
Cymulate

2024-09-25

Enhanced Cybersecurity Assessment Requirements: IA's Updated GL20

The Hong Kong Insurance Authority (IA) issued the Cybersecurity Guideline (GL20) in 2019 to regulate the minimum cybersecurity measures required by the insurance industry. This aimed to mitigate cybersecurity threats faced by insurance companies and protect policyholders' data. GL20 also serves as the IA's guiding principle for evaluating the effectiveness of insurers' cybersecurity frameworks.

To address the increasingly severe cybersecurity landscape, the IA will introduce a revised GL20 in 2024. This update introduces more detailed guidelines and stricter risk assessment methodologies, including Threat Intelligence-Based Attack Simulation (TIBAS), providing insurance companies with more precise direction for cybersecurity risk management. Below are the risk assessment requirements of the new GL20 (all assessments must be conducted by a third party):

Inherent Risk Assessment (IRA)

The IRA assesses an insurance company's responsiveness and recovery capabilities under cyberattacks, classifying the risk level as low, medium, or high, and comprehensively analyzing its cybersecurity status.

Maturity Assessment (MA)

This assessment evaluates the actual maturity of an insurance company's overall security posture—including management, protection, detection, and remediation—requiring the development and implementation of improvement plans to achieve the desired security level.

Threat Intelligence-Based Attack Simulation (TIBAS)

TIBAS is required for companies with a medium or high IRA result. For medium-risk companies, the simulated cyberattack test must cover at least three attack scenarios; for high-risk companies, it must cover five. The test also includes assessing cybersecurity systems, personnel, and processes. Critically, the simulated attacks must be based on threat intelligence reflecting real-world attacks highly relevant to the insurance industry.

BAS Simulation Attack Platforms: Your Best Partner for GL20 TIBAS Compliance

Faced with the heightened requirements of the new GL20, insurance companies need to adopt more proactive cybersecurity strategies. Automated Breach and Attack Simulation (BAS) platforms available in the market can help you continuously self-assess risks and identify existing security gaps. Service providers can also leverage these platforms, with their real-world attack models based on global threat intelligence, as tools for conducting TIBAS. BAS solutions can:

  • Automate Realistic Attack Simulations: Simulate various real-world cyberattacks, including ransomware, data breaches, and Advanced Persistent Threats (APTs), to comprehensively detect cybersecurity vulnerabilities.
  • Validate Security Controls: Verify the effectiveness of existing security tools and strategies, identify potential security loopholes, and provide remediation recommendations.
  • Enhance Team Security Awareness: Improve the security awareness and emergency response capabilities of the team through simulated attacks.

The new GL20 is scheduled for official release in 2024. Insurance companies are required to submit assessment results within 9 months and every 3 years thereafter. Contact us to learn more about how BAS and our consultation service partners can help you meet the GL20 TIBAS requirements and build a stronger cybersecurity defense system!