Following consultation with the insurance industry, on 11 December 2024 the Insurance Authority published a revised Guideline on Cybersecurity (Revised GL20). It takes effect on 1 January 2025, introducing a Cyber Resilience Assessment Framework (CRAF or Framework) for insurers.
What Insurers Need to Know
The Framework applies (with limited exceptions) to authorised insurers in relation to the business they carry on in or from Hong Kong. The Framework's provisions do not apply to captive, marine mutual and special purpose insurers, Lloyd's, or insurers that have ceased underwriting or accepting business and are in run-off. All other provisions of the Revised GL20 apply to all authorised insurers except captive and marine mutual insurers.
The Framework requires insurers to evaluate their inherent risk and the maturity of their controls against the prescribed control principles. The Framework's three-step approach is:
– Step One: the insurer conducts an inherent risk assessment.
– Step Two: the insurer conducts a cybersecurity maturity assessment.
– Step Three: the insurer makes a submission to the Insurance Authority on assessment results and proposed remedial measures.
What Insurers Need to Do, Generally
Important aspects of GL20 require insurers to demonstrate a robust cybersecurity strategy and framework. The requirements include:
1. The insurer's board of directors is to endorse the cybersecurity strategy and framework (CSF). In doing so it should ensure that:
a. There are clearly defined roles and responsibilities including reporting lines and escalation procedures.
b. It cultivates a strong level of awareness of, and commitment to, cybersecurity.
c. Risk appetite and tolerances are well defined. This requires a complete risk assessment to identify risks and assess mitigating measures.
d. It has oversight of the CSF's design, implementation and effectiveness.
e. Where a designated management team of appropriately qualified individuals is tasked to assist the board, both the board and the team need to ensure the CSF is updated continuously.
2. Insurers are to include objectives and staff and system user competencies in the CSF, implement continuous monitoring, and review the CSF periodically: annually, or more frequently if a material event occurs, such as an incident or a new system deployment.
3. Insurers are to have a well-developed cybersecurity incident response plan.
What Insurers Need to Do Regarding the Framework
Important actions to be implemented by insurers under CRAF include:
1. Conduct assessments:
a. An inherent risk assessment is to be conducted in accordance with the Inherent Risk Assessment Matrix. This is designed to identify the insurer's rating on a three-tier scale:
i. High: extensive adoption of technologies over numerous delivery channels
ii. Medium: adoption of some complex new technologies
iii. Low (or not applicable, if appropriate): few emerging technologies are adopted
b. A cybersecurity maturity assessment is to be conducted in accordance with the Cybersecurity Maturity Assessment Matrix, having regard to Governance, Identification, Protection, Detection, Response and Recovery, Situational Awareness, and Third-Party Risk Management. If an insurer wishes to adopt an alternative cybersecurity assessment framework (for example, a framework adopted by the organisation elsewhere or a framework previously used), it must be comparable to the Framework and meet all required conditions.
2. Make appointments:
a. An Assessor is to be appointed, with appropriate skills and qualifications (having regard to the inherent risk rating). When assessing cybersecurity controls, the Assessor should determine the sample size and sampling approach on a risk-based basis. Samples may be limited to the preceding 6 months if the assessment is being conducted for the first time; otherwise, a 12-month period should be used.
b. If necessary, a Validator with the prescribed qualifications is to be appointed.
3. Make submissions to the Insurance Authority:
a. Insurers with a high inherent risk rating are to submit the results of their assessments within 12 months from the effective date of CRAF.
b. Insurers with a low or medium inherent risk rating are to submit the results of their assessments within 18 months from the effective date of CRAF.
Thereafter, submissions are to be made at least every three years, or more frequently (annually) where required, or upon a major change to the business or its technologies.
4. Ensure the insurer's Chief Executive or a senior officer (i.e. a key person in a control function) and the Assessor and/or Validator responsible for conducting the assessment review and approve the assessment.
Conclusion
The insurance industry faces significant cyber risk as a first-party issue, in its supply chain and in its insurance portfolios. GL20 is a valuable tool for insurers to measure, implement and enhance their cyber governance, systems, controls and resilience on a continuous basis.
Disclaimer: This article is for reference only. Nothing herein shall be construed as Hong Kong legal advice or any legal advice for that matter to any person. Oldham, Li & Nie shall not be held liable for any loss and/or damage incurred by any person acting as a result of the materials contained in this article.