Hong Kong SAR, China

The Personal Data (Privacy) Ordinance (PDPO) was passed in the Hong Kong Special Administrative Region of China in 1995 and came into force in December 1996 (with the exception of individual provisions). It applies to the processing of personal data in, or by persons under the control of Hong Kong SAR, China. The PDPO underwent major amendments in 2012, including new regulations on the use of personal data for direct marketing purposes and incorporating additional safeguards in response to public concerns over new privacy challenges. In 2021, the PDPO underwent another major amendments. The amendments aim to combat doxxing acts that are intrusive to personal data privacy.

Huawei Cloud Compliance with the PDPO of the Hong Kong Special Administrative Region of the People's Republic of China describes our experiences and practices on privacy protection and how we can help you meet the PDPO compliance requirements of Hong Kong SAR, China.

The Hong Kong Monetary Authority (HKMA) of China is the government body responsible for maintaining the stability of the monetary and banking systems. It is primarily responsible for making financial policies and managing banks and currencies in Hong Kong SAR, China.

The HKMA has issued a series of guidelines and circulars providing practical guidance to Hong Kong financial institutions on IT risk management. The main regulatory guidelines and circulars are as follows:

Supervisory guidelines:

• Supervisory Policy Manual on the General Principles of Technology Risk Management (TM-G-1): Provides authorized institutions (AIs) with guidance on general principles which AIs are expected to consider in managing technology-related risks.

• Supervisory Policy Manual on Outsourcing (SA-2): Sets out the HKMA's supervisory approach to outsourcing and the key points which the HKMA recommends AIs to address when outsourcing.

• Supervisory Policy Manual on Business Continuity Planning (TM-G-2): Sets out the HKMA's supervisory approach to business continuity planning and the sound practices that the HKMA expects AIs to take into consideration in business continuity planning.

• Guideline on the Authorization of Virtual Banks: Sets out the principles that the HKMA will take into account when deciding whether to authorize a virtual bank to conduct banking business in Hong Kong.

• Guidance on Cloud Computing: Describe the risk management initiatives that the HKMA expects AIS to consider when adopting cloud computing.

• Risk Management of E-banking (TM-E-1): The HKMA has issued guidance on the management of risks associated with electronic banking by AIs.

Regulatory circulars:

• Customer Data Protection: Remind AIs of the importance of protecting the confidentiality of customer data and some of the key control measures for protecting customer data.

• Incident Response and Management Procedures: Reminds AIs that effective incident response and management capabilities and procedures must be in place to deal with significant incidents and sets out the principles to be followed by AIs in any public communication regarding such incidents.

Huawei Cloud Compliance with the Hong Kong Financial Services Regulations & Guidelines describes how Huawei Cloud can help you meet the regulatory requirements of the financial industry in Hong Kong.

In addition, in order to further strengthen the cybersecurity capability of AIs in Hong Kong SAR, China, HKMA published the Cybersecurity Fortification Initiative (CFI) in May 2016 and revised and released CFI 2.0 in November 2020. AIs in Hong Kong SAR, China are required to implement the Cyber Resilience Assessment Framework 2.0 (C-RAF 2.0).

C-RAF 2.0 is a structured assessment framework. Through this framework, AIs can assess their inherent risks and maturity level of cybersecurity measures according to a set of "control principles". Through this process, AIs should be able to better understand, assess, strengthen and continuously improve their cyber resilience.

HUAWEI CLOUD User Guide to C-RAF 2.0 in Hong Kong Special Administrative Region of the People’s Republic of China provides an overview of C-RAF 2.0 and describes how HUAWEI CLOUD will help you meet the relevant control principles specified in the maturity assessment matrix of C-RAF 2.0.

The Insurance Authority (IA) of Hong Kong Special Administrative Region of People's Republic of China ("Hong Kong SAR, China") is an insurance regulatory agency independent of the government. Its purpose is to help insurance institutions comply with international insurance regulatory requirements and maintain the stable development of the insurance industry.

To regulate the application of Information Technology (IT) in the insurance industry, the IA has released a series of regulatory requirements and guidelines for institutions and organizations that are authorized to engage in insurance business (authorized insurers) in the areas of cyber security, IT outsourcing, online insurance management and other insurance-related activities. The main regulatory requirements are as follows:

• Guideline on Cybersecurity (GL20): This guideline sets out the minimum standards to be met by authorized insurers in terms of cybersecurity and the general guidelines to be used by the IA in evaluating the cybersecurity frameworks of insurers.

• Guideline on Outsourcing (GL14): This guideline sets out the important considerations that the IA expects authorized insurers to consider in formulating and monitoring outsourcing arrangements, to protect the interests of existing and prospective policy holders. This guideline also sets out the approach for the IA to monitor the outsourcing arrangements of authorized insurers.

• Guideline on the Use of Internet for Insurance Activities, GL8: This guideline outlines the matters that should be considered by authorized insurers when engaging in online insurance activities.

Huawei Cloud Compliance with the Hong Kong Insurance Services Regulations & Guidelines describes how Huawei Cloud can help you meet the regulatory requirements of the insurance industry of Hong Kong, China when using Huawei Cloud, while demonstrating Huawei Cloud’s own compliance.

The Securities and Futures Commission (SFC) of Hong Kong Special Administrative Region of People's Republic of China (Hong Kong SAR, China) is an independent statutory body responsible for regulating the securities and futures markets in Hong Kong SAR, China.

To regulate the application of Information Technology (IT) in the securities and futures industry, the SFC published a series of regulatory requirements and guidelines, covering the areas of technology risk management and cyber security, use of external electronic data storage, and Internet trading security management for institutions or organizations that are permitted to engage in securities and futures-related activities (licensed corporations, LC for short). The main regulatory requirements are as follows:

• Use of external electronic data storage: This policy document sets out requirements for LCs to store their regulatory records with an external electronic data storage provider (EDSP), and explains the approval requirements for record storage and the regulatory standards to be observed by LCs when information is stored or processed electronically using EDSPs.

• Guideline for Reducing and Mitigating Hacking Risks Associated with Internet Trading: This policy document sets out baseline requirements that reduce and mitigate hacking risks associated with Internet trading. The controls and measures specified in the guideline can only reduce or mitigate hacking risks associated with Internet trading, but cannot eliminate them. It must be emphasized that these are the minimum standards to be met by LCs and are not exhaustive.

• Good industry practices for IT risk management and cybersecurity: This policy document provides a list of industry practices on technology risk management and cyber security that LCs engaged in Internet trading may consider incorporating into their IT and cybersecurity risk management frameworks. This list builds on the controls suggested in past circulars and supplements them with recommendations from an external cybersecurity expert based on the latest technological developments.

Huawei Cloud User Guide to Securities and Futures Industry Regulations & Guidelines in the Hong Kong Special Administrative Region of the People's Republic of China describes how Huawei Cloud can help you meet the regulatory requirements of the securities and futures industry of Hong Kong SAR, China when using Huawei Cloud, while demonstrating Huawei Cloud’s own compliance.

Huawei Cloud is committed to providing you with secure and regulation-compliant infrastructure and services. Each service has built-in security functions and is guaranteed to run securely through continuous O&M. Huawei Cloud ensures that its infrastructure and services have passed the assessment of independent third-party security authoritative bodies and the review of security certification bodies.

When using Huawei Cloud services, you need to consider the security and compliance of internal applications and customized configurations based on the features of cloud services. As the owner and controller of your data, you are responsible for data security configuration, confidentiality, integrity, availability, and identity authentication and authorization of data access.

In addition, you need to ensure that your services meet corresponding regulatory requirements. If securities-related activities are conducted on the cloud, the requirements on the use of external electronic data storage released by the SFC must be met.

You can download Huawei Cloud Security White Paper to view details about Huawei Cloud and your security responsibilities.

For further information about security and compliance, contact your account manager or Huawei Cloud customer service.

Huawei Cloud is committed to building secure and trusted cloud services. The infrastructure and services provided by Huawei Cloud have been assessed by authoritative, independent, third-party agencies and reviewed by the relevant certifying bodies.

Huawei Cloud is compliant with a wide range of international standards and practices, including:

• Security standards: ISO 27001, ISO 27017, CSA STAR, PCI DSS, PCI 3DS, ISO 27034, and NIST cyber security framework (CSF), and more

• Privacy standards: ISO 27018, ISO 27701, BS 10012, ISO 29151, and ISO 27799

• Other standards: ISO 22301 (for business continuity management), ISO/IEC 20000 (for IT service management), TL 9000 and ISO 9001 (for quality management), SOC 1, SOC 2, and SOC 3(for audit)

Learn more from Compliance Certificates in the Compliance Center.