6 August, 2019
The Insurance Authority has issued its Guideline on Cybersecurity (GL20) for authorised insurers, which will take effect on 1 January 2020.
GL20 will apply to all authorised insurers (except for captive insurers and marine mutual insurers) in relation to the insurance business they carry on in or from Hong Kong. It sets out the minimum cybersecurity standards relevant insurers will need to establish and maintain.
Strong cyber resilience has become a key area of concern for the Insurance Authority as insurers face increased exposure to cyber risk and cyber-attacks become increasingly sophisticated, with potential consequences for insurers and their policyholders becoming more severe.
Identify, Prevent, Detect and Mitigate
GL20 builds on the Insurance Authority's existing cybersecurity recommendations introduced in the Guideline on the Corporate Governance of Authorised Insurers (GL10), which suggested that in respect of cybersecurity threats, prevention is better than cure, and requires insurers to have policies and procedures in place to identify, prevent, detect and mitigate cybersecurity threats.
GL20 defines a "cyber risk" broadly, as any risk arising from the storage, transmission, use or processing of data that is stored, transmitted and retrieved by electronic means. It includes data breaches, leaks and loss, and physical damage to data caused by cybersecurity incidents; fraud through the misuse of, and unauthorised access to, data; and any liability arising from data storage and transmission and from the availability, integrity and confidentiality of data.
As outlined in GL20, a "cybersecurity incident" is one that threatens the security of the insurer's systems, including leakage of electronic data; denial of service attacks; abuse of information systems; compromise of protected information systems or assets; malicious destruction or alteration of data; and malware infection, website defacement and malicious scripts affecting networked systems.
GL20 covers the following key priority areas for enhancing insurers' cyber resilience:
- Board-approved cybersecurity strategy and framework – This should be tailored to the nature, scale and complexity of the insurer and its business, and should include well-defined cybersecurity objectives and clear processes for the management of cyber risks. It should be reviewed regularly (at least annually, on the introduction of new systems or significant system changes or occurrence of cybersecurity incidents) and, as appropriate, updated.
- Top-down governance – The board retains overall responsibility for cybersecurity controls. There should be a board-approved cyber risk appetite and tolerance limit. Clearly defined responsibilities, reporting lines and escalation procedures for cybersecurity should be implemented. Delegation to a designated management team to oversee and implement cybersecurity measures and controls is permitted.
- Risk identification, assessment and control – A self-assessment tool for overall cyber risk management should be put in place. Cyber risk mitigation processes should be reviewed and assessed regularly (at least annually or on the introduction of new systems or significant system changes).
- Continuous monitoring – A systematic monitoring process (including internal and external audit, network monitoring and testing) should be maintained for early detection of cyber incidents, regular assessment of the effectiveness of internal controls and, as necessary, updating of the risk appetite and tolerance limit.
- Response and recovery – An incident response plan should be developed covering different scenarios of cyber incidents and corresponding contingency strategies, including escalation procedures. A cyber incident must be reported to the Insurance Authority within 72 hours after detection. Drills should be conducted at least annually.
- Information sharing and training – A process to collect and analyse cyber risk information should be established, and the insurer should participate in information sharing groups so measures can be taken in relation to local and international cyber risks and cyber-attacks. Training on cybersecurity awareness and latest developments should be given to all system users.
Also complementary to GL20 are the cyber risk requirements in the newly published Guideline on Enterprise Risk Management (GL21), which is also effective from 1 January 2020. As well as requiring compliance with GL20, GL21's specific cyber risk provisions require insurers to implement and maintain a cyber risk policy tailored to the scale and complexity of the business, including controls relating to:
- protection of policyholder and digital/electronic data
- identifying, preventing, detecting and mitigating cybersecurity threats
- monitoring and reporting of cyber risks
- regular testing of mitigation measures
- communication of cybersecurity policies and procedures to staff, and regular review and assessment of the policies and procedures and monitoring of their implementation.
Next steps
As 1 January 2020 is fast approaching, relevant Hong Kong insurers should as soon as possible perform a gap analysis of their existing cybersecurity resilience against the new requirements, so that the necessary steps can be taken to rectify any deficiencies.