
What is needed now?

Published date: 23 January 2024

Hong Kong's Insurance Authority (IA) published the Guideline on Cybersecurity ("GL20") in 2019 to regulate and supervise the insurance industry and to protect policyholders from cyber threats. It sets the minimum standard of cybersecurity that Authorised Insurers are expected to have in place and the general guiding principles the IA uses to assess the effectiveness of an insurer's cybersecurity framework. In response to the fast-changing landscape of emerging technologies and cybersecurity threats, the IA has proposed an updated framework, and the revised GL20 is expected to be rolled out in the first quarter of 2024. The proposed update introduces a new GL20 assessment approach that provides more detailed guidance on how Authorised Insurers should manage cyber risk. The assessments mandated for Authorised Insurers under the proposal are set out below:

1. Inherent Risk Assessment ("IRA")

Authorised Insurers are required to perform the IRA to evaluate their Inherent Risk rating according to the indicators and assessment criteria in the GL20 Appendix: Annex A, which yields the Authorised Insurer's overall Inherent Risk rating. The Inherent Risk rating, which has three levels (Low, Medium and High), determines the expected maturity level of cyber resilience for the Authorised Insurer;

2. Maturity Assessment ("MA")

Authorised Insurers should then assess and determine the actual maturity level of their cybersecurity posture according to the list of control principles in the GL20 Appendix: Annex B (the Maturity Assessment, "MA"). There are 3 maturity levels (Baseline, Intermediate and Advanced), and the control principles span 7 domains. Any gap between the expected and the actual level of maturity should be identified, and where a gap exists the Authorised Insurer shall develop and implement an improvement roadmap to reach the expected level of maturity;

3. Threat Intelligence Based Attack Simulation ("TIBAS")

A minimum of three end-to-end cyber-attack scenarios shall be covered in the simulation for Authorised Insurers with a Medium inherent risk rating, and five for those with a High inherent risk rating. The insurer's cybersecurity systems, people and processes are evaluated as part of this exercise.

Unlike the current GL20, the revised GL20 requires the assessment results to be submitted to the IA within 9 months after rollout and every 3 years thereafter. Authorised Insurers may wish to start the assessment activities as soon as possible, particularly those rated High or Medium inherent risk, for which external consultants must be involved in performing the assessment.

How can Deloitte help?

Our Deloitte Cyber professional team has the experience and knowledge to prepare companies for compliance with the new GL20 assessment requirements. Our service offerings span Advise, Implement and Operate, with the following key offerings directly addressing the revised GL20 requirements:

  • Gap Analysis and Readiness Assessment on the new GL20 Cybersecurity Framework
  • Support IRA and MA
  • Support TIBAS

We also have recent success stories from cybersecurity assessments similar to the newly proposed revised GL20:

  1. Cyber Resilience Assessment Framework ("C-RAF 2.0"): the Deloitte team was engaged by various local and overseas banks and multiple virtual banks to perform cybersecurity assessments against C-RAF 2.0, covering a scope similar to the GL20 assessments, including IRA, MA and TIBAS;
  2. Intelligence-led Cyber Attack Simulation ("iCAST"): the Deloitte team was engaged by several leading banking clients to plan, conduct and execute an iCAST, akin to TIBAS, emulating realistic threats facing the bank based on cyber threat intelligence analysis of their critical functions and of the Hong Kong financial industry sector, which in turn gave the organisation an opportunity to assess the maturity of its cyber resilience.

The revised GL20 requirements apply to all Authorised Insurers in relation to the insurance business they carry on in or from Hong Kong. Feel free to contact our Deloitte Cyber Team to learn more.

The Deloitte ONEInsurance Cyber Team offers a comprehensive suite of Advise-Implement-Operate (AIO) services to help insurers achieve compliance, including gap analysis and readiness assessments.

Insurance Authority Guideline on Cybersecurity (GL20) Revision
What are the impacts on insurers?
