
Higher premiums loom under Hong Kong’s stricter cyber law
Insurers will play a more active role in clients’ pre-breach cybersecurity strategies.
Hong Kong’s tighter cybersecurity law is expected to prompt insurers to reassess coverage, tighten underwriting, and push up premiums, analysts said.
Jonathan Crompton, a partner at law firm Reynolds Porter Chamberlain LLP in Hong Kong, said the changes would likely not immediately overhaul cyber policy wording but would drive gradual structural shifts in how insurers evaluate risk and engage with clients.
“If the market remains soft and more insurers enter into the cyber market, then we may see more requests from insureds and brokers to cover certain costs specific to the new law,” he told Insurance Asia.
“This could potentially extend to certain proactive measures that are necessary under the Critical Infrastructures Ordinance (Cap. 653),” he added.
The ordinance mandates that critical infrastructure operators strengthen cyber defences and remain responsible for cybersecurity even when third-party vendors are involved. Whilst most policies already respond to breaches caused by service providers, Crompton said underwriting will become more probing.
“We’ve seen incidents where the insured has confirmed in the underwriting questionnaire that it has multi-factor authentication, and then the forensic investigators found out that they did not,” he said.
Insurers are likely to tighten questionnaires, verify security measures, and refuse coverage if misrepresentations are found, he added.
Simon McConnell, a partner at law firm Clyde & Co. LLP, said premiums are expected to rise, particularly for high-risk sectors, reflecting increased compliance costs and regulatory exposure.
Insurers are reviewing policy terms to cover regulatory investigations, legal fees, public relations management, customer notification, cybersecurity experts, and information technology forensic costs.
Cyber insurance rates in Asia fell 7% in the second quarter, driven by demand from first-time buyers, according to New York-based insurance broker Marsh. Hong Kong rates declined 8%, slightly softer than previous quarters. Third-party cyber risk remains a key focus for underwriters as companies assess digital supply chains, it said.
Analysts said the new law would encourage insurers to play a more active role in clients’ pre-breach cybersecurity strategies.
Both Crompton and McConnell expect wider adoption of services such as security posture reviews, staff training, and simulated breach exercises.
Crompton said UK insurers now offer brief consultations and traffic-light reviews of data governance and breach policies, whilst McConnell predicted the emergence of dedicated cybersecurity advisory units. Such services cut claim frequency and help clients meet legal obligations.
Over the next three to five years, the ordinance is expected to strengthen market maturity. McConnell foresees broader coverage and incident response services evolving alongside regulatory and threat developments.
Crompton said improved security practices are likely to spread beyond critical infrastructure to large corporations, including retailers and hotel chains, as insurers start to apply the same checks across their client base.