Cyber Insurance
Cyber insurance in Hong Kong has become a vital risk management tool as cyber threats surge amid rapid digitalization and regulatory change. Sophisticated cyberattacks, rising fraud, and evolving compliance requirements have driven demand for robust cyber protection among businesses of all sizes.

Cyber insurance Insights
Wide Coverage Scope
- Modern cyber insurance policies in Hong Kong commonly protect organizations against the direct costs of data breaches (e.g., data loss, incident response, and system repair), business interruption, cyber extortion, and legal and regulatory expenses.
- Coverage often specifically includes costs related to third-party claims and regulatory investigations, though exclusions still apply, particularly for fines and penalties, and especially those linked to National Security Law (NSL) issues.
Regulatory Environment and Guidelines
- The Hong Kong Insurance Authority (IA) revised its Guideline on Cybersecurity (GL20), effective from 1 January 2025, imposing new standards for insurers operating in the territory.
- Insurers must conduct regular Inherent Risk Assessments and Cybersecurity Maturity Assessments at least every three years, and after significant business or technological changes. Threat Intelligence Based Attack Simulation (TIBAS) is also mandated to test resilience against evolving threats.
- New cybersecurity legislation, most notably the Protection of Critical Infrastructure (Computer System) Ordinance, takes effect on 1 January 2026. It will mandate enhanced cybersecurity measures for key operators in sectors such as finance, healthcare, energy, and transport, overseen by a newly established Commissioner.
Policyholder Considerations
- Careful policy review is critical: exclusions regarding regulatory fines, certain cyber events, and NSL-related incidents require close scrutiny, as they could leave a business partially exposed.
- Breach notification is not yet mandatory under Hong Kong law, but businesses should align their response practices with the guidance of the Office of the Privacy Commissioner for Personal Data (PCPD) for prudent incident management.
Cyber insurance FAQs
All companies operating digitally (including SMEs, major enterprises, financial institutions, healthcare providers, and especially those managing sensitive data or critical infrastructure) should secure cyber insurance as part of their core risk management strategy.
Policies typically cover the direct costs of a cyber breach (data loss, forensics, notification, public relations), business interruption, cyber extortion payments, third-party legal liability, and regulatory investigation costs. Product details and exclusions, such as coverage for government fines or NSL incidents, should be checked with each insurer.
The revised IA Guideline GL20 (effective January 2025) and the upcoming Protection of Critical Infrastructure (Computer System) Ordinance (effective January 2026) are raising cyber risk management standards through mandatory risk assessments, simulation exercises, and supervision of critical sectors.
At least every three years, or following any significant change in business nature, technology, or systems. Threat simulation exercises are also required at similar intervals.
Yes. Most policies exclude coverage for regulatory fines and penalties, with particular attention to those tied to the National Security Law. Organizations must review policy wording carefully to understand all coverage limits and exclusions.