Lexis insights

Legal news, views and insight from LexisNexis Hong Kong

12 August 2019 | by LexisNexis Hong Kong


The Hong Kong Insurance Authority (“IA”) has published its Guideline on Cybersecurity (GL 20) (the “Guideline”) for authorised insurers. The Guideline will take effect on 1 January 2020. It sets the minimum standard for cybersecurity that authorised insurers are expected to have in place and the general guiding principles which the IA uses in assessing the effectiveness of an authorised insurer’s cybersecurity framework. Cybersecurity refers to strategies, policies, standards, practices, technology, and innovations regarding the security of an authorised insurer’s systems and operations. These measures are to safeguard and reduce the risks of authorised insurers from cyberattacks or cybersecurity incidents.


The Guideline applies to all authorised insurers, except for captive insurers and marine mutual insurers, regarding the insurance business they carry on in or from Hong Kong. It should be read in conjunction with the relevant provisions of the Insurance Ordinance, other relevant Ordinances, and any other rule, regulation, code, circular and guideline made or issued under the Insurance Ordinance and other relevant Ordinances. The Guideline does not have the force of law and should not be interpreted in a way that would override the provision of any law.

Key takeaways

Cybersecurity strategy and framework

Authorised insurers should establish and maintain a cybersecurity strategy and framework to mitigate potential cyber risks that are commensurate with the nature, size and complexity of their business. An authorised insurer should also review (e.g. on an annual basis, upon a cybersecurity incident or a major system change) and update their cybersecurity strategy regularly. This is to ensure that their strategy remains relevant whenever there is a significant change in their mode of business operation or in the external business environment.


The board of directors of an authorised insurer (the “Board”) should bear the overall responsibility for cybersecurity controls and ensure accountability within the authorised insurer. It should cultivate a strong level of awareness of and commitment to cybersecurity. The Board should establish a defined risk appetite and tolerance limit on cyber risks and oversee the design, implementation and effectiveness of the relevant cybersecurity programs.

Risk identification, assessment and control

Authorised insurers should recognize cyber risks and conduct assessment on the effectiveness of the mitigating measures to protect against cyberattacks or cybersecurity incidents. A self-assessment tool should be put in place as part of an enterprise risk management program.

Continuous monitoring

An authorised insurer should establish systematic monitoring processes for early detection of cybersecurity incidents, regularly evaluate the effectiveness of internal control procedures and update the risk appetite and tolerance limit as appropriate.

Response and recovery

Authorised insurers should develop a cybersecurity incident response plan that should also include the criteria for the escalation of response and recovery activities to the Board or its designated management team. Upon the detection of a relevant incident, an authorised insurer should report the incident with the related information to the IA as soon as practicable, and in any event no later than 72 hours from detection.

Information sharing and training

An authorised insurer should establish a process to gather and analyse relevant cyber risk information and participate in information sharing groups, such as an information sharing intelligence platform. This allows authorised insurers to react to cyberattacks or cybersecurity incidents appropriately without delay. Authorised insurers should arrange adequate training for all system users on the subject of cybersecurity awareness and the latest developments in cybersecurity.

For more information on cybersecurity and insurance topics, please see:

Butterworths Hong Kong Data Privacy Handbook

Cyberlaw in Hong Kong – Fourth Edition

Halsbury’s Laws of Hong Kong Second Edition

  • Insurance

Lexis Advance® Hong Kong Practical Guidance

  • Hong Kong Data Protection
  • Hong Kong Financial Services

For enquiries about the above publications, please contact your Account Manager via sales.hk@lexisnexis.com

Contact Us