participating in bid-rigging or bribery schemes?
- How can warranty restrictions on car repairs be potentially incompatible with Hong Kong’s competition laws?
- What lessons can companies draw from enforcement actions of competition authorities in the aftersales market?
Legal update 25 March 2025
Legal update 25 March 2025
Background

For nearly two centuries, Hong Kong has adopted a “deeds registration system” under the Land Registration Ordinance (Cap. 128 of the Laws of Hong Kong) (“LRO”). The existing deeds registration system governs priority of instruments registered in the Land Registry, but does not serve as a guarantee of title to the property. As a result, in order to ascertain whether a vendor has good title, it is still common practice for the purchaser to engage solicitors to inspect historical title deeds and documents relating to the relevant property for each conveyancing transaction. This title investigation process is labour-intensive, time consuming, and sometimes inevitably subjective and uncertain. Further, upon completion of each transaction, the purchaser or mortgagee must safekeep the voluminous title deeds and documents, which will similarly be required for future transactions.

On the other hand, a “title registration system” recognises the person registered in the title register kept by the Land Registry (“Title Register”) to be the true owner, and the Title Register will be conclusive evidence of title. A title registration system was introduced by the enactment of the Land Titles Ordinance (Cap. 585 of the Laws of Hong Kong) (“LTO”) in 2004, but the LTO has yet to come into operation to date due to a number of unresolved legal and operational issues.

After lengthy consultation and discussion, on 28 February 2025, the Hong Kong Government gazetted the Registration of Titles and Land (Miscellaneous Amendments) Bill 2025 (“Amendment Bill”) to amend the LTO, with a view to implementing the title registration system by stages. The title registration system, as modified in the Amendment Bill, will represent a significant step forward in modernising the land system in Hong Kong, which we welcome and support.

The Amendment Bill will revamp almost the whole LTO and is a piece of complex and extensive legislation.
In the first part of this update, we summarise the legal positions and key differences under the existing regime, the LTO and the Amendment Bill. In the second part, we have selected and further elaborated on some salient features of the Amendment Bill which may be of interest to readers. Any reference to a section of the LTO in this update is a reference to the relevant section of the LTO as may have been amended or added by the Amendment Bill.

“New Land First” proposal

Before delving into the summary, the most significant feature of the Amendment Bill is certainly the Government’s proposal to adopt the title registration system to “new land” first.

The concept of “new land” is introduced in the Amendment Bill to mean land held under a Government lease or an agreement for a Government lease granted on or after the commencement date of the LTO. Subject to certain exceptions (please refer to item 1 of Part 2 below), “new land” generally includes land granted by the Government through land sale, private treaty grant and land exchange (each a “New Land”). New Land is free from prior interests or title defects and provides a clean start to the Title Register. After the implementation of the title registration system to New Land, the Government will work out the mechanism for conversion or transition of the existing land interests into the Title Register.

Part 1 – A succinct summary

The legal positions and key differences under the existing regime, the LTO and the Amendment Bill are summarised below:

Part 2 – Salient features

We have selected some salient features of the Amendment Bill for further elaboration below.

1. Exceptions to New Land

Some pieces of land may at first glance appear to fall within the scope of New Land, but are in fact excluded from the title registration system for the time being, namely:

- land held under short term tenancy from the Government which is usually of temporary nature (typically for seven years or less);
- land granted to extend the term or size of an existing Government lease (e.g. by an extension letter);
- land where the lease is modified without being surrendered and re-granted (e.g. by deed of variation or modification letter);
- land deemed to be held under a new Government lease upon renewal by virtue of the Government Leases Ordinance (Cap.40 of the Laws of Hong Kong);
- land under a Government lease deemed to be issued upon issuance of Certificate of Compliance by virtue of the Conveyancing and Property Ordinance (Cap.219 of the Laws of Hong Kong); and
- land held under a direct lease from the Government under the Block Crown Lease (Cheung Chau) Ordinance (Cap.488 of the Laws of Hong Kong).

2. Indefeasible title

Under the existing LTO, the MR rule allows the court to restore ownership to innocent former owners if they lost their titles as a result of fraud. The Amendment Bill proposes to abolish the MR rule (by repealing the relevant section under the existing LTO). This provides title certainty to a purchaser who genuinely pays valuable consideration to buy the property. The innocent former owner would have no recourse against such purchaser, but could instead be potentially compensated through the Indemnity Fund, subject to the revised cap of HK$50 million.

However, where the purchaser is a party to the fraud or has knowledge of the fraud or has contributed to the fraud (in other words, the purchaser is not bona fide), the court may still grant an order to rectify the Title Register under section 82 of the LTO.
The Land Registrar will also have the power to make a restriction order under section 78 of the LTO to prohibit the registration of property transfer if fraud is suspected.

3. Nature of indemnifiable loss and time limit for application

For parties entitled to be compensated for their loss of title through the Indemnity Fund, sections 85 and 85D of the LTO clarify the amount of indemnity payable in case of fraud, mistake or omission.

Generally, the amount which a person is entitled to be indemnified in relation to a fraudulent entry is the lesser of:

- the value of the indemnifiable interest as at the date on which a specified order is made in relation to the entry; and
- the value determined by the Financial Secretary.

On the other hand, the amount indemnifiable in case of mistake or omission is the actual and foreseeable amount of loss suffered as a result of the indemnifiable mistake or omission.

Those entitled to be indemnified should be mindful of the time when the application has to be made. If the court is satisfied that an entry was registered or omitted by fraud, mistake or omission, and subsequently makes a specified order to rectify, the party who failed to recover the property must claim for indemnity within one year after the rectification order is made.

4. Introduction of “overriding interests”

Under the existing registration system, registrable instruments that are not registered in the Land Registry would be void against bona fide purchaser or mortgagee for valuable consideration, except that this does not apply to a tenancy or lease at market rent for less than three years.

The LTO and the Amendment Bill introduce a list of exhaustive definitions of “overriding interests”, which are interests that affect the land despite not being registered, such as (among others) easements out of necessity and rights of way. This means that the registered owners of New Land may be subject to certain unregistered overriding interests.
That said, under section 46 of the LTO, generally the vendor will have an obligation to provide the purchaser with the full particulars of the relevant overriding interests of which the vendor has, or ought reasonably to have, knowledge.

Under section 48 of the LTO, the grant of lease of New Land could only be effectual if such lease is registered in the Title Register. This raises the question of whether a tenancy or lease at market rent held in good faith for less than three years (which is not required to be registered under the existing LRO) must also be registered in the Title Register. To align with this prevailing legal position, both LTO and the Amendment Bill have already specified such tenancy or lease as an overriding interest, the registration of which in the Title Register is not necessary.

5. Interests of purchasers for valuable consideration not affected by notice

Interests not registrable under the existing LRO (such as resulting trust or constructive trust in favour of other family members or occupants of the property) are common in Hong Kong due to informal family arrangement. Under the doctrine of notice, a purchaser who has actual or constructive notice of such non-registrable interests will take the property subject to such non-registrable interests.

After section 28A of the LTO comes into operation, purchasers of New Land for valuable consideration without fraud will no longer be affected by such non-registrable interests. The exception is when the purchaser acquired the property as a result of fraud, even though the purchaser has paid valuable consideration for acquiring the property.

The operative effect of this section 28A also means that the doctrine of notice in Wong Chim-Ying v Cheng Kam-Wing ([1991] 2 HKLR 253) will cease to apply to New Land, to the extent varied by section 28A.
Practically, this means that, in the absence of fraud, even if a purchaser is aware of certain non-registrable interests in a property, their title to the property will not be affected by such non-registrable interests.

6. Effect of breach of trustee’s duty

A trustee may be registered as owner, chargee or lessee of New Land. If the trustee disposes of New Land in breach of the trustee’s duty, the transaction will still be valid and enforceable if the purchaser is bona fide acting in good faith and has provided valuable consideration. The disposition cannot be overturned simply because of the breach of trust.

While the above protection is offered to bona fide purchasers, the LTO and Amendment Bill do not extend the indemnity to other affected third parties (such as the beneficiaries of the relevant trusts). In other words, such third parties will probably have to claim relief against defaulted trustees through legal proceedings for breach of duty.

7. Rights of succession

The LTO and the Amendment Bill stipulate that certain succession rights in relation to New Land will not be affected by the title registration system. Specifically, under section 58 of the LTO, the right of owners of New Land to dispose of their New Land through a will is preserved. The law governing intestate succession also remains unchanged. Furthermore, the operation of sections 15 and 18 of the New Territories Ordinance (Cap.97 of the Laws of Hong Kong), which address matters related to land in the New Territories, is preserved by the said section 58 (to the extent they apply to New Land).

The law of intestate succession is also not affected by the LTO and the Amendment Bill. Nevertheless, it is very common for beneficiaries under intestate estate to enter into deed of family arrangement to reallocate the distribution of estate among the beneficiaries. It remains to be seen how such family arrangement may interact with the title registration system.

8. Stamp duty charge on the registered land

The Amendment Bill provides (through a proposed additional amendment to the Stamp Duty Ordinance (Cap.117 of the Laws of Hong Kong)) that there will be a charge in favour of the Collector of Stamp Revenue on the registered land, when an instrument relating to the registered land is submitted to the Stamp Office for adjudication and the adjudication is pending. Such charge will stand until the earlier of the date on which such instrument is stamped, or the date on which the Stamp Office confirms that no stamp duty is payable on such instrument or that such instrument is not chargeable with stamp duty.

There is uncertainty (from the text of the LTO and Amendment Bill) as to how this charge impacts on the security of banks and lenders who provide secured financing involving instruments that require adjudication. Banks and lenders may therefore have to seek additional legal protection from the borrower to cover such potential stamp duty exposure.

9. Interaction with Companies Ordinance

Section 37(2) of the LTO states that in relation to registered charges, in case of conflict or inconsistency between the provisions of the LTO and the provisions of Part 8 of the Companies Ordinance (Cap.622 of the Laws of Hong Kong), the latter should prevail over the LTO.

One important possible consequence is that if a company creates a charge relating to registered land, such charge should be registered in both Title Register and the Companies Registry. However, where the charge is (only) registered in the Title Register but is not registered with the Companies Registry within the prescribed time period, the charge will then be void against any liquidator and creditor of the company by virtue of section 337 of the Companies Ordinance. The registration of the charge in the Title Register cannot cure such defect.
Conclusion

As mentioned above, we welcome the introduction of the title registration system beginning with New Land first, as we agree that it will offer a higher degree of certainty in property ownership, simplify the traditional conveyancing process and enhance business efficiency in property transactions with respect to New Land.

As the Amendment Bill will go through discussions and debate in the Legislative Council, we expect there will be further improvements and clarifications. Inevitably, there are also likely to be teething problems and legal issues arising from the new regime coming into force. Meanwhile, we also look forward to the Government introducing plans in due course for a progressive, comprehensive and seamless conversion of existing lands registered under the LRO to become lands regulated under the title registration system.

Our team is prepared to support and guide our clients on any issues relating to the title registration system which they may encounter. Please feel free to reach out to any of us if you have any enquiry or would like to learn more on how we can help you to better prepare for the implementation of title registration system.
Legal update 21 March 2025
After nearly two years of deliberation and consultation with various stakeholders, the Protection of Critical Infrastructures (Computer Systems) Bill (the “Bill”) was passed by the Legislative Council on 19 March 2025. As stated by the Secretary for Security, Chris Tang, the purpose of the law is to “establish legal requirements for organisations designated as critical infrastructure operators”. The Bill is expected to come into effect on 1 January 2026.

Last year, we published an update discussing the initial proposed legislative framework (“Proposed Framework”) and another update summarising the Security Bureau’s response to stakeholders’ feedback regarding the Proposed Framework (“Consultation Report”).

This legal update provides a brief overview of the scope as well as the main obligations under the Bill. We also discuss specific issues that entities regulated by the Bill should be mindful of.

Scope of regulation

There are three definitions essential to understanding the Bill and the scope of its regulation: (i) critical infrastructures (“CI”), (ii) CI operators (“CIOs”) and (iii) Critical Computer Systems (“CCS”).

Designations of CI and CIOs

The Bill imposes various obligations on CIOs, i.e. organisations that operate CI. The Bill provides that CI are those essential to the continuous provision in Hong Kong of an essential service in 8 designated sectors, namely: (1) energy, (2) information technology (IT), (3) banking and financial services, (4) air transport, (5) land transport, (6) maritime transport, (7) healthcare services and (8) telecommunications and broadcasting services (“Designated Sectors”).

It is worth noting that an infrastructure not within the eight Designated Sectors may still be considered as a CI if damage or loss of functionality to it may hinder or substantially affect the maintenance of critical societal or economic activities in Hong Kong. Examples may include major sports and performance venues or major technology parks.
However, the Bill does not provide definitions of the Designated Sectors. The Consultation Report acknowledged that stakeholders had called for a clearer and narrower definition of the IT sector, but the Security Bureau maintained its position and stated that it would communicate with potential CIOs before designating them as such.

Designations of CCS

The Bill provides that a CCS is one that is accessible by a CIO in or from Hong Kong and that is essential to the core function of a CI. The Bill applies to CCSs and CIs whether they are in-house or outsourced.

Extraterritorial application

The Consultation Report clarified that the Bill does not have extraterritorial effect. The Commissioner of Critical Infrastructure (Computer-system Security) (the “Commissioner”) will only request information that is accessible by CIOs with offices set up in Hong Kong. With this in mind, CIOs that operate in multiple jurisdictions should carefully consider the access granted to a CIO’s office in Hong Kong.

Obligations of CIOs

The Bill provides three main categories of obligations to be borne by CIOs:

Organisational obligations (Category 1 Obligations)

- Maintain a physical office in Hong Kong for carrying on the CIO’s business (i.e. it is not merely a correspondence address)
- Report any change in operatorship of CIs within 1 month from when the change occurs
- Set up a computer-system security management unit (in-house or outsourced)

Preventive obligations (Category 2 Obligations)

- Notify the following to the Commissioner’s Office within 1 month of its occurrence:
  - material changes in design, configuration, security or operation, etc. of CCS
  - addition / removal of CCS to the CI
  - changes that render an existing system essential to the core function of the CIO
- Formulate, implement and submit a computer-system security management plan[1] within 3 months after receiving designation as CIO (unless an extension is granted)
- Conduct a computer-system security risk assessment at least once every 12 months and submit a report within 3 months after each assessment period (unless an extension is granted)
- Conduct an independent computer-system security audit at least once every 24 months and submit a report within 3 months after each audit period (unless an extension is granted)

Incident reporting and response obligations (Category 3 Obligations)

- Participate in a computer-system security drill organised by the Commissioner’s Office
- Formulate an emergency response plan[2] and submit the plan within 3 months after receiving CIO designation
- Notify the Commissioner of computer-system security incidents:
  - Incidents which have disrupted or are disrupting or likely to disrupt the core function of CI will need to be reported within 12 hours after CIO becoming aware of the incident
  - Other incidents need to be reported within 48 hours after CIO becoming aware of the incident.
  - A written report of the incident shall be submitted within 14 days from the date on which CIO first becomes aware of the incident

Non-compliance with the obligations under the Bill may constitute offences punishable with maximum fines ranging from HK$500,000 to HK$5 million. If it is a continuing offence, the daily additional maximum fine ranges from HK$50,000 to HK$100,000 for every day during which the offence continues.

It is important to note that the defences of “due diligence” (i.e. the commission of the offence was due to a cause beyond the defendant’s control and the defendant has taken all reasonable precautions and exercised all due diligence to avoid committing the offence) and “reasonable excuse” (i.e. the defendant has sufficient evidence to raise an issue that it had such a reasonable excuse and the contrary is not proved by the prosecution beyond reasonable doubt) are available for certain offences under the Bill.

The penalties under the Bill only apply to CIOs at the organisation level and do not extend to senior management at the individual level. However, if the violations involve criminal acts such as providing false information or fraud-related activities, then the relevant individuals may be held personally liable for those criminal acts.

Regulatory and enforcement authorities

The Bill will be enforced by the Commissioner’s Office, which is expected to be established by June this year.[3] The Bill also designates regulators of certain industries as designated authorities, which now only include the Monetary Authority (to regulate the banking and financial services sector) and the Communications Authority (to regulate the telecommunications and broadcasting services sector).

Potential issues for further consideration

Being the first legislation of its kind in the city, some concepts in the Bill may require further clarification to enable effective compliance by CIOs. We highlight a few issues below which CIOs may need to consider when preparing for compliance with the Bill.

(1) What is a computer-system security incident?

CIOs have an obligation to notify and respond to computer-system security incidents (“Security Incidents”). A Security Incident is defined in the Bill to mean an event that involves unauthorised access to the CCS, or any unauthorised acts done on or through the CCS or another computer system that has an actual adverse effect on the computer-system security of the CCS.

“Adverse effect” is not defined in the Bill, and it is possible the Commissioner or designated authorities may release further codes of practice to elaborate on this term.
The Secretary for Security has clarified the term can generally be understood as “compromising or undermining of the availability, integrity and confidentiality of the information or services of a CCS or its protection ability.”[4] The Consultation Report noted the Code of Practice (“CoP”) will provide guidelines and examples on what would amount to Security Incidents.

In the meantime, it may be helpful to take reference from similar legislations in other jurisdictions to understand the types of incidents that may constitute “adverse effect” to CCS.

Singapore

Singapore’s Cybersecurity Act 2018 adopts a similar definition for “cybersecurity incident”, which is defined as “an act or activity carried out without lawful authority on or through a computer or computer system that jeopardises or adversely affects its cybersecurity or the cybersecurity of another computer or computer system”.[5]

In the Explanatory Statement for Cybersecurity Act 2018, it was further explained that a cybersecurity incident is a cybersecurity threat that has been realised, with the following examples provided:[6]

- The unauthorised hacking of a computer;
- The accessing of a hyperlink in a phishing email that results in the installation of a malicious computer program; and
- The opening of an infected document in an email that results in the execution of a malicious computer program.

The United Kingdom

The United Kingdom’s Network and Information Systems Regulations 2018 provides that essential service operators should report incidents (an incident being defined as any event having an actual adverse effect on the security of network and information systems) which have a significant impact on the continuity of the relevant essential services.[7] While what may constitute significant impact may vary depending on the industry, the following factors are relevant in determining the significance of impact:

- The number of users affected by the disruption of essential services;
- The duration of the incident; and
- The geographical area affected by the incident.

(2) Where do the codes of practice stand in the legislative regime?

The Bill provides that a regulating authority may issue codes of practice to provide practical guidance on how CIOs are to comply with their obligations under the Bill. The codes of practice are not part of the Bill and the failure to comply with a code of practice does not give rise to any civil or criminal liability per se. However, CIOs should note that the codes of practice are admissible evidence in legal proceedings and that proof of contravention of such may be relied on by parties to the proceedings.

(3) What are regulated organisations?

The Bill provides parallel regimes for the regulation of CIOs and regulated organisations. Regulated organisations are CIOs specified in the Bill that are regulated by specified designated authorities. All other CIOs are regulated by the Commissioner. The parallel regimes may prevent double reporting obligations by the regulated organisations. Regulated organisations are not subject to any fewer obligations than other CIOs under the Bill; the major difference is that they are regulated by different authorities and thus have different points of contact when fulfilling their statutory obligations. It is worth noting designated authorities only regulate Category 1 and 2 Obligations.
It seems the Bill intends for the Commissioner to regulate Category 3 Obligations (i.e. obligations relating to incident reporting and response) for all CIOs. Therefore, CIOs operating in banking and financial services and telecommunications and broadcasting services sectors are likely to have to notify multiple authorities if they become aware of a Security Incident. Currently, the Bill only specifies the designated authorities and regulated organisations in the table below. It is anticipated that more may be added to the list in the future.

Relevant sector: Banking and financial services
Designated authority: Monetary Authority
Regulated organisations:
- Authorised institutions
- Licensees as defined by section 2 of Payment Systems and Stored Value Facilities Ordinance (Cap. 584)
- Settlement institutions of a designated system
- System operators of a designated system

Relevant sector: Telecommunications and broadcasting services
Designated authority: Communications Authority
Regulated organisations:
- Holders of a unified carrier licence
- Holders of a space station carrier licence
- Domestic free television programme service licensees
- Licensees as defined by section 13A(1) of Telecommunications Ordinance (Cap. 106)

(4) What should a computer-system security risk assessment cover?

A CIO must conduct regular computer-system security risk assessments, which shall include, among other things, a vulnerability assessment and a penetration test. Vulnerability assessment is defined to mean “an assessment that (a) systematically examines the system for known vulnerabilities; and (b) aims at identifying the vulnerabilities of the system for preventing any exploitation of them.” Penetration test means “a test that (a) simulates an attack on the system by electronic means and (b) aims at identifying the vulnerabilities of the system through the simulated attack.”

(5) What are the requirements for computer-system security management plans and emergency response plans?
CIOs are required to submit a computer-system security management plan and an emergency response plan that cover matters specified in Schedule 3 of the Bill within 3 months after their designation as CIOs. Importantly, the submission of these plans is among the earliest obligations that CIOs need to fulfil upon their designation. As the Bill imposes extensive requirements on these plans, potential CIOs should plan and start preparing them early. CIOs should review their upcoming budgets and ensure they allocate sufficient resources for complying with the requirements under the Bill, especially when external consultants may need to be engaged.

Requirements on computer-system security management plans

The Bill provides for general matters that a computer-system security management plan should cover, including:

- and personnel responsible for the risk management of the CCS;
- The process of identifying the computer systems essential to the functioning of the critical infrastructures;
- Policies and guidelines for the identification of risks relating to computer-system security, detection of threats, controlling of access to systems, etc.; and
- The provision of training to staff whose work relates to the computer-system security of the CCS.

A computer-system security management plan should also include an emergency response plan.

Requirements on emergency response plans

The Bill provides that emergency response plans should at a minimum cover the following matters:

- The division of work in the team responsible for responding to Security Incidents.
- The threshold for initiating the emergency response plan.
- Procedures for reporting Security Incidents.
- Procedures for investigating causes and impacts of Security Incidents.
- The recovery plan for resuming the normal operation of the critical infrastructure.
- The plan for communicating with stakeholders and the public regarding Security Incidents.
- Post-incident measures for preventing the recurrence of Security Incidents.
- Policies and guidelines for reviewing any submitted emergency response plans.

Concluding remarks

The Bill is welcomed as the designated critical infrastructures are essential to the functioning of the city. A cyber security attack on any of the designated sectors will not only bring about serious disruption but also economic damage. Greater digitalisation and rising cyber threats highlight the existential risk posed by cyber incidents. The introduction of such a legal regime will result in CIOs adopting more robust cyber security measures to protect not only their own systems, but the larger network of essential services they support. Companies or vendors that interact with CIOs will be required to up their game as well (e.g. these companies will need to implement security protocols and update their cyber defences). For CIOs, third-party risk management practices are fundamental.

As we highlighted above, the various planning, reporting and response obligations imposed by the Bill and the ambiguities in regulatory scope may present challenges to potential CIOs. Preparation in advance and close communication with the regulating authorities will be essential in ensuring compliance. CIOs should also stay abreast of the regulatory development in this area, particularly with regard to the release of the CoP as it will provide the detailed standards and other guidance on compliance with the Bill.

The Cybersecurity Team at JSM has extensive experience advising clients in both public and private sectors on the complex legal issues arising from high-stakes cybersecurity incidents. We also support organisations in pre-incident preparations, including the development of internal policies, procedures, playbooks and response plans, as well as offering training and tabletop simulation exercises to ensure that your organisation is prepared to meet the requirements of the Bill when it comes into force.
Please feel free to contact us if you have any compliance enquiry or would like to learn more about how we can help you better prepare for legal risks arising from cyber incidents.
Legal update 18 March 2025
Banks have certain activities related to insurance, such as referrals, premium financing and trust arrangements. Under Section 64G of the Insurance Ordinance Cap. 41 (“Ordinance”), a person cannot carry on regulated activities without an insurance intermediary licence. Regulated activities include negotiating or arranging a contract of insurance, inviting or inducing a person to enter into, or make a material decision on, a contract of insurance, and giving regulated advice. Material decision and regulated advice refer to activities such as making an insurance application, renewing, cancelling or assigning an insurance policy. Given the broad definition of regulated activities, certain insurance-related activities of the bank may be regarded as regulated activities.

A copy of the Explanatory Note can be accessed here. The Insurance Authority has provided some guidance under the Explanatory Note in relation to the licensing requirements for banks under the new regime. However, whether an activity amounts to a regulated activity will depend on the full factual context and this will need to be considered objectively. The Explanatory Note clarifies that “inviting or inducing” requires an element of encouraging, convincing or persuading a person, and is more than just mere provision of information. A summary of the FAQs in the Explanatory Note is set out below.

Activity: Referral
Not likely a regulated activity if a bank staff …
- Discusses general concepts of insurance as part of financial planning (e.g., discuss concept of annuity) and refers clients to a licensed insurance intermediary if clients have expressed interest
- Informs clients of the conditions of lending (e.g., fire insurance is a requirement for mortgage application) and refers clients to a licensed insurance intermediary
Likely a regulated activity if a bank staff …
- Actively approaches clients to discuss specific insurance products
- Encourages clients to purchase particular insurance products from a licensed insurance intermediary (e.g., offers preferential premium financing rates for specific insurance products)
- Obtains a direct remuneration for successful referrals

Activity: Premium financing
Not likely a regulated activity if a bank staff …
- Provides clients with the terms of a loan and the credit underwriting criteria
Likely a regulated activity if a bank staff …
- Encourages clients to apply for premium financing and to assign the policy to the bank
- Takes the initiative to introduce premium financing to clients (this is regarded as encouraging or persuading clients to apply for insurance)

Activity: Policy assignment
Not likely a regulated activity if a bank staff …
- Informs clients that policy assignment is a condition of lending
Likely a regulated activity if a bank staff …
- Goes beyond merely providing the terms of a loan and recommends particular insurance products

Activity: Exercising rights under insurance policy
Not likely a regulated activity if a bank staff …
- Exercises rights under the loan (e.g., exercising rights as an assignee of an insurance policy)

Activity: Trust arrangement
Not likely a regulated activity if a bank staff …
- Provides information about possible holding structure options, including trusts. Bank staff should make it clear that they are not providing any recommendation or opinion about using trust structure, and should recommend clients to discuss this with a licensed insurance intermediary.
- Reminds clients to check the terms of their insurance contract and whether there are any restrictions against trust structures
Likely a regulated activity if a bank staff …
- Provides recommendation to hold insurance policy on trust
- Having known about the restrictions in the insurance contract against trust structures, encourages or persuades clients to purchase another insurance policy with no such restriction

Comment

The Explanatory Note provides useful guidance to the banking sector in carrying out various insurance-related activities, including whether such activities may constitute regulated activities and therefore require an insurance intermediary licence. The entire factual context will need to be considered and it should be viewed objectively (from the client’s perspective) as to whether the activities may be seen as encouraging or persuading the client to apply for, or make a material decision on, insurance, or advising about insurance matters.

In particular, when providing premium financing terms or other lending terms, bank staff need to be careful to only inform clients of the terms and conditions of lending and not to encourage or persuade clients to apply for certain insurance products, or to give opinions about the suitability of particular insurance products. Banks should also review the remuneration structure of staff who are involved in referral activities to ensure there is no direct incentive for any non-licensed person to carry out regulated activities. Banks should also ensure there is proper monitoring and supervision of staff, as well as dedicated policies and procedures, in respect of insurance-related activities.

* This legal update was first published in 2019 and JSM was known as Mayer Brown when it was issued.