Hong Kong 2025: Cyber defence meets insurance innovation

By allantan
May 28, 2025
The spectre of cybercrime increasingly shadows Hong Kong’s status as a global financial hub. The city’s businesses, regulators, and insurers are locked in a high-stakes battle against sophisticated fraudsters, with the Hong Kong Police reporting a 25% year-on-year surge in cybercrime cases in 2024, totalling over 5,000 incidents. Ransomware attacks, phishing scams, and insider threats dominate this alarming trend, prompting a regulatory crackdown and a seismic shift in cyber insurance practices.

Cybercrime surge: A catalyst for regulatory action

Hong Kong remains a global hotspot for digital fraud and cybercrime. According to TransUnion’s 2024 State of Omnichannel Fraud report, Hong Kong ranked third globally in average fraud losses, with residents suffering average financial losses exceeding HK$260,000 (approximately US$33,500), which is nearly 2.5 times the global average. 

The city’s suspected digital fraud rate stood at 6.2% in 2024, 15% above the global average, marking the fifth consecutive year Hong Kong has exceeded global levels of fraud risk.

The retail sector was the most severely impacted, with a staggering 17.8% suspected fraud rate, representing a 113% year-over-year increase — the most significant jump among all industries surveyed. Other heavily targeted sectors include online communities (such as dating sites and forums) and financial services, although the latter experienced an 18% decline in fraud despite increased digital activity.

Supporting these findings, the Hong Kong Police Force reported a 50% increase in technology crimes in 2023 compared to 2022, with 34,112 cases recorded. 

The main categories of cyber incidents handled by the Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT) also surged by 39% in the past year, with phishing incidents increasing by 83% and malicious software (including ransomware) cases rising by 354%. These figures underscore the growing sophistication and volume of cyber threats facing businesses and individuals in Hong Kong.

Regulatory landscape and compliance in cybersecurity and insurance

Data protection and cyber insurance alignment

Hong Kong’s Personal Data (Privacy) Ordinance (PDPO) remains the cornerstone of data protection compliance in the region. Tow Lu Lim, partner at Johnson Stokes & Master explains that cybersecurity insurance policies in Hong Kong generally align with PDPO obligations by covering costs related to data breaches, such as notification, legal fees, and public relations expenses.

However, he emphasises that most policies exclude coverage for fines or penalties imposed by regulatory authorities, including those under the PDPO, due to the illegality principle, which prevents indemnifying fines intended as deterrents. Lim cites the English case of Safeway v Twigger [2010] EWCA Civ 1472 as a leading authority on this principle.


Regulatory requirements on insurers

Lim reiterates that the Hong Kong Insurance Authority (HKIA) does not impose specific underwriting requirements for cyber risk policies but expects authorised insurers to be licensed for the relevant business class and to adopt appropriate underwriting practices.

He notes that the increasing adoption of technologies such as artificial intelligence (AI) and the Internet of Things (IoT) complicates the risk landscape, requiring insurers to incorporate these emerging risks into their assessments.

Conversely, these technologies also aid in risk management, for example, through AI-driven cybersecurity defences and threat intelligence.

“Common exclusions in cyber insurance policies include acts of war or terrorism, natural disasters, pollution, wilful misconduct, breach of sanctions, bodily injury, and property damage,” points out Lim. These exclusions pose legal risks for corporate policyholders, especially when claims involve third-party liabilities.

Breach reporting and cross-border challenges

Hong Kong currently lacks a mandatory data breach notification regime under the PDPO, but it is recommended to notify the Privacy Commissioner for Personal Data (PCPD) as best practice. Lim states that failure to notify generally does not invalidate insurance coverage, providing some flexibility for insured parties.

In cases involving cross-border data transfers and conflicting jurisdictional laws (such as GDPR versus PDPO), cyber insurance policies typically cover notification expenses, legal fees, and damages. However, “the extent of coverage can vary depending on the policy wording and the jurisdictions involved,” cautions Lim.

National security law and policy exclusions

Cyber insurance policies in Hong Kong commonly exclude coverage for losses arising from criminal acts or wilful misconduct, which can include violations of the National Security Law (NSL). Lim clarifies that insurers are permitted to exclude coverage for NSL-related incidents, so claims linked to such violations would be denied.

On the question of how it would affect claims, Lim clarifies that there “would be no cover to begin with.”

“That said, the relevance of the question is not clear because it is not apparent how a cyber breach suffered by a company (say ransomware attack) is related to violation of the NSL,” he elaborates.

Dispute resolution and regulatory investigation costs

Disputes over cyber insurance coverage in Hong Kong typically proceed through arbitration, favoured for its speed and confidentiality. “Like other insurance policies, cyber insurance contracts in Hong Kong often prescribe specific mechanisms for resolving coverage disputes, and usually that would be arbitration, which is faster and confidential,” says Lim.


Cyber insurance policies also cover legal expenses incurred during regulatory investigations by the PCPD, HKMA, Securities and Futures Commission (SFC), or Hong Kong Exchanges and Clearing Limited (HKEX), including costs related to responding to inquiries and compliance with investigation requirements.

Adaptation to regulatory changes

How should organisations approach their cyber insurance strategy, given the evolving nature of cybersecurity laws?

According to Lim, insurers and cyber insurance policies can account for future changes through specific endorsements that update policy terms in response to new legal obligations, and through regular review of the policy wording and schedule to ensure they remain aligned with current laws and best practices.

He reminds us that these policies typically have a one-year policy period, so the review is essentially built into the process.

Recent enforcement and anti-fraud efforts

The ICAC continues to play a critical role in combating fraud and corruption in Hong Kong. Recent operations have uncovered significant fraudulent schemes, including a $1.6 million commission fraud by an insurance agent and a $7 million fraud involving falsified accounts at the Hong Kong Productivity Council. These cases highlight the ongoing risks of internal fraud and the importance of robust compliance and insurance mechanisms.

Implications for businesses and cyber insurance in 2025/2026

Hong Kong’s fast-paced digital economy, coupled with sophisticated cyber threats, demands heightened vigilance from companies and insurers alike. The steep rise in fraud and technology crimes underscores the necessity for comprehensive cyber insurance policies that cover not only the direct costs of breaches but also legal and regulatory expenses.

While cyber insurance in Hong Kong aligns with key data protection laws, exclusions—particularly regarding fines, penalties, and NSL-related incidents—require careful consideration by policyholders. The absence of mandatory breach notification laws offers some flexibility but also calls for prudent incident management aligned with PCPD guidance.

Insurers must continually evolve their underwriting practices to address emerging risks from AI, IoT, and cross-border data flows while balancing risk assessment with the deployment of advanced cybersecurity technologies. Arbitration remains the preferred dispute resolution mechanism, ensuring efficient handling of coverage disagreements.

In summary, Hong Kong’s cybersecurity and insurance landscape in 2025 reflects a complex interplay of rising cyber threats, evolving regulatory expectations, and the critical role of robust insurance solutions.

Lim advises businesses to “stay informed of regulatory changes and carefully navigate policy terms to optimise protection in this challenging environment.”
