The Insurance Authority has issued its Guideline on Cybersecurity (GL20) for authorised insurers, which will take effect on 1 January 2020.
GL20 will apply to all authorised insurers (except for captive insurers and marine mutual insurers) in relation to the insurance business they carry on in or from Hong Kong. It sets out the minimum cybersecurity standards relevant insurers will need to establish and maintain.
Strong cyber resilience has become a key area of concern for the Insurance Authority as insurers face increased exposure to cyber risk and cyber-attacks become increasingly sophisticated, with potential consequences for insurers and their policyholders becoming more severe.
GL20 builds on the Insurance Authority’s existing cybersecurity recommendations introduced in the Guideline on the Corporate Governance of Authorised Insurers (GL10), which states that, in respect of cybersecurity threats, prevention is better than cure, and requires insurers to have policies and procedures in place to identify, prevent, detect and mitigate cybersecurity threats.
GL20 defines "cyber risk" broadly as any risk arising from the storage, transmission, use or processing of data that is stored, transmitted and retrieved by electronic means. It includes data breaches, leaks and loss, and physical damage to data caused by cybersecurity incidents; fraud through the misuse of, and unauthorised access to, data; and any liability arising from data storage and transmission and from the availability, integrity and confidentiality of data.
As outlined in GL20, a "cybersecurity incident" is an event that threatens the security of the insurer's systems, including leakage of electronic data; denial of service attacks; abuse of information systems; compromise of protected information systems or assets; malicious destruction or alteration of data; and malware infection, website defacement and malicious scripts affecting networked systems.
GL20 covers the following key priority areas for enhancing insurers' cyber resilience:
Also complementary to GL20 are the cyber risk requirements in the newly-published Guideline on Enterprise Risk Management (GL21) (which is also effective from 1 January 2020). As well as requiring compliance with GL20, GL21's specific cyber risk provisions require insurers to implement and maintain a cyber risk policy tailored to the scale and complexity of the business including controls relating to:
As 1 January 2020 is fast approaching, relevant Hong Kong insurers should, as soon as possible, perform a gap analysis of their existing cybersecurity resilience against the new requirements so that the necessary steps can be taken to rectify any deficiencies.
For advice on how to strengthen your cybersecurity corporate strategy and framework, and cyber incident response plan, or if you are facing any cybersecurity issues, please reach out to Joyce Chan, Gill Morrissey or your usual Clyde & Co contact.