Guideline On Cybersecurity English
GUIDELINE ON CYBERSECURITY
Insurance Authority
Contents Page
1. Introduction ............................................................................................3
2. Interpretation ..........................................................................................3
5. Governance ............................................................................................7
1. Introduction
1.2 Cyber risk is one of the most significant operational risks that insurers face, particularly with regard to the business operations they conduct digitally and on-line. Cybersecurity incidents can result in financial loss, business disruption, damage to reputation and other adverse consequences to an insurer. Accordingly, this Guideline requires authorized insurers to put in place resilient cybersecurity frameworks to protect their business data and the personal data of their existing or potential policyholders, and to ensure continuity of their business operations.
2. Interpretation
(b) “cyber risk” refers to any risks that emanate from the transmission, storage, use or processing of data transmitted, stored and retrieved by electronic means, including technology tools and platforms such as computer systems, mobile applications, the internet and telecommunications networks. It encompasses data breach and leakage, loss of data, physical damage to such data caused by cybersecurity incidents, fraud committed by misuse of and unauthorized access to data, any liability arising from data storage and transmission, and the availability, integrity, and confidentiality of such data;
authorized insurer’s critical systems caused by cyber risk.
3.1 Except for captive insurers and marine mutual insurers, this Guideline applies to all authorized insurers in relation to the insurance business they carry on in or from Hong Kong.
3.3 This Guideline does not have the force of law and should not be interpreted in a way that would override the provisions of any law. Non-compliance with the provisions in this Guideline would not by itself render an authorized insurer liable to judicial or other proceedings. Non-compliance may, however, reflect on the IA’s view of the continued fitness and properness of the directors or controllers of authorized insurers to which this Guideline applies. The IA may also take guidance from this Guideline in considering whether there has been an act or omission likely to be prejudicial to the interests of policyholders or potential policyholders (albeit the IA will always take account of the full context, facts and impact of any matter before it in this respect).
4. Cybersecurity strategy and framework
5. Governance
(ii) evaluating inherent cyber risks presented by the users, processes and technology, and the underlying data, that support each identified function, activity, product and service;
7. Continuous monitoring
8. Response and recovery
9.2 Cyber risks and vulnerabilities evolve rapidly, as do best practices and technical standards to address them. Insurers should arrange adequate training for all system users on the subject of cybersecurity awareness and the latest developments in cybersecurity, taking into account the type and level of cyber risks they may face. Insurers are encouraged to promote the professional competence and capacity of their staff, especially those responsible for cybersecurity and systems.
10. Implementation
June 2019