Sponsor · 2026-02-21
A Sponsor's Verification and Assessment of Cybersecurity Insurance Coverage for the Applicant
The SFC’s 2024-25 enforcement priorities, as articulated in the SFC Enforcement Report 2024 (published April 2025), explicitly flagged sponsor due diligence on technology risk and data governance as a key area of scrutiny, a direct consequence of the rising frequency and severity of cyber incidents affecting Hong Kong-listed companies. This shift is not theoretical. In 2024, the Hong Kong Monetary Authority (HKMA) recorded a 25% year-on-year increase in reported cybersecurity incidents across the banking and finance sector, according to its Cyber Security Surveillance Report 2024. For a sponsor assessing an applicant’s internal controls under HKEX Listing Rules Chapter 11 (Equity Securities) and the SFC Code of Conduct for Persons Licensed by or Registered with the SFC (the “Code”), the adequacy of cybersecurity insurance coverage is no longer a peripheral risk transfer consideration. It has become a direct indicator of the applicant’s operational resilience, disclosure accuracy, and the robustness of its risk management framework. A sponsor that fails to verify the scope, exclusions, and aggregate limits of an applicant’s cyber policy—particularly for applicants in fintech, e-commerce, or data-intensive sectors—risks missing a material control weakness that could directly impact the prospectus’s “Risk Factors” and “Business” sections. This article sets out the specific verification steps, assessment criteria, and documentation requirements a sponsor must execute to satisfy its due diligence obligations under the Code, Paragraph 17.6 (Sponsors) and HKEX Listing Rule 11.07.
The Regulatory Mandate for Cyber Insurance Verification
The Sponsor’s Duty Under the Code of Conduct
The SFC Code of Conduct for Persons Licensed by or Registered with the SFC (the “Code”), specifically Paragraph 17.6 (Sponsors), requires a sponsor to exercise due diligence to ensure that all material information in a listing application is accurate and complete. This obligation extends to the applicant’s risk management systems, internal controls, and, by extension, its insurance coverage. The SFC’s Guidance Note on Sponsor Due Diligence (June 2021) explicitly states that a sponsor must “obtain sufficient evidence to satisfy itself that the applicant has adequate systems and controls to manage its business risks,” a category that now unequivocally includes cyber risk.
The verification of cybersecurity insurance coverage is not a mere box-ticking exercise. It is a substantive assessment of whether the policy’s terms—including sub-limits, exclusions, and notification conditions—are consistent with the applicant’s disclosed risk profile. A policy with a HKD 10 million aggregate limit but a HKD 500,000 per-incident sub-limit for ransomware payments, for example, would be materially inadequate for an applicant generating HKD 500 million in annual digital transaction revenue. The sponsor must document this analysis in its due diligence work papers, as the SFC’s Thematic Inspection Report on Sponsor Due Diligence (2023) found that 40% of reviewed sponsor files lacked sufficient evidence of insurance policy review.
The 2024-25 SFC Enforcement Focus
The SFC’s Enforcement Report 2024 (published April 2025) identified “inadequate due diligence on technology-related risks” as a specific enforcement priority for the 2025-26 cycle. This follows a series of enforcement actions in 2023-24 where sponsors were sanctioned for failing to identify material weaknesses in applicants’ data security controls, including cases where the applicant’s cyber insurance policy was either non-existent or contained exclusions that rendered it effectively void for the disclosed business model.
The SFC’s Thematic Inspection of Sponsor Due Diligence on Technology Risks (February 2024) further clarified that a sponsor must assess whether the applicant’s cyber policy covers “first-party losses (data recovery, business interruption, ransomware payments)” and “third-party liabilities (regulatory fines, litigation costs, notification costs)” in a manner proportionate to the applicant’s disclosed risk exposure. A sponsor that relies solely on a broker’s summary without reviewing the full policy wording—including the “cyber exclusion” clause and the “failure to maintain minimum security standards” exclusion—is likely to be found in breach of its duty under Paragraph 17.6.
The Verification Framework: Scope, Exclusions, and Limits
Policy Scope and Sub-Limit Analysis
The first step in the verification process is a line-by-line review of the policy’s insuring clauses and sub-limits. The sponsor must obtain the full policy wording, not merely a certificate of insurance or a broker’s summary. The SFC Guidance Note on Sponsor Due Diligence (June 2021) requires that a sponsor “review the original documents” for material insurance policies, and a cyber policy is now considered material for any applicant with a material digital footprint.
The key sub-limits to verify include:
- Ransomware and extortion payments: Typically expressed as a sub-limit within the overall aggregate. A policy with a HKD 50 million aggregate but a HKD 2 million sub-limit for ransomware payments may be inadequate for an applicant whose business model depends on data availability.
- Business interruption (BI): The indemnity period (e.g., 30, 60, or 90 days) and the waiting period (e.g., 12, 24, or 48 hours). A 90-day indemnity period with a 12-hour waiting period is standard for most financial institutions; a 30-day period with a 48-hour waiting period may be insufficient for a fintech applicant where even 12 hours of downtime could trigger regulatory penalties under HKMA’s Supervisory Policy Manual SA-2 (2023).
- Data recovery and system restoration: The sub-limit for forensic investigation and data recovery costs. The sponsor must verify that this sub-limit is not exhausted by the deductible, which is typically HKD 250,000 to HKD 1 million for mid-market policies.
- Regulatory defence and penalties: Coverage for regulatory fines and defence costs, subject to the insurable interest principle under Hong Kong law. The HKMA’s Guideline on the Management of Cybersecurity Risks (December 2023) states that regulatory fines may be uninsurable in certain jurisdictions, but defence costs are typically covered.
Exclusion Clause Assessment
The exclusion clause is the most critical section of the policy. The sponsor must identify and assess the following standard exclusions:
- “Failure to maintain minimum security standards” exclusion: This exclusion voids coverage if the applicant failed to implement “industry-standard” security controls, such as multi-factor authentication (MFA), patch management, or data encryption. The sponsor must verify that the applicant’s disclosed controls (e.g., in the “Risk Factors” section of the prospectus) are consistent with the policy’s security requirements. A mismatch between the disclosed controls and the policy’s minimum standards is a material deficiency that must be disclosed.
- “Prior known breach” exclusion: This exclusion denies coverage for any breach that was known to the applicant before the policy’s inception date. The sponsor must request a written representation from the applicant’s board confirming that no prior breach has occurred that would trigger this exclusion, and must verify this against the applicant’s incident response logs and internal audit reports.
- “Acts of war” and “state-sponsored attacks” exclusions: Following the Merck v. ACE (2022) case in the US, many cyber policies now explicitly exclude “state-sponsored” attacks. The sponsor must assess whether this exclusion materially reduces coverage for the applicant’s disclosed risk profile, particularly for applicants with cross-border operations or those in sectors (e.g., critical infrastructure, financial services) that are frequent targets of state-sponsored actors.
- “Disruption of systems” exclusion: Some policies exclude coverage for “non-malicious” system disruptions, such as those caused by software bugs or configuration errors. The sponsor must verify that the policy covers both malicious and non-malicious events, as the HKMA’s Cyber Security Surveillance Report 2024 found that 35% of reported incidents in 2024 were non-malicious (e.g., human error, system failure).
Aggregate and Per-Incident Limits
The sponsor must assess whether the policy’s aggregate limit and per-incident limit are proportionate to the applicant’s disclosed risk exposure. The SFC’s Thematic Inspection Report on Sponsor Due Diligence (2023) found that 30% of reviewed sponsor files contained no analysis of whether the insurance limits were adequate for the applicant’s disclosed business operations.
The assessment methodology should include:
- Quantitative risk analysis: The sponsor should request the applicant’s most recent risk assessment (e.g., a quantitative risk analysis using the FAIR model or a qualitative assessment under ISO 31000) and compare the estimated maximum probable loss (MPL) from a cyber event to the policy’s aggregate limit. A policy with a HKD 100 million aggregate limit for an applicant with a HKD 500 million MPL is clearly inadequate.
- Industry benchmarking: The sponsor should benchmark the applicant’s policy limits against industry peers. For example, the Hong Kong Federation of Insurers (HKFI) Cyber Insurance Market Report 2024 states that the average aggregate limit for mid-market fintech companies in Hong Kong is HKD 50 million, with a per-incident limit of HKD 20 million. Any material deviation from this benchmark should be documented and justified.
- Regulatory minimums: For applicants in regulated sectors (e.g., banking, insurance, securities), the sponsor must verify that the policy meets the minimum coverage requirements set by the relevant regulator. The HKMA’s Guideline on the Management of Cybersecurity Risks (December 2023) requires authorised institutions to maintain cyber insurance coverage that is “commensurate with the scale and complexity of their operations,” but does not specify a minimum limit. The SFC’s Code of Conduct for Intermediaries (2024) requires licensed corporations to maintain “adequate” insurance, but again leaves the quantum to the sponsor’s professional judgment.
Documentation and Disclosure Requirements
Work Paper Documentation
The sponsor must document its verification and assessment of the applicant’s cyber insurance coverage in its due diligence work papers. The SFC Guidance Note on Sponsor Due Diligence (June 2021) requires that a sponsor “maintain a clear and complete record of the due diligence steps taken” and “the conclusions reached.” For cyber insurance, the work papers should include:
- A copy of the full policy wording (not just the certificate of insurance).
- A written analysis of the policy’s scope, sub-limits, exclusions, and aggregate limits, with specific reference to the applicant’s disclosed risk profile.
- A comparison of the policy’s terms to the applicant’s internal risk assessment and industry benchmarks.
- A written representation from the applicant’s board confirming that no prior breach has occurred that would trigger the “prior known breach” exclusion.
- A copy of the broker’s placement slip and any correspondence with the underwriter regarding policy terms.
Prospectus Disclosure
The sponsor must ensure that the prospectus accurately reflects the applicant’s cyber insurance coverage in the “Risk Factors” and “Business” sections. The SFC’s Thematic Inspection of Sponsor Due Diligence on Technology Risks (February 2024) found that 25% of reviewed prospectuses contained misleading or incomplete disclosures about cyber insurance coverage.
The disclosure should include:
- A clear statement of the policy’s aggregate limit and per-incident limit, expressed in HKD or USD.
- A description of the key exclusions, particularly any “failure to maintain minimum security standards” exclusion or “state-sponsored attacks” exclusion that could materially reduce coverage.
- A statement that the policy is subject to the terms, conditions, and exclusions set out in the policy wording, and that the applicant’s board has confirmed that no prior breach has occurred.
- A risk factor that states that the policy may not cover all potential losses or liabilities arising from a cyber event, and that the applicant may not be able to obtain or maintain adequate coverage in the future.
Practical Considerations for the Sponsor
Timing and Sequencing
The sponsor should initiate the cyber insurance verification process no later than the start of the “due diligence period” (typically 6-12 months before the expected listing date). The SFC’s Thematic Inspection Report on Sponsor Due Diligence (2023) found that sponsors who initiated insurance review late in the process (e.g., during the “pre-filing” period) were more likely to miss material deficiencies, as the applicant had limited time to remediate.
The verification should be sequenced as follows:
- Month 1-2: Request the full policy wording and the applicant’s internal risk assessment.
- Month 3-4: Conduct the line-by-line review of the policy’s scope, sub-limits, and exclusions.
- Month 5-6: Benchmark the policy against industry peers and regulatory requirements.
- Month 7-8: Document the analysis in the work papers and obtain board representations.
- Month 9-12: Finalise the prospectus disclosure and submit to the HKEX.
Red Flags That Trigger Further Inquiry
The sponsor should treat the following as red flags that require further inquiry and, potentially, a qualified opinion or withdrawal from the mandate:
- The applicant refuses to provide the full policy wording, offering only a certificate of insurance or a broker’s summary.
- The policy contains a “failure to maintain minimum security standards” exclusion that is inconsistent with the applicant’s disclosed controls.
- The policy’s aggregate limit is less than 10% of the applicant’s estimated MPL from a cyber event.
- The applicant has experienced a prior breach that would trigger the “prior known breach” exclusion, but has not disclosed this in the prospectus.
- The policy is underwritten by a carrier with a financial strength rating below “A-” (A.M. Best) or “A3” (Moody’s), indicating a material risk of the carrier being unable to pay claims.
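The sub-limit, deductible, limit-to-MPL and exclusion checks described under "Policy Scope and Sub-Limit Analysis", "Aggregate and Per-Incident Limits" and the red flags above can be reduced to a repeatable screening routine. The following is an added example, not code from the article or any regulator; the thresholds (10% of MPL, "A-"/"A3" carrier floor) are the ones this article states, while the field names, the tolerable-downtime input and the sample policy figures are constructed assumptions.

```python
"""Screen a cyber policy against the adequacy criteria set out in this article.
Added example with constructed inputs; thresholds follow the article's text."""
from dataclasses import dataclass

# Carrier ratings at or above the article's floor ("A-" A.M. Best, "A3" Moody's).
ACCEPTABLE_RATINGS = {"A++", "A+", "A", "A-", "Aaa", "Aa1", "Aa2", "Aa3", "A1", "A2", "A3"}

@dataclass
class CyberPolicy:
    aggregate_hkd: float
    per_incident_hkd: float
    ransomware_sublimit_hkd: float
    data_recovery_sublimit_hkd: float
    deductible_hkd: float
    bi_waiting_hours: int
    bi_indemnity_days: int
    min_security_controls: set  # controls the "minimum security standards" exclusion requires
    carrier_rating: str         # e.g. "A-" (A.M. Best) or "A3" (Moody's)

@dataclass
class Applicant:
    mpl_hkd: float                      # maximum probable loss from the risk assessment
    disclosed_controls: set             # controls stated in the prospectus
    max_tolerable_downtime_hours: int   # assumed input: downtime before penalties bite

def assess(policy: CyberPolicy, applicant: Applicant) -> list:
    """Return the findings a sponsor would record; an empty list means no issue under these rules."""
    findings = []
    # Red flag from the article: aggregate limit below 10% of the estimated MPL.
    if policy.aggregate_hkd < 0.10 * applicant.mpl_hkd:
        findings.append("RED FLAG: aggregate limit below 10% of estimated MPL")
    elif policy.aggregate_hkd < applicant.mpl_hkd:
        findings.append("aggregate limit below estimated MPL; document the justification")
    # A sub-limit can never exceed the aggregate; the deductible then erodes what is left.
    recovery_cover = min(policy.data_recovery_sublimit_hkd, policy.aggregate_hkd) - policy.deductible_hkd
    if recovery_cover <= 0:
        findings.append("data recovery sub-limit exhausted by the deductible")
    # Disclosed controls that fall short of the exclusion's minimum standards can void coverage.
    missing = policy.min_security_controls - applicant.disclosed_controls
    if missing:
        findings.append("RED FLAG: minimum security standards not met: " + ", ".join(sorted(missing)))
    # If the BI waiting period exceeds tolerable downtime, the loss is never indemnified.
    if policy.bi_waiting_hours > applicant.max_tolerable_downtime_hours:
        findings.append("BI waiting period exceeds the applicant's tolerable downtime")
    if policy.carrier_rating not in ACCEPTABLE_RATINGS:
        findings.append("RED FLAG: carrier rating below A- (A.M. Best) / A3 (Moody's)")
    return findings

if __name__ == "__main__":
    # Constructed sample: HKD 10m aggregate against a HKD 500m MPL, as in the article's illustration.
    weak = CyberPolicy(10e6, 5e6, 0.5e6, 1e6, 1e6, 48, 30, {"MFA", "patch management", "encryption"}, "B++")
    for finding in assess(weak, Applicant(500e6, {"MFA"}, 12)):
        print(finding)
```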
Actionable Takeaways
- Obtain the full policy wording for the applicant’s cybersecurity insurance policy, not merely a certificate or broker summary, and conduct a line-by-line review of scope, sub-limits, and exclusions.
- Compare the policy’s aggregate and per-incident limits to the applicant’s estimated maximum probable loss (MPL) from a cyber event, using the applicant’s own risk assessment or an industry benchmark such as the HKFI Cyber Insurance Market Report 2024.
- Identify and assess all standard exclusions, particularly the “failure to maintain minimum security standards” exclusion and the “state-sponsored attacks” exclusion, and verify that the applicant’s disclosed controls are consistent with the policy’s minimum security requirements.
- Document the entire verification process in the sponsor’s due diligence work papers, including a written analysis, board representations, and a copy of the policy wording, to satisfy the documentation requirements of the SFC Code of Conduct Paragraph 17.6 and the Guidance Note on Sponsor Due Diligence (June 2021).
- Ensure the prospectus disclosure accurately reflects the policy’s terms, limits, and exclusions, and include a risk factor that the policy may not cover all potential losses, to avoid misleading investors and triggering SFC enforcement action.