The spectre of cybercrime increasingly shadows Hong Kong’s status as a global financial hub. The city’s businesses, regulators, and insurers are locked in a high-stakes battle against sophisticated fraudsters, with the Hong Kong Police reporting a 25% year-on-year surge in cybercrime cases in 2024, totalling over 5,000 incidents. Ransomware attacks, phishing scams, and insider threats dominate this alarming trend, prompting a regulatory crackdown and a seismic shift in cyber insurance practices.
Cybercrime surge: A catalyst for regulatory action
Hong Kong remains a global hotspot for digital fraud and cybercrime. According to TransUnion’s 2024 State of Omnichannel Fraud report, Hong Kong ranked third globally in average fraud losses, with residents suffering average financial losses exceeding HK$260,000 (approximately US$33,500), which is nearly 2.5 times the global average.
The city’s suspected digital fraud rate stood at 6.2% in 2024, 15% above the global average, marking the fifth consecutive year Hong Kong has exceeded global levels of fraud risk.
The retail sector was the most severely impacted, with a staggering 17.8% suspected fraud rate, representing a 113% year-over-year increase — the most significant jump among all industries surveyed. Other heavily targeted sectors include online communities (such as dating sites and forums) and financial services, although the latter experienced an 18% decline in fraud despite increased digital activity.
Supporting these findings, the Hong Kong Police Force reported a 50% increase in technology crimes in 2023 compared to 2022, with 34,112 cases recorded.
The main categories of cyber incidents handled by the Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT) also surged by 39% in the past year, with phishing incidents increasing by 83% and malicious software (including ransomware) cases rising by 354%. These figures underscore the growing sophistication and volume of cyber threats facing businesses and individuals in Hong Kong.
Regulatory landscape and compliance in cybersecurity and insurance
Data protection and cyber insurance alignment

Hong Kong’s Personal Data (Privacy) Ordinance (PDPO) remains the cornerstone of data protection compliance in the region. Tow Lu Lim, partner at Johnson Stokes & Master, explains that cybersecurity insurance policies in Hong Kong generally align with PDPO obligations by covering costs related to data breaches, such as notification, legal fees, and public relations expenses.
However, he emphasises that most policies exclude coverage for fines or penalties imposed by regulatory authorities, including those under the PDPO, due to the illegality principle, which prevents indemnifying fines intended as deterrents. Lim cites the English case of Safeway v Twigger [2010] EWCA Civ 1472 as a leading authority on this principle.
Regulatory requirements on insurers
Lim reiterates that the Hong Kong Insurance Authority (HKIA) does not impose specific underwriting requirements for cyber risk policies but expects authorised insurers to be licensed for the relevant business class and to adopt appropriate underwriting practices.
He notes that the increasing adoption of technologies such as artificial intelligence (AI) and the Internet of Things (IoT) complicates the risk landscape, requiring insurers to incorporate these emerging risks into their assessments.
Conversely, these technologies also aid in risk management, for example, through AI-driven cybersecurity defences and threat intelligence.
“Common exclusions in cyber insurance policies include acts of war or terrorism, natural disasters, pollution, wilful misconduct, breach of sanctions, bodily injury, and property damage,” points out Lim. These exclusions pose legal risks for corporate policyholders, especially when claims involve third-party liabilities.
Breach reporting and cross-border challenges
Hong Kong currently lacks a mandatory data breach notification regime under the PDPO, but it is recommended to notify the Privacy Commissioner for Personal Data (PCPD) as best practice. Lim states that failure to notify generally does not invalidate insurance coverage, providing some flexibility for insured parties.
In cases involving cross-border data transfers and conflicting jurisdictional laws (such as GDPR versus PDPO), cyber insurance policies typically cover notification expenses, legal fees, and damages. However, “the extent of coverage can vary depending on the policy wording and the jurisdictions involved,” cautions Lim.
National security law and policy exclusions
Cyber insurance policies in Hong Kong commonly exclude coverage for losses arising from criminal acts or wilful misconduct, which can include violations of the National Security Law (NSL). Lim clarifies that insurers are permitted to exclude coverage for NSL-related incidents, effectively denying claims linked to such violations.
On the question of how it would affect claims, Lim clarifies that there “would be no cover to begin with.”
“That said, the relevance of the question is not clear because it is not apparent how a cyber breach suffered by a company (say ransomware attack) is related to violation of the NSL,” he elaborates.
Dispute resolution and regulatory investigation costs
Disputes over cyber insurance coverage in Hong Kong typically proceed through arbitration, favoured for its speed and confidentiality. “Like other insurance policies, cyber insurance contracts in Hong Kong often prescribe specific mechanisms for resolving coverage disputes, and usually that would be arbitration, which is faster and confidential,” says Lim.
Cyber insurance policies also cover legal expenses incurred during regulatory investigations by the PCPD, the Hong Kong Monetary Authority (HKMA), the Securities and Futures Commission (SFC), or Hong Kong Exchanges and Clearing Limited (HKEX), including costs related to responding to inquiries and complying with investigation requirements.
Adaptation to regulatory changes
How should organisations approach their cyber insurance strategy, given the evolving nature of cybersecurity laws?
According to Lim, insurers and cyber insurance policies can account for future changes through specific endorsements that update policy terms in response to new legal obligations, and through regular review of the policy wording and schedule to ensure they remain aligned with current laws and best practices.
He reminds us that these policies typically have a one-year policy period, so the review is essentially built into the process.
Recent enforcement and anti-fraud efforts
The ICAC continues to play a critical role in combating fraud and corruption in Hong Kong. Recent operations have uncovered significant fraudulent schemes, including a $1.6 million commission fraud by an insurance agent and a $7 million fraud involving falsified accounts at the Hong Kong Productivity Council. These cases highlight the ongoing risks of internal fraud and the importance of robust compliance and insurance mechanisms.
Implications for businesses and cyber insurance in 2025/2026
Hong Kong’s fast-paced digital economy, coupled with sophisticated cyber threats, demands heightened vigilance from companies and insurers alike. The steep rise in fraud and technology crimes underscores the necessity for comprehensive cyber insurance policies that cover not only the direct costs of breaches but also legal and regulatory expenses.
While cyber insurance in Hong Kong aligns with key data protection laws, exclusions—particularly regarding fines, penalties, and NSL-related incidents—require careful consideration by policyholders. The absence of mandatory breach notification laws offers some flexibility but also calls for prudent incident management aligned with PCPD guidance.
Insurers must continually evolve their underwriting practices to address emerging risks from AI, IoT, and cross-border data flows while balancing risk assessment with the deployment of advanced cybersecurity technologies. Arbitration remains the preferred dispute resolution mechanism, ensuring efficient handling of coverage disagreements.
In summary, Hong Kong’s cybersecurity and insurance landscape in 2025 reflects a complex interplay of rising cyber threats, evolving regulatory expectations, and the critical role of robust insurance solutions.
Lim advises businesses to “stay informed of regulatory changes and carefully navigate policy terms to optimise protection in this challenging environment.”