
Introduction to Hong Kong Insurance Authority's GL20

GL20 is the Guideline on Cybersecurity issued by the Hong Kong Insurance Authority (IA). It sets out the IA's expectations for how authorized insurers in Hong Kong manage cyber risk as part of the wider regime for the conduct of insurance business, focusing on areas such as:
- Cybersecurity Governance: Establishing governance structures and processes so that the board and senior management own and oversee the insurer's cyber risk.
- Cyber Risk Management: Outlining expectations for a risk management framework under which insurers identify, assess, and manage cyber risks, including the inherent risk posed by their business profile and technology footprint.
- Internal Controls: Setting out the control principles an insurer's cybersecurity controls are assessed against, to safeguard information assets and the systems that support operations.

Revision of HKIA Guideline on Cybersecurity (GL20)
The revised GL20 introduces new cybersecurity standards for authorized insurers. The key changes compared with the previous version are:
- Cyber Resilience Assessment Framework (CRAF): The revised guideline introduces the CRAF, which prescribes the risk assessment methodology and the control principles against which insurers are assessed. The framework is designed to give insurers a structured, repeatable way to measure and improve their cybersecurity posture.
- Assessment Requirements: Insurers are now required to complete three types of assessment:
  - Inherent Risk Assessment (IRA)
  - Maturity Assessment (MA)
  - Threat Intelligence Based Attack Simulation (TIBAS), applicable to insurers with a high or medium inherent risk rating
- Documentation and Submission: Insurers must submit the results of their assessments, together with supporting justification and remediation roadmaps, to the Insurance Authority within 12 months of the guideline's effective date if rated high inherent risk (a December 31, 2025 deadline) and within 18 months if rated low or medium.
- Engagement of External Consultants: Insurers with a high or medium inherent risk rating must engage qualified external parties to carry out or validate the assessments.
- Expanded Scope of Assessment: The revised guideline broadens the scope to encompass all systems, infrastructure (both on-premises and cloud), processes and personnel that support the insurers’ operations in Hong Kong.
Cyber Resilience Assessment Framework (CRAF)
The Cyber Resilience Assessment Framework (CRAF) introduced in the revised GL20 guideline by the Insurance Authority of Hong Kong includes three main assessments: Inherent Risk Assessment (IRA), Maturity Assessment (MA), and Threat Intelligence Based Attack Simulation (TIBAS).
Inherent Risk Assessment
The IRA evaluates the inherent risk level of an insurer's cybersecurity exposure, using a set of indicators and assessment criteria that reflect the insurer's business profile, technology footprint, and external connectivity. It helps insurers understand their exposure to cyber threats and the potential impact on their operations. The IRA produces an overall inherent risk rating of low, medium, or high, which in turn determines whether TIBAS is required and how quickly the first CRAF submission is due.
Maturity Assessment
The MA assesses the maturity of an insurer's cybersecurity controls and practices by evaluating its posture against the control principles set out in the guideline. The assessment identifies gaps in the current cybersecurity framework, and the insurer must develop a remediation roadmap, with action points and target completion dates, to close those gaps and raise its control maturity level.
Threat Intelligence Based Attack Simulation
TIBAS is required for insurers with a medium or high inherent risk rating. It involves simulating real-world cyberattacks based on threat intelligence relevant to the insurance industry and to the insurer's own threat profile. The simulation tests the insurer's systems, processes, and personnel to evaluate their ability to detect, respond to, and recover from cyber incidents. For medium-risk insurers, the simulation must cover at least three attack scenarios, while high-risk insurers must cover at least five.
CRAF Submission Protocol
Authorized insurers must submit the results of their assessments to the Insurance Authority (IA) within:
- 12 months for insurers with a high inherent risk rating.
- 18 months for insurers with a low or medium inherent risk rating.
Following the first submission, insurers must resubmit the results at least every three years. Each submission should include:
- Inherent Risk Assessment Results:
  - Overall inherent risk rating and individual indicator ratings.
  - Relevant documents and information supporting the ratings.
- Cybersecurity Maturity Assessment Results:
  - Overall cybersecurity maturity level and individual control principle levels.
  - Identified gaps with an improvement/remedial plan, including action points and target completion dates.
- Threat Intelligence Based Attack Simulation (TIBAS) Results (for medium or high inherent risk ratings):
  - Identified gaps from the TIBAS exercise, with descriptions and risk ratings.
- Additional Information:
  - Any other information reasonably requested by the IA.
The results, including the completed assessment templates prescribed by the IA, must be reviewed and signed off by the Chief Executive or a Senior Executive of the insurer, as well as by the Assessor(s) and/or Validator(s) responsible for conducting the assessments.
Our Assessment Service
We provide a comprehensive Assessment Service to help insurance companies comply with the latest version of the Insurance Authority's Guideline on Cybersecurity (GL20). Our methodology includes:
Initial Consultation
Understanding your organisation's unique cybersecurity needs and challenges.
Inherent Risk Assessment (IRA)
Evaluating your inherent risk exposure through detailed analysis and risk profiling.
Maturity Assessment (MA)
Assessing the maturity of your cybersecurity framework using industry-standard benchmarks and best practices.
Threat Intelligence Based Attack Simulation (TIBAS)
Conducting realistic attack simulations to test your defences and response capabilities.
Gap Analysis
Identifying gaps in your current cybersecurity measures and providing actionable recommendations.
Implementation Support
Assisting with the implementation of recommended improvements to ensure compliance and enhanced security.
Our expert team uses proven tools and methodologies to ensure your cybersecurity measures align with GL20 requirements, helping you achieve compliance and strengthen your overall security posture.
ISO 27001 Consultation Services

We offer a comprehensive ISO 27001 Consultation Service to help you develop an effective Information Security Management System (ISMS) that meets the requirements of ISO 27001. Aligning with ISO 27001 supports your compliance with GL20, since many of the guideline's control principles map to ISMS controls, and it brings your organisation in line with global best practice for addressing evolving cyber threats and regulatory demands. With our support, you can achieve ISO 27001 certification efficiently, strengthening your security posture and gaining the trust of clients and stakeholders.
Visit our website at https://cassolution.com/what-is-iso-iec-27001 for more information.
For further information on the GL20 process, please fill in the enquiry form below and we will contact you as soon as possible.
