What will be the impact of HKMA’s Cybersecurity Fortification Initiative on Cyber Insurance development?

The Hong Kong Monetary Authority (HKMA) announced on May 18th, 2016 the implementation of a programme to enhance cybersecurity in the banking sector in Hong Kong through the Cybersecurity Fortification Initiative (CFI). This initiative will focus on three main “pillars”:

  • Cyber Resilience Assessment Framework (C-RAF): a risk-based framework for financial institutions to assess their own risk profiles, which should include an Intelligence-led Cyber Attack Simulation Test (iCAST)
  • Professional Development Programme: intended to increase the supply of qualified cybersecurity professionals and resolve the shortage of skills available in the region
  • Cyber Intelligence Sharing Platform: a platform to allow the banking industry to share information and collaborate in relation to cyber threat intelligence.

The three-month consultation period for discussing the assessment framework is now over and the final version will be released soon. Based on the Consultation Draft, we know that a Cyber Insurance Programme will be required to obtain advanced levels of certain Control Principles (Risk Management Programme, Escalation and communication…).


We understand that the focus of the HKMA’s initiative is to strengthen protection and prevention measures within banks in order to avoid or mitigate any harmful consequences of a cyber-attack. Even though they are mentioned, risk transfer and cyber insurance programmes do not seem to be the top priority for the HKMA, as financial institutions should be liable for their own risk and not “rest” on a potential risk-transfer programme. However, financial coverage, pre-loss services, incident response teams, IT forensics, public relations and legal support, and all other additional services offered by insurers will help financial institutions to implement key requirements of this framework, including identification, quantification and mitigation of inherent risks, but also implementation of proper training programmes (especially on phishing, spear phishing and social engineering), drafting and testing of an incident response plan, etc.

As a result, we can say that this initiative will not create the long-awaited trigger that the insurance industry has been waiting for from local authorities to boost the cyber insurance market. However, this initiative, coupled with others, including the Hong Kong Securities and Futures Commission’s (SFC) issuance of the cybersecurity circular, illustrates Hong Kong regulators’ continued and increasing focus on cybersecurity.


Timothée GRANGE
Loss Adjuster / Asia-Pacific Director – GM Consultant