GUIDELINE ON CYBERSECURITY (GL20) was revised and released by the Insurance Authority of Hong Kong in Dec 2024. This Guideline shall take effect from 1 January 2025.

This Guideline sets the minimum standard for cybersecurity that authorized insurers are expected to have in place and the general guiding principles, which the IA uses in assessing the effectiveness of an insurance company's cybersecurity framework. The Cyber Resilience Assessment Framework (CRAF) is defined in this guideline. CRAF is designed to help authorized insurers evaluate their inherent risks and maturity levels in cyber resilience. The assessment framework utilizes established risk indicators, control principles, and calculation methodologies to deliver insights that enhance the organization's cyber risk management.

The Hong Kong Monetary Authority (HKMA) has issued a similar CRAF for use by banks in Hong Kong. This article introduces the CRAF issued by the Insurance Authority (IA) for use by insurance companies in Hong Kong.

What is CRAF?

CRAF is a structured assessment tool designed for authorised insurers to assess their inherent risk and maturity in cyber defence. The CRAF provides a comprehensive set of risk metrics, control principles and methodologies to guide organizations in identifying vulnerabilities and implementing effective cyber security measures. By utilizing both qualitative and quantitative assessment criteria, CRAF gives insurers insight into the state of their cyber defenses, ensuring that they are able to proactively manage risk and protect their critical assets from evolving cyber threats.


What are the benefits of CRAF?

CRAF offers numerous benefits to authorized insurers seeking to strengthen their cybersecurity posture:

  • System Risk Assessment: The CRAF provides a structured approach to identifying and assessing inherent cyber risks, enabling organizations to effectively prioritize their security efforts.
  • Regulatory Compliance: The framework facilitates compliance with regulatory requirements, helping insurers avoid potential penalties and maintain their operational integrity.
  • Practical insights: CRAF provides customized recommendations that enable organizations to implement effective cybersecurity controls and improve their overall resilience.
  • Enhanced Reputation: By adopting CRAF, insurers can build trust with their customers and enhance their reputation in the marketplace.
  • Business Continuity: Ultimately, CRAF will result in a more secure operating environment, ensuring business continuity in the face of evolving cyber threats.


Who is CRAF for?

CRAF is suitable for authorized insurers operating in or from Hong Kong, including those involved in various types of insurance businesses. This framework is particularly beneficial for organizations that are looking to enhance their cyber resilience and comply with regulatory requirements set by the Insurance Authority (IA). CRAF is designed for both large insurance firms and smaller entities, providing a flexible approach to assessment that caters to the specific needs and complexities of each organization. Additionally, it serves as a valuable resource for risk management and cybersecurity teams, helping them make informed decisions to strengthen their overall cyber risk management strategies.


What documentation is required for CRAF?

Authorized insurers are required to submit their assessment results to the Insurance Authority (IA) of Hong Kong within a specified period of time: 12 months for insurers with high inherent risk ratings and 18 months for insurers with low or medium risk ratings, starting from the effective date of the CRAF. After the initial submission, the assessment needs to be submitted every three years. The submission should include:

  1. Inherent Risk Assessment: Provide ratings and associated supporting documentation using the prescribed template;
  2. Cybersecurity maturity assessment: maturity level for each control principle and a detailed improvement plan for identified gaps, including clear action points and target completion dates;
  3. Medium/High Risk Insurer: gaps identified from Threat Intelligence Based Attack Simulation (TIBAS) exercises, including review findings and risk ratings;
  4. Other information: Any other relevant information requested by the IA.

All submitted results, including completed templates, must be reviewed and signed off by the CEO or Senior Executive, as well as the assessors and validators involved in the assessment.


Related Services by DQS

DQS HK provides a Cyber Resilience Assessment service for insurers in accordance with the CRAF, covering one or all of the following:

  • Inherent Risk Assessment,
  • Cybersecurity Maturity Assessment, and
  • Threat Intelligence Based Attack Simulation (TIBAS).

Author

DQS HK

"In everything we do, we set the highest standards for quality and competence in every project. This makes our actions the benchmark for our industry, but also our own mission statement, which we renew every day"
