Comply with the GL 20 Assessment by 2025!

The revised GL20 guideline introduces several key changes compared to the previous version:
- Cyber Resilience Assessment Framework (CRAF): The new version introduces the CRAF, which provides detailed guidance on risk assessment and control principles to help insurers implement their cybersecurity frameworks effectively.
- Assessment requirements: The revised guideline requires insurers to complete three types of assessment:
  - Inherent Risk Assessment (IRA)
  - Maturity Assessment (MA)
  - Threat Intelligence Based Attack Simulation (TIBAS), applicable to insurers with a high or medium inherent risk level
- Documentation and submission: Insurers must submit the results of these assessments, including supporting justifications and remediation roadmaps, to the Insurance Authority within the deadline set by their inherent risk rating (twelve months for high-risk insurers, eighteen months for low- or medium-risk insurers). The first submissions, under the twelve-month deadline, are therefore due by 31 December 2025.
- External consultants: Insurers with a high or medium inherent risk level are required to engage external consultants to perform the assessments.
- Scope of assessment: The revised guideline expands the scope to cover all systems, infrastructure (both on-premises and cloud), processes, and people supporting the insurer's business in Hong Kong.
Cyber Resilience Assessment Framework (CRAF)
The Cyber Resilience Assessment Framework (CRAF) introduced in the revised GL20 guideline by the Insurance Authority of Hong Kong includes three main assessments: Inherent Risk Assessment (IRA), Maturity Assessment (MA), and Threat Intelligence Based Attack Simulation (TIBAS). Here are the details:
1. Inherent Risk Assessment (IRA)
The IRA evaluates an insurer's inherent cyber risk level based on a set of indicators and assessment criteria. This assessment helps insurers understand their exposure to cyber threats and the potential impact on their operations. The IRA results in an overall inherent risk rating of low, medium, or high, which in turn determines the submission deadline and whether a TIBAS exercise is required.
2. Maturity Assessment (MA)
The MA assesses the maturity of an insurer's cybersecurity controls and practices. It evaluates the insurer's cybersecurity posture against the set of control principles outlined in the guideline. The assessment identifies gaps in the current cybersecurity framework and requires insurers to develop a remediation roadmap, with action points and target completion dates, to close these gaps and raise their control maturity level.
3. Threat Intelligence Based Attack Simulation (TIBAS)
TIBAS is required for insurers with a medium or high inherent risk level. This assessment simulates real-world cyberattacks based on threat intelligence relevant to the insurance industry. The simulation tests the insurer's cybersecurity systems, processes, and personnel to evaluate their ability to detect, respond to, and recover from cyber incidents. For medium-risk insurers, the simulation must cover at least three attack scenarios, while high-risk insurers must cover at least five.
CRAF submission protocol
Authorized insurers must submit their assessment results to the Insurance Authority (IA) within the following deadlines:
- 12 months for insurers with a high inherent risk rating.
- 18 months for insurers with a low or medium inherent risk rating.
After the first submission, insurers should submit results every three years. The submission should include:
- Inherent Risk Assessment results:
  - Overall inherent risk level and the level of each individual indicator.
  - Relevant documents and information supporting the ratings.
- Cybersecurity Maturity Assessment results:
  - Overall cybersecurity maturity level and the level of each individual control principle.
  - Gaps identified for the improvement/remediation plan, including action points and target completion dates.
- Threat Intelligence Based Attack Simulation (TIBAS) results (for medium or high inherent risk ratings):
  - Gaps identified during the TIBAS exercise, each with a description and a risk rating.
- Additional information:
  - Any other information reasonably requested by the Insurance Authority.
The results, including the complete assessment templates prescribed by the Insurance Authority, should be reviewed and signed off by the insurer's chief executive officer or a senior executive, as well as by the assessors and/or validators responsible for carrying out the assessment.
Our Assessment Services
We provide a comprehensive Assessment Service to help insurance companies comply with the latest version of the Insurance Authority’s Guideline on Cybersecurity (GL 20). Our methodology includes:
- Initial consultation: Understanding your organization's specific cybersecurity needs and challenges.
- Inherent Risk Assessment (IRA): Evaluating your inherent risk exposure through detailed analysis and risk profiling.
- Maturity Assessment (MA): Assessing the maturity of your cybersecurity framework against the GL 20 control principles, industry-standard benchmarks, and best practices.
- Threat Intelligence Based Attack Simulation (TIBAS): Conducting realistic attack simulations to test your defenses and response capabilities.
- Gap analysis: Identifying gaps in your current cybersecurity measures and providing actionable recommendations.
- Implementation support: Assisting with the implementation of the recommended improvements to ensure compliance and enhanced security.
Our team of experts uses advanced tools and methods to ensure your cybersecurity measures meet the GL 20 requirements, helping you achieve compliance and strengthen your overall security posture.
ISO 27001:2022 Consultation Service
In addition to our GL 20 Assessment Service, we offer a comprehensive ISO 27001 Consultation Service. Our team of experts will guide you through the entire certification process, from initial gap analysis to final audit preparation. We help you develop and implement an effective Information Security Management System (ISMS) that meets ISO 27001 standards, ensuring your organization is well-protected against information security threats.
Both ISO 27001 and GL 20 emphasize the importance of a robust cybersecurity framework. By aligning your cybersecurity measures with ISO 27001, you not only enhance your compliance with GL 20 but also adopt internationally recognized best practices. This dual approach ensures your organization is well-prepared to tackle evolving cyber threats while meeting regulatory requirements. With our support, you can achieve ISO 27001 certification efficiently and strengthen your overall security posture, gaining the trust of your clients and stakeholders.
Learn more at https://cassolution.com/what-is-iso-iec-27001

