Last Friday, the Hong Kong Insurance Authority published its Guideline on Cybersecurity (GL 20) for authorised insurers.  GL 20 will take effect on 1 January 2020.

Cybersecurity is a global regulatory focus and a top priority area for the Insurance Authority, given the growing exposure to cyber risk as a result of increased digital connectivity.


GL 20 applies to all authorised insurers (except for captive insurers and marine mutual insurers) in relation to the insurance business that they carry on in or from Hong Kong.


GL 20 sets the minimum standards for cybersecurity that authorised insurers are expected to have in place, and the guiding principles which the Insurance Authority uses in assessing the effectiveness of insurers’ cybersecurity frameworks.

The guideline requires insurers to put in place resilient cybersecurity frameworks to protect their business data and the personal data of their existing or potential policyholders, and to ensure continuity of their business operations.

Key areas of focus

The guideline covers the following key areas:

  • Cybersecurity strategy and framework – This should be endorsed by the board of the authorised insurer, and be reviewed and updated regularly (such as on an annual basis, upon a cyber incident or a major system change) to ensure relevance.
  • Governance – The board of directors of an authorised insurer should hold overall responsibility for cybersecurity controls and ensure accountability within the insurer. It should cultivate a strong level of awareness of and commitment to cybersecurity.
  • Risk identification, assessment and control – A cyber risk self-assessment tool should be put in place as part of an enterprise risk management program.
  • Continuous monitoring – An authorised insurer should establish systematic monitoring processes for early detection of cybersecurity incidents, regularly evaluate the effectiveness of internal controls and update the risk appetite and tolerance limit as appropriate.
  • Response and recovery – An insurer should develop a cybersecurity incident response plan, which should also include the criteria for the escalation of the response and recovery activities to the board or designated management team. Upon detection of a relevant incident, an insurer should report the incident and related information to the Insurance Authority as soon as practicable, and in any event no later than 72 hours from detection.
  • Information sharing and training – An insurer should establish a process to gather and analyse cyber risk information and participate in information sharing groups to enable it to respond to cyber incidents in an appropriate and timely manner. It should also arrange adequate training for all system users on cybersecurity awareness and latest developments.