5 Questions Every Insurer Should Ask Before Starting Their GL20 Journey

The Hong Kong Insurance Authority’s GL20 Guideline on Cybersecurity is a landmark regulation reshaping how insurers demonstrate operational resilience. Unlike tick-box compliance standards, GL20 is evidence-driven and scenario-based. It requires insurers to prove, through documented risk assessments, maturity benchmarking, and red-team style simulations, that their cyber resilience measures can withstand real-world threats.

For CISOs, compliance officers, and boards, the biggest challenge isn’t just ‘getting ready’ but knowing where to start and how to prioritize resources. Before embarking on a GL20 program, insurers must pause and ask the right questions, questions that reveal capability gaps, clarify board accountability, and prevent wasted effort.

Here are the five critical questions every insurer should ask before starting their GL20 journey.

1. Do we clearly understand GL20’s three assessment pillars, and what they mean for us?

At the core of GL20 lies the Cyber Resilience Assessment Framework (CRAF), structured around three mandatory assessments:

  1. Inherent Risk Assessment (IRA): Evaluates the insurer’s exposure to cyber risk based on business model, technology footprint, and external factors. It’s not subjective; it follows an IA scoring formula that classifies firms into low, medium, or high inherent risk categories. 
  2. Maturity Assessment (MA): Benchmarks the effectiveness of cybersecurity controls against baseline, intermediate, and advanced control principles. Importantly, the MA is sampling-based; the IA expects insurers to select representative systems and controls for validation. 
  3. Threat-Intelligence Based Attack Simulation (TIBAS): A red-team style exercise simulating sophisticated attacks informed by current threat intelligence. For firms with medium or high inherent risk, TIBAS must be performed by a competent third party.

Industry fact: According to EY’s briefing on GL20 readiness, most Hong Kong insurers underestimate the scale of evidence collection for MA and the technical demands of TIBAS, often leaving insufficient time to build remediation plans before submission deadlines.

Takeaway: Before starting, ask whether your leadership and operational teams understand exactly what IRA, MA, and TIBAS involve, not just in concept, but in terms of evidence, frequency, and external validator involvement.

2. Is our board and senior management prepared for their accountability under GL20?

GL20 makes board and senior management accountability explicit. The IA requires boards to:

  • Approve the IRA and MA results. 
  • Review and sign off on TIBAS’ scope and outcomes. 
  • Endorse the cyber resilience roadmap.

This is more than governance optics. Regulators increasingly hold boards accountable for cyber lapses. In global markets, fines and personal liability for directors are becoming the norm.

Data point: In 2024, 35% of global regulators surveyed by Deloitte identified board accountability for cyber risk as their top supervisory priority, a trend mirrored in Hong Kong’s GL20.

Takeaway: Ask whether your board understands their personal role in GL20 compliance. If the answer is no, plan immediate education sessions and formalize a governance RACI where board approvals are clearly documented.

3. Do we have the right evidence collection and sampling processes in place?

The Maturity Assessment (MA) is one of the most misunderstood components of GL20. Unlike ISO or internal audits, where you can flood assessors with artifacts, GL20 requires representative sampling with a documented rationale.

Common mistakes include:

  • Submitting ‘everything’ instead of a justified sample. 
  • Failing to capture the evidence trail (policies, logs, configurations, test results). 
  • Missing the linkage between controls and business impact.

Fact: IA guidance stresses that MA submissions without a transparent sampling methodology are likely to be rejected or trigger follow-up queries.

Takeaway: Ask whether your current audit and evidence collection processes can support GL20’s sampling-based expectations. If not, you’ll need automation and version control to avoid costly rework.

4. Are we realistically prepared for TIBAS and its operational impact?

GL20’s TIBAS requirement separates it from traditional compliance frameworks. It’s not a checkbox penetration test; it’s an intelligence-driven attack simulation that tests real-world resilience.

Key elements insurers often overlook:

  • External expertise: Medium/high IRA firms must use competent third-party red teams. 
  • KPIs: Regulators expect metrics like time-to-detect, time-to-contain, and impact on critical services. 
  • Remediation cycle: TIBAS doesn’t end with a report; you must show how findings were addressed.

Industry fact: A PwC study on cyber resilience found that organizations conducting annual red-team exercises reduced mean time to detect incidents by 27% compared to peers relying only on vulnerability scans. This aligns directly with GL20’s intent for TIBAS.

Takeaway: Ask whether your organization has a TIBAS playbook, red-team partners, and internal processes to capture and remediate simulation findings without business disruption.

5. Do we have a strategy to integrate GL20 with other frameworks (ISO, NIST, APRA CPS 234)?

For global insurers, GL20 is rarely the only requirement. Many already maintain ISO/IEC 27001 certification, align with NIST CSF, or meet APRA CPS 234 standards for Australian operations.

Without integration, you’ll duplicate effort, create fragmented evidence, and increase audit fatigue.

Data point: SecurityScorecard’s 2025 report found that firms managing multiple frameworks in silos spent 40% more staff hours on compliance preparation compared to those using harmonized control catalogues.

Takeaway: Ask whether your GL20 roadmap is designed to integrate with existing frameworks. A unified control catalogue and evidence pipeline can slash audit prep time and strengthen regulator trust.

Putting It All Together: From Questions to Action

Asking these five questions forces insurers to confront capability gaps before they derail GL20 compliance:

  1. Do we understand IRA, MA, and TIBAS requirements? 
  2. Is our board prepared for accountability? 
  3. Can we support evidence sampling with audit-grade rigor? 
  4. Are we operationally ready for TIBAS? 
  5. Is our GL20 program integrated with ISO, NIST, APRA, and other standards?

The answers will shape your GL20 readiness roadmap, determining budget allocations, staffing, board engagement, and technology choices.

How ComplyNexus Helps Insurers Get GL20-Ready

ComplyNexus is designed as the compliance backbone for GL20. Instead of manually piecing together spreadsheets, audit trails, and red-team evidence, insurers can rely on a central AI-driven platform:

  • IRA Automation: Implements IA’s scoring formula, linking results directly into the enterprise risk register. 
  • MA Sampling Engine: Auto-generates sampling plans, pulls evidence from connected systems, and produces validator-ready audit packs. 
  • TIBAS Orchestration: Coordinates red-team exercises, captures KPIs (time-to-detect, containment time, service impact), and generates regulator-ready reports. 
  • Unified Framework Mapping: Maps GL20 controls to ISO 27001, NIST CSF, and APRA CPS 234, eliminating duplication. 
  • Immutable Evidence Store: Version-controlled, tamper-evident, and exportable in IA submission formats.

Result: Insurers using ComplyNexus cut GL20 preparation cycles from months to weeks, with fewer regulator queries and stronger cyber resilience outcomes.

GL20 compliance isn’t just a regulatory requirement; it’s a resilience milestone for Hong Kong’s insurance industry. Insurers that prepare early, ask the right questions, and invest in automation will not only satisfy the IA but also strengthen trust with customers and regulators.

Start your GL20 journey with confidence. 

Book a demo with ComplyNexus to see how we automate IRA, MA, and TIBAS for faster, smarter compliance.

FAQs

  1. Is GL20 mandatory for all insurers in Hong Kong?
    Yes, GL20 applies to all authorized insurers in Hong Kong, regardless of size. Smaller insurers may have proportionate requirements, but all must complete IRA, MA, and (if applicable) TIBAS.
  2. How often must assessments be conducted?
    IRA and MA are annual, while TIBAS frequency depends on the inherent risk tier (medium/high IRA firms must conduct it at least every two years).
  3. Can in-house teams conduct TIBAS?
    For medium/high IRA firms, TIBAS must involve competent external red-team providers. Low IRA firms may use internal teams with adequate capabilities.
  4. How long does GL20 readiness take?
    Most insurers need 6–12 months to prepare for their first GL20 submission, depending on their baseline maturity.

  5. Can GL20 compliance improve cyber insurance premiums?
    Yes. Demonstrating strong GL20 alignment can strengthen risk posture and lead to more favorable insurance underwriting outcomes.
