Hong Kong Unveils Cybersecurity Guidelines for Insurers
Breach Reporting Deadlines, Other Requirements, Are Spelled Out
The Insurance Authority of Hong Kong has issued cybersecurity guidelines with a compliance deadline of January 2020.
Under the new requirements, insurers must report breaches no later than 72 hours after detection.
"The guidelines require authorized insurers to put in place resilient cybersecurity frameworks to protect their business data and the personal data of their existing or potential policyholders, and to ensure continuity of their business operations," the insurance authority notes in a statement.
Cyber risks are among the most significant operational risks that insurers face, the authority notes. Cybersecurity incidents can result in financial losses, business disruptions and damage to reputation, it points out.
The regulator says that except for captive insurers and marine mutual insurers, the guidelines apply to all authorized insurers that do business in Hong Kong. There are close to 200 registered insurers authorized to operate in the country that offer general, life, medical, motor and other coverage, the authority notes.
The regulator stressed that noncompliance with the provisions in this guideline would render an authorized insurer liable to judicial or other proceedings. The authority, however, has not specified the potential penalties.
This is the first time that the Insurance Authority of Hong Kong has come out with a comprehensive cybersecurity structure for insurers, says Hong Kong-based Parag Deodhar, former CISO of AXA Group, a general insurance company.
"The insurance industry is quite mature in the region, given there are many multinational organizations operating in the domain who are regulated by a stringent compliance structure," Deodhar says.
The new guidelines require insurers to identify cyber risks and conduct assessments on the effectiveness of mitigation efforts.
The key elements of the cyber risk management program, according to the guidelines, include:
- Identifying business functions, activities, products and services and maintaining a current inventory or mapping of its information assets and system configurations;
- Evaluating inherent cyber risks presented by users, processes and technologies and underlying data that support each identified function, activity, product and service;
- Conducting a business impact analysis for cyber risk - a determination of risks and prioritization of risk responses through identification of threats, vulnerabilities, likelihood and impact.
Lars Neilsen, Hong Kong insurance leader at the consultancy PWC, says the guidelines set the minimum standard of cybersecurity that is expected of an authorized insurer.
Incident Response Plan
The guidelines require insurers to develop a cybersecurity incident response plan, which covers scenarios of cybersecurity incidents and corresponding contingency strategies to maintain and restore critical functions and essential activities.
"The plan should also include criteria for the escalation of the response and recovery activities to the board or its designated management team," the authority notes.
Some key components of the incident response plan, the guidelines note, are:
- Assessing the nature, scope and impact of the incident and taking all immediate practicable steps to contain the incident and mitigate its impact;
- Notifying internal stakeholders, and, where applicable, external stakeholders and considering joint incident response actions, if necessary;
- Identifying and mitigating all vulnerabilities that were exploited in a breach to prevent similar incidents.
Insurance companies are experienced in handling various types of risks, Deodhar says. "They have three lines of defense. The operations team looks into varied forms of risk. The risk management team takes up the next level of defense in ensuring the policy holders' information is protected. And the auditing team, which is an independent body, ensures that the other teams have complied with risk management and compliance regulations to keep the data safe."
The insurance authority says it's imperative for CISOs to implement prudent and pragmatic threat monitoring mechanisms, establish a process for gathering and analyzing relevant cyber risk information, and participate in information sharing groups.
It stressed that insurers should provide cybersecurity awareness training to all system users, taking into account the type and level of cyber risk the insurer faces and the latest cyber threats.
"The insurance companies in the region take the regulatory requirements quite seriously and constantly have information sharing programs to share best practices," Deodhar says.
Earlier, Hong Kong and Singapore signed a cybersecurity memorandum of understanding that establishes a data protection information sharing mechanism and calls for joint research projects. This can also be extended to the insurance domain.
The new guidelines require that insurers establish and clearly define their cybersecurity objectives, as well as the requirements for competency of relevant personnel or system users.
Insurers must develop well-defined processes and implement the necessary technology for managing cyber risks.
The guidelines also state:
- The board of directors should be responsible for cybersecurity controls and ensure accountability by articulating clear responsibilities and lines of reporting and escalation for cybersecurity controls;
- Insurers should establish continuous monitoring processes for early detection of cybersecurity incidents, regularly evaluate the effectiveness of internal control procedures and update the risk appetite and tolerance limit as appropriate;
- They also should manage the identities and credentials for physical and remote access to information assets.