Comply with the GL 20 Assessment by 2025!

The revised GL20 guideline introduces several key changes compared to the previous version:

  1. Cyber Resilience Assessment Framework (CRAF): The new version introduces the CRAF, which provides detailed guidelines on risk assessment and control principles to help insurers implement their cybersecurity frameworks effectively.
  2. Assessment Requirements: The revised guideline requires insurers to complete three types of assessments:
    • Inherent Risk Assessment (IRA)
    • Maturity Assessment (MA)
    • Threat Intelligence Based Attack Simulation (TIBAS) (applicable for insurers with high or medium inherent risk levels)
  3. Documentation and Submission: Insurers must submit the results of these assessments, including justifications and remediation roadmaps, to the Insurance Authority within twelve months of the effective date. This means the assessments should be submitted before December 31, 2025.
  4. External Consultants: Insurers with high or medium inherent risk levels are required to engage external consultants to perform the assessments.
  5. Scope of Assessment: The revised guideline expands the scope to include all systems, infrastructure (both on-premises and cloud), processes, and people supporting the insurers’ business in Hong Kong.

Cyber Resilience Assessment Framework (CRAF)

The Cyber Resilience Assessment Framework (CRAF) introduced in the revised GL20 guideline by the Insurance Authority of Hong Kong includes three main assessments: Inherent Risk Assessment (IRA), Maturity Assessment (MA), and Threat Intelligence Based Attack Simulation (TIBAS). Here are the details:

1. Inherent Risk Assessment (IRA)

The IRA evaluates the inherent risk level of an insurer’s cybersecurity posture based on various indicators and assessment criteria. This assessment helps insurers understand their exposure to cyber threats and the potential impact on their operations. The IRA results in an overall inherent risk rating of low, medium, or high.

2. Maturity Assessment (MA)

The MA assesses the maturity of an insurer’s cybersecurity controls and practices. It involves evaluating the insurer’s cybersecurity posture against a set of control principles outlined in the guideline. The assessment identifies gaps in the current cybersecurity framework and requires insurers to develop a remediation roadmap to address these gaps and improve their control maturity level.

3. Threat Intelligence Based Attack Simulation (TIBAS)

TIBAS is required for insurers with medium or high inherent risk levels. This assessment involves simulating real-world cyberattacks based on threat intelligence relevant to the insurance industry. The simulation tests the insurer’s cybersecurity systems, processes, and personnel to evaluate their ability to detect, respond to, and recover from cyber incidents. For medium-risk insurers, the simulation must cover at least three attack scenarios, while high-risk insurers must cover five scenarios.

CRAF Submission Protocol

Authorized insurers must submit the results of their assessments to the Insurance Authority (IA) within:

  • 12 months for insurers with a high inherent risk rating.
  • 18 months for insurers with a low or medium inherent risk rating.

Following the first submission, insurers should submit the results every three years. The submission should include:

  1. Inherent Risk Assessment Results:
    • Overall inherent risk rating and individual indicator ratings.
    • Relevant documents and information supporting the ratings.
  2. Cybersecurity Maturity Assessment Results:
    • Overall cybersecurity maturity level and individual control principle levels.
    • Identified gaps with an improvement/remedial plan, including action points and target completion dates.
  3. Threat Intelligence Based Attack Simulation (TIBAS) Results (for medium or high inherent risk rating):
    • Identified gaps from the TIBAS exercise with descriptions and risk ratings.
  4. Additional Information:
    • Any other information reasonably requested by the IA.

The results, including completed assessment templates prescribed by the IA, should be reviewed and signed off by the Chief Executive or Senior Executive of the insurer, as well as the Assessor(s) and/or Validator(s) responsible for conducting the assessments.

Our Assessment Service

We provide a comprehensive Assessment Service to help insurance companies comply with the latest version of the Insurance Authority’s Guideline on Cybersecurity (GL 20). Our methodology includes:

  1. Initial Consultation: Understanding your organization’s unique cybersecurity needs and challenges.
  2. Inherent Risk Assessment (IRA): Evaluating your inherent risk exposure through detailed analysis and risk profiling.
  3. Maturity Assessment (MA): Assessing the maturity of your cybersecurity framework using industry-standard benchmarks and best practices.
  4. Threat Intelligence Based Attack Simulation (TIBAS): Conducting realistic attack simulations to test your defenses and response capabilities.
  5. Gap Analysis: Identifying gaps in your current cybersecurity measures and providing actionable recommendations.
  6. Implementation Support: Assisting with the implementation of recommended improvements to ensure compliance and enhanced security.

Our expert team uses advanced tools and methodologies to ensure your cybersecurity measures align with GL 20 requirements, helping you achieve compliance and strengthen your overall security posture.

ISO 27001:2022 Consultation Service

In addition to our GL 20 Assessment Service, we offer a comprehensive ISO 27001 Consultation Service. Our team of experts will guide you through the entire certification process, from initial gap analysis to final audit preparation. We help you develop and implement an effective Information Security Management System (ISMS) that meets ISO 27001 standards, ensuring your organization is well-protected against information security threats.

Both ISO 27001 and GL 20 emphasize the importance of a robust cybersecurity framework. By aligning your cybersecurity measures with ISO 27001, you not only enhance your compliance with GL 20 but also adopt internationally recognized best practices. This dual approach ensures your organization is well-prepared to tackle evolving cyber threats while meeting regulatory requirements. With our support, you can achieve ISO 27001 certification efficiently and strengthen your overall security posture, gaining the trust of your clients and stakeholders.

You may visit https://cassolution.com/what-is-iso-iec-27001 for more information.

Contact Us to Know More