Cyber Resilience Assessment Framework (CRAF) in GL20

Cyber Resilience Assessment Framework (CRAF), defined in GUIDELINE ON CYBERSECURITY (GL20) by the Insurance Authority of HK, is designed to help authorized insurers evaluate their inherent risks and maturity levels in cyber resilience. The assessment framework utilizes established risk indicators, control principles, and calculation methodologies to deliver insights that enhance the organization's cyber risk management.

GUIDELINE ON CYBERSECURITY (GL20) was revised and released by the Insurance Authority of Hong Kong in Dec 2024. This Guideline shall take effect from 1 January 2025.

This Guideline sets the minimum standard for cybersecurity that authorized insurers are expected to have in place and the general guiding principles, which the IA uses in assessing the effectiveness of an insurance company’s cybersecurity framework. The CRAF is defined in this guideline.

Note:

The Hong Kong Monetary Authority (HKMA) has also released a similar CRAF for use by banks in Hong Kong. The contents of this webpage focus on the framework released by the Insurance Authority for use by insurers in HK.

  • Comprehensive Framework
  • Tailored for Insurers
  • Expert Assessors
  • Regular and Ad Hoc Assessments
  • Regulatory Compliance
  • Risk-Based Approach

What is CRAF?

The Cyber Resilience Assessment Framework (CRAF) is a structured evaluation tool specifically designed for authorized insurers to assess their inherent risks and maturity levels in cyber resilience. CRAF provides a comprehensive set of risk indicators, control principles, and methodologies that guide organizations in identifying vulnerabilities and implementing effective cybersecurity measures. By leveraging both qualitative and quantitative assessment criteria, CRAF enables insurers to gain valuable insights into their cyber resilience posture, ensuring they can proactively manage risks and safeguard their critical assets against evolving cyber threats.

Who is CRAF suitable for?

CRAF in GL20 is suitable for authorized insurers operating in or from Hong Kong, including those involved in various types of insurance businesses. This framework is particularly beneficial for organizations that are looking to enhance their cyber resilience and comply with regulatory requirements set by the Insurance Authority (IA). CRAF is designed for both large insurance firms and smaller entities, providing a flexible approach to assessment that caters to the specific needs and complexities of each organization. Additionally, it serves as a valuable resource for risk management and cybersecurity teams, helping them make informed decisions to strengthen their overall cyber risk management strategies.

What are the benefits of CRAF?

The Cyber Resilience Assessment Framework (CRAF) in GL20 offers numerous benefits for authorized insurers seeking to bolster their cybersecurity posture:

  • Systematic Risk Evaluation: CRAF provides a structured approach to identifying and evaluating inherent cyber risks, allowing organizations to prioritize their security efforts effectively.
  • Regulatory Compliance: The framework facilitates compliance with regulatory requirements, helping insurers avoid potential penalties and maintain their operational integrity.
  • Actionable Insights: CRAF offers tailored recommendations that empower organizations to implement effective cybersecurity controls and improve their overall resilience.
  • Enhanced Reputation: By adopting CRAF, insurers can build trust with clients and enhance their reputation in the market.
  • Business Continuity: Ultimately, CRAF leads to a more secure operational environment, ensuring business continuity in the face of evolving cyber threats.

How does CRAF work?

The initial assessment involves evaluating your organization's inherent risk level using the Inherent Risk Assessment Matrix. Depending on the rating:

  • Low Risk: Proceed to Cybersecurity Maturity Assessment.
  • Medium/High Risk: The inherent risk assessment is re-performed by assessors with the required qualifications. Proceed to the Cybersecurity Maturity Assessment after the re-assessment.

Following the inherent risk assessment, the organization's cybersecurity maturity will be evaluated based on the Cybersecurity Maturity Assessment Matrix. This phase ensures that the organization has the necessary controls and processes in place to mitigate cyber risks effectively.

For an insurer with a medium or high inherent risk rating, the Cybersecurity Maturity Assessment (CMA) must be conducted by an Assessor with the required qualifications.
If the assessment is performed by internal staff acting as the Assessor, the results of the CMA must also be independently validated by a Validator with the required qualifications.

As an item in the Cybersecurity Maturity Assessment, an independent Threat Intelligence and Cyber Attack Simulation (TIBAS) Testing shall be conducted by experts who have the necessary skills and expertise, as well as industry-recognised qualifications across red teaming and threat intelligence.

This is distinct from, and in addition to, vulnerability and penetration testing of a single system or an isolated environment. A minimum of 3 end-to-end cyber attack scenarios shall be covered in the simulation, conducted in a production environment to simulate real-life attack scenarios.

  • Regular Assessments: Conducted at least every three years.
  • Ad Hoc Assessments: Recommended upon major changes in business or technology. An insurer should also conduct an assessment on an ad hoc basis when the IA considers it appropriate.

Related assessments should be conducted by competent professionals with the necessary qualifications and experience in cybersecurity and risk management. All results are validated independently to maintain the highest standards of integrity and accuracy.

Insurers must submit assessment results to the Insurance Authority (IA) within specified timeframes based on their inherent risk ratings. This includes:

  • Detailed reports on the inherent risk assessment and the cybersecurity maturity assessment, including the gaps against control principles identified through TIBAS Testing for insurers with a medium or high inherent risk rating.
  • Identification of control gaps and an improvement plan.
  • Regular updates every three years post-initial submission.

Non-compliance without mitigation measures may reflect on the IA’s view of the continued fitness and properness of the directors or controllers of the authorized insurers to which this Guideline applies.


How much does a Cyber Resilience Assessment cost?

As every company has distinct prerequisites and specific requirements for CRAF, the costs for the analysis and reports relating to it cannot be provided as a fixed amount. Please get in touch with us, and we will be pleased to offer you a personalized solution.


What you can expect from us

More than 35 years of experience in the certification of management systems and processes, including the information security and privacy information management segments. Industry-experienced assessors from the worldwide DQS network.

DQS HK can provide the following services under CRAF in GL20:

  • Inherent risk assessment,
  • Cybersecurity maturity assessment, and/or
  • Threat Intelligence and Cyber Attack Simulation (TIBAS) Testing.

Depending on the scope of a particular project, the assessment team will be assigned experts with suitable professional IT security qualifications, such as CISA, CISSP, CISM, CEH, OSCP, or OSEP.

Note:

The information on this webpage is for reference only and may not be kept up to date. It is not intended to be legal advice. Readers should seek professional advice from the relevant parties before making decisions on any matters arising from this Guideline.

We will be happy to provide you with a tailor-made offer for CRAF.