What Hong Kong businesses need to know about cyber insurance — what policies cover, critical exclusions to understand, how to assess your coverage needs, and how to navigate the claims process after an incident.
Cyber insurance policies cover financial losses arising from cybersecurity incidents — including ransomware attacks, data breaches, business email compromise fraud, and other cyber-enabled crimes. Coverage typically divides into first-party losses (costs incurred directly by your business) and third-party liability (claims made against your business by affected customers or partners). First-party coverage commonly includes: incident response costs (forensic investigation, legal counsel, public relations), business interruption losses (revenue lost while systems are offline), data recovery and system restoration costs, ransom payment coverage (subject to conditions and legal review), and regulatory fines and penalties related to the incident.
Third-party liability coverage in cyber policies protects against claims made by customers, partners, or regulators arising from a breach of your systems that affects them. For Hong Kong businesses that hold customer personal data, credit card data, or trade secrets, third-party liability is significant — a data breach affecting thousands of customers can generate substantial notification costs, class action exposure, and regulatory investigation expenses. Third-party cyber liability coverage typically includes: legal defence costs for claims arising from a data breach, settlement costs, regulatory investigation costs and penalty coverage, and the cost of notifying affected individuals of the breach.
The HK cyber insurance market has grown substantially as cyber incidents have become more frequent and more costly. Major insurers offering cyber products in Hong Kong include AIG, Zurich, AXA XL, CNA, Chubb, and specialist cyber insurers including Cowbell (focused on SMEs) and Coalition. Insurance brokers including Marsh, Aon, and Willis Towers Watson have dedicated cyber insurance practices in Hong Kong. For SMEs, many insurers now offer simplified SME cyber products with streamlined application processes and pre-set coverage tiers at affordable annual premiums — the cost of cyber coverage for a well-secured SME has become accessible, and the cost of an uninsured incident substantially exceeds the annual premium in most cases.
Cyber insurance exclusions define what the policy does not cover — and understanding exclusions is as important as understanding coverage. Many Hong Kong businesses have purchased cyber insurance and then discovered that their specific incident falls within a policy exclusion, leaving them without coverage when they needed it most. The most commercially significant exclusion in cyber policies is the war or nation-state exclusion, which excludes losses attributable to acts of war or cyber operations by nation-state actors. The NotPetya attack of 2017 — attributed to Russian state actors — triggered coverage disputes when insurers sought to apply war exclusions. Insurers have sought to broaden this exclusion in response to increased state-sponsored cyber activity.
Other common exclusions that HK businesses should scrutinise in cyber policies include: prior known circumstances exclusions (incidents that began before policy inception are typically excluded — if you had an undetected breach before buying the policy, losses from that breach may not be covered); inadequate security exclusions (some policies exclude claims arising from failure to maintain minimum specified security controls — if you claimed to have MFA enabled on all accounts and did not, a breach exploiting that gap may be excluded); social engineering and BEC fraud (business email compromise wire transfer fraud is sometimes sublimited or excluded from standard cyber policies — some policies require a separate crime or BEC endorsement for this coverage); and infrastructure failure exclusions (losses from failure of your internet provider or cloud provider may be excluded as not meeting the "cyber incident" definition).
The application and warranty process for cyber insurance creates important coverage obligations. When applying for cyber insurance, you typically certify that your organisation maintains specified security controls — MFA on all remote access and cloud applications, functioning endpoint protection, regular patching, and backup capability. These representations may become warranties in the policy — meaning that if they were inaccurate at the time of policy inception or became inaccurate during the policy period and you did not notify the insurer, the insurer may rescind coverage for claims arising from the uncertified gap. Understanding exactly what security controls you are certifying to maintain, and ensuring those controls are actually in place and maintained, is a condition of valid coverage.
Determining the right cyber insurance coverage limit for your Hong Kong business requires quantifying your realistic maximum probable loss from a significant cyber incident. Key factors in this assessment include: your revenue (business interruption coverage should reflect the revenue you would lose during a realistic recovery period — typically 30 to 90 days for a significant ransomware incident); the volume and sensitivity of personal data you hold (determining notification costs and third-party liability exposure); your exposure to BEC wire transfer fraud (finance businesses and those with high-value payables are higher risk); the cost of incident response services in HK (forensic investigation and legal counsel for a significant incident typically runs into hundreds of thousands of HKD); and your regulatory context (HKMA-regulated firms face different regulatory investigation exposure than unregulated SMEs).
Cyber insurance also serves as a procurement driver for incident response preparedness. Many cyber insurance policies include pre-arranged access to approved forensic investigation firms, legal counsel, and crisis communications specialists at pre-negotiated rates as part of the policy. These insurer-panel providers bring experience handling hundreds of cyber incidents and can respond faster and more effectively than hiring ad hoc in the middle of an incident. Reviewing the incident response panel provided by your cyber insurer before purchasing — understanding who these firms are and whether they have Hong Kong capability — is a valuable factor in policy selection beyond the financial coverage terms alone.
For regulated businesses in Hong Kong — banks, insurance companies, and securities firms regulated by the HKMA and SFC — cyber insurance requirements may be specified in regulator guidance. The HKMA's cyber resilience guidelines include expectations around risk transfer, and SFC circular guidance on cybersecurity recommends cyber insurance as part of a comprehensive cybersecurity programme. Even for unregulated businesses, the HKPC's SME cybersecurity guidance includes cyber insurance as a recommended control. Reviewing sector-specific regulator guidance for your industry before purchasing coverage ensures your policy addresses the specific expectations applicable to your business.
When a cyber incident occurs, how you engage with your cyber insurer in the first hours significantly affects coverage outcomes. Most cyber policies require prompt notification to the insurer — typically within 24-72 hours of discovering the incident, with some policies requiring notification "as soon as practicable." Delayed notification can create coverage disputes. Your incident response plan should include your insurer's emergency notification contact number (most cyber insurers provide a 24/7 incident notification hotline) and the initial information required to report a claim. Call your insurer before engaging external forensic investigators — your policy may require the use of approved panel providers, and engaging non-panel firms without insurer pre-approval can create coverage complications.
Documentation discipline from the first moment of an incident protects your insurance claim. Record all actions taken from the point of discovery — timestamped logs of what was discovered, when, by whom, what actions were taken, and what their outcomes were. Preserve evidence appropriately — do not immediately wipe or rebuild compromised systems before forensic imaging, as this destroys the evidence that establishes the nature, scope, and timeline of the incident. Collect and preserve financial records of losses incurred — staff hours spent on incident response, replacement hardware and software costs, third-party service invoices — as these support your business interruption and recovery expense claims. Your insurer's incident response panel forensic firm will guide evidence preservation if engaged promptly.
Ransom payment decisions in ransomware incidents require particular care in the Hong Kong context. Before paying any ransom, notify your insurer — most policies require insurer pre-approval for ransom payments and will not cover payments made without authorisation. Consult legal counsel on whether the specific ransomware group is subject to sanctions (paying ransomware groups on OFAC or equivalent sanctions lists can create legal liability). Engage a specialist ransomware negotiation firm — insurer panels typically include such firms — which can verify data recovery capability before payment, negotiate the payment amount, and manage cryptocurrency payment logistics. The HKPF CSTCB should also be notified; police notification does not prevent payment but provides law enforcement awareness and potential investigative assistance.