Cyber Resilience Assessment Framework Introduced for Insurers in Hong Kong

December 23, 2024 by OLN Marketing

Following consultation with the insurance industry, on 11 December 2024 the Insurance Authority published a revised Guideline on Cybersecurity (Revised GL20). It takes effect on 1 January 2025 and introduces a Cyber Resilience Assessment Framework (CRAF or the Framework) for insurers.

What Insurers Need to Know

The Framework applies (with limited exceptions) to authorised insurers in relation to the business they carry on in or from Hong Kong. Its provisions do not apply to captive, marine mutual and special purpose insurers, to Lloyd’s, or to insurers that have ceased underwriting or accepting business and are in run-off. All other provisions of the revised GL20 apply to all authorised insurers except captive and marine mutual insurers.

The Framework requires insurers to evaluate their inherent risk and the maturity of their controls against the prescribed control principles. The Framework’s three-step approach is:

– Step One: the insurer conducts an inherent risk assessment.

– Step Two: the insurer conducts a cybersecurity maturity assessment.

– Step Three: the insurer makes a submission to the Insurance Authority on assessment results and proposed remedial measures.

What Insurers Need to Do, Generally

Important aspects of GL20 require insurers to demonstrate a robust cybersecurity strategy and framework. The requirements include:

1. Insurer’s board of directors to endorse the cybersecurity strategy and framework (CSF). In doing so it should ensure:

a. There are clearly defined roles and responsibilities including reporting lines and escalation procedures.

b. A strong level of awareness of and commitment to cybersecurity is cultivated.

c. Risk appetite and tolerances are well defined. This requires a complete risk assessment to identify risks and assess mitigating measures.

d. It has oversight of CSF design and of its implementation and effectiveness.

e. Where a designated management team of appropriately qualified individuals is tasked to assist the board, both the board and the team need to ensure the CSF is updated continuously.

2. Insurers are to include objectives and staff and system user competencies in the CSF, implement continuous monitoring and review the CSF periodically – annually, or more frequently if a material event occurs such as an incident or new system deployment.

3. Insurers are to have a well-developed cybersecurity incident response plan.

What insurers need to do regarding the Framework

Important actions to be implemented by insurers under CRAF include:

1. Conduct assessments:

a. An inherent risk assessment is to be conducted in accordance with the Inherent Risk Assessment Matrix. This is designed to identify the insurer’s rating on a three-tiered system:

i. High – extensive adoption of technologies over numerous delivery channels

ii. Medium – adoption of some complex new technologies

iii. Low or not applicable if appropriate – few emerging technologies are adopted

b. A cybersecurity maturity assessment is to be conducted in accordance with the Cybersecurity Maturity Assessment Matrix, having regard to Governance, Identification, Protection, Detection, Response and Recovery, Situational Awareness and Third-Party Risk Management. If an insurer wishes to adopt an alternative cybersecurity assessment framework (for example, a framework adopted by the organisation elsewhere or a framework previously used), it must be comparable to the Framework and meet all required conditions.

2. Make appointments:

a. An Assessor is to be appointed, with appropriate skills and qualifications having regard to the inherent risk rating. When assessing cybersecurity controls, the Assessor should determine the sampling size and approach on a risk-based basis. Samples may be limited to the preceding 6 months if the assessment is being conducted for the first time; otherwise, a 12-month period should be used.

b. If necessary, a Validator with the prescribed qualifications is to be appointed.

3. Make submissions to the Insurance Authority:

a. Insurers with a high inherent risk rating are to submit the results of their assessments within 12 months from the effective date of CRAF.

b. Insurers with a low or medium inherent risk rating are to submit the results of their assessments within 18 months from the effective date of CRAF.

Thereafter, submissions are to be made at least every three years, or more frequently (annually) or upon a major change to business or technologies.

4. Ensure that the insurer’s Chief Executive or a senior officer (i.e. a key person in control functions) and the Assessor and/or Validator responsible for conducting the assessment review and approve the assessment.

Conclusion

The insurance industry faces significant cyber risk as a first-party issue, in its supply chain and in its insurance portfolios. GL20 is a valuable tool for insurers to measure, implement and enhance their cyber governance, systems, controls and resilience on a continuous basis.

Disclaimer: This article is for reference only. Nothing herein shall be construed as Hong Kong legal advice or any legal advice for that matter to any person. Oldham, Li & Nie shall not be held liable for any loss and/or damage incurred by any person acting as a result of the materials contained in this article.

Filed Under: Uncategorised, Insurance Law, News. Tagged With: Insurance

Legal Update: Is an insurer vicariously liable for an agent’s fraud?

January 22, 2018 by OLN Marketing

Vicarious liability is the legal doctrine that holds one party liable for wrongdoing committed by another, typically where the party held liable is superior to or has some right to control the other’s actions. This most commonly arises in the employment context, where an employer is generally held liable for any tort committed by an employee in the course of his/her duties. However, vicarious liability is not limited to the employment relationship and can extend to the relationship between insurer and insurance agent.

Recent cases affirm that the relationship between insurer and agent can give rise to vicarious liability, even though the agent is not the insurer’s employee and the agent’s contract with the insurer explicitly denies any employment relationship. In deciding whether to impose vicarious liability, courts will consider whether doing so is fair, just and reasonable, taking into account the overall relationship (including the insurer’s control over the agent) and enterprise risk considerations, including the insurer’s business model, the regulatory framework governing the insurance industry and the deterrence of future harm. In Hong Kong, many agents are tied exclusively to one insurer, and even non-exclusive agents are bound under the HKFI Code of Practice to represent no more than four insurers, including no more than 2 long-term insurers. These ties between insurer and agent, and the functions performed by the agent on the insurer’s behalf, tend to create circumstances in which a court may find vicarious liability.

Case Analysis

A recent Singapore case, in which a major life insurer was held vicariously liable for an agent’s fraud, is instructive. In that case, the agent had sold the plaintiffs (an elderly Indonesian couple) a fictitious 5-year life insurance policy. Funds remitted by the plaintiffs for the fake policy were used by the agent to buy unauthorized policies in the plaintiffs’ names, which the agent later deceived the plaintiffs into surrendering. The funds were then misappropriated by the agent. Throughout this process, the insurer relied on the agent to liaise with the plaintiffs regarding the policies they held and to transmit instructions as to how to handle their money, refund cheques and surrender proceeds.

In finding the insurer vicariously liable for the agent’s fraud, the Singapore High Court applied a 2-stage test, under which vicarious liability will be imposed where:

1. There is a “special relationship” between the tortfeasor (fraud perpetrator) and the defendant making it “fair, just and reasonable” for liability to be imposed; and
2. The conduct of the tortfeasor is closely connected to his/her relationship with the defendant, particularly where that relationship materially increases the risk of the fraud being committed.

In applying this test for vicarious liability, the Singapore Court followed an established line of UK and Canadian case law which identified two policy considerations for imposing liability: 1) effective compensation for the victim; and 2) enterprise risk theory, which holds that an enterprise which engages agents to advance its business interests and creates the risk of those agents committing wrongs against third parties should bear responsibility for the consequences, since it is best placed (and should be incentivized) to manage the risks and prevent wrongdoing.

Under the first stage of the test (requiring a special relationship between tortfeasor and defendant), vicarious liability is no longer restricted to employment relationships, and the court will examine the facts to see if the relationship has some of the same fundamental qualities inherent in employer-employee relationships, including control over the tortfeasor (agent) and integration of his/her activities in the defendant’s (insurer’s) enterprise. On the facts of the Singapore case, the court found that these elements were present, noting that even though the agent’s contract with the insurer specifically stated that the agent was not an employee, she represented the insurer exclusively and performed a wide range of functions on the insurer’s behalf. Further, the insurer’s control over her was very similar to that of an employer training, managing, supervising and disciplining its employees.

Turning to the second stage of the test (requiring a sufficient connection between the tortfeasor’s conduct and his/her relationship with the defendant), the court noted that the fraud had been perpetrated in the context of a business model in which insurers relied on agents to promote and market their policies by developing close relationships with high net-worth policyholders. On the facts, the insurer further enhanced the risk of the agent’s fraud by allowing her to perform tasks on both sides without verification, including accepting her word as instructions and authorization from the customer. Given this business framework and the policy justifications of victim compensation and deterrence, the court found that there was a sufficient connection between the agent’s fraud and her relationship with the insurer to justify imposing vicarious liability.

OLN Insights

1. Recent case law confirms that vicarious liability is not confined to employment relationships and can render an insurer liable for its agent’s fraud. Courts will look beyond the agent’s contract with the insurer in assessing whether the agent is truly acting as an independent contractor or is effectively controlled by the insurer and integrated within the insurer’s enterprise.

2. Policy considerations, and particularly enterprise risk considerations, may lead a court to hold an insurer vicariously liable for an agent’s fraud in the current regulatory context, which (in Hong Kong as in Singapore) expects insurance companies to take responsibility for the management of their agents, particularly where agents represent no more than a few insurers and are seen by the public as representatives of their appointing insurer and an extension of its enterprise.

3. To mitigate exposure, insurers would be well advised to institute more robust controls to verify policyholder instructions rather than relying exclusively on agents to communicate with customers. Verification should be undertaken of significant policy-related requests from policyholders, including instructions on how to apply remitted and/or excess funds and policy surrender requests. For example, policy approval confirmation letters, premium payment letters, policy surrender letters and refund cheques could be mailed directly to the policyholder (with proof of delivery) rather than passed on through the agent.

About OLN’s Insurance Practice Group

OLN’s Insurance Practice Group has direct experience of the legal, regulatory and practical challenges facing insurers and reinsurers throughout the Asia region. Members of our Group have worked in the insurance industry and have extensive experience working in and advising insurers and reinsurers on contractual and regulatory matters and risk management issues relevant to their businesses. We have particular expertise in the review and drafting of contractual documentation relating to insurance and reinsurance activities, including the development of policy wording for life, accident, medical and health insurance products, and the review and vetting of related proposals, product brochures and training materials. We also have experience advising on disputes over coverage for claims under both life and general insurance policies and, with support from OLN’s Dispute Resolution Group, are well placed to represent clients in all aspects of insurance litigation.

For more information about any other insurance-related matters, please contact:

Greg Crichton, Consultant

Filed Under: Insurance Law. Tagged With: Insurance
