Insurance Bulletin - Hong Kong Summer 2025

Hong Kong's "Inward Re-domiciliation Regime" Goes Live: Key Takeaways for Insurance Market

Following a preview in our Autumn 2024 Insurance Bulletin, the Hong Kong inward re-domiciliation regime ("Regime") is now in force pursuant to the Companies (Amendment) (No.2) Ordinance, effective 23 May 2025. Non-Hong Kong incorporated entities, such as foreign insurance companies with regional operations in Asia, may relocate their legal domicile to Hong Kong, provided they meet the stated requirements. This can be done without winding up the existing entity or the need to assign/novate/transfer its assets and contracts to a new Hong Kong company.

With effect from the date of re-domiciliation, the re-domiciled entity will be regarded as a company incorporated in Hong Kong. The re-domiciled entity must then be deregistered in its place of incorporation within 120 days after the re-domiciliation date, failing which an order might be issued to revoke its registration as a re-domiciled company. The Hong Kong Companies Registry accepts and processes the applications – relevant guidance on the regime and application process is available on a thematic section of the Companies Registry website.

Of interest for the insurance market – while the Insurance Ordinance (Cap. 41) ("IO") itself has only had minor amendments, it now specifies certain requirements for becoming a re-domiciled insurer for: (i) a Hong Kong licensed non-Hong Kong insurer ("Overseas Insurer") and (ii) a non-Hong Kong company that is not yet a Hong Kong authorized insurer.

An Overseas Insurer becomes a re-domiciled insurer when it is registered as a re-domiciled company under the Companies Ordinance and is deregistered from its original place of incorporation. Before applying for registration with the Companies Registry, the Overseas Insurer must first obtain a letter of no objection from the Insurance Authority ("IA") by submitting a specified form (Form IC-N01) along with other information and documents required by the IA. These include (but are not limited to) – an implementation plan of the proposed re-domiciliation process and an indicative timetable, legal opinion(s) on various matters issued by law firm(s) qualified in the Overseas Insurer's place of incorporation, details of an assessment of any adverse impact to policyholders and corresponding measures or safeguards to mitigate the impact.

The IA will then consider, among other factors, the viability of the Overseas Insurer's implementation plans, its ability to comply with applicable legal and regulatory requirements, communications with policyholders and any foreseeable material impact on the Overseas Insurer's business operations or policyholders as a result of a re-domiciliation. Failure to obtain the letter of no objection may lead to regulatory actions, but it will not invalidate or revoke the re-domiciliation.

A non-Hong Kong company that is not yet authorised by the IA will become a re-domiciled insurer only after obtaining authorisation from the IA post re-domiciliation.

Re-domiciled insurers will be subject to Hong Kong's legal and regulatory framework applicable to locally incorporated insurers, such as (for example): solvency and capital requirements, corporate governance standards and on-going reporting and notification obligations.

The re-domiciliation regime marks a transformative milestone, positioning Hong Kong as an even  more effective hub for international insurers. Insurers with substantial operations in Hong Kong stand to benefit significantly, including with – cost efficiencies, business opportunities in Hong Kong and the Greater Bay Area, as well as a supportive and robust insurance regulatory environment and access to professional services in Hong Kong. Notably, insurance giants AXA and Manulife have already utilised the Regime in applying to re-domicile certain Bermuda group entities, with a stated aim to enhance operational alignments and respond more effectively to local market needs.

Early engagement with regulators in the Overseas Insurer's original domicile and with the IA is essential. Professional legal and regulatory advice is also strongly recommended to assess the implications of re-domiciliation. We would be glad to discuss any queries regarding re-domiciliation with you.

Finally, the Regime is also open to insurance intermediaries who may utilise the process solely through the Companies Registry and are only then required to notify the IA once the process is completed.

Revised Guideline on Cybersecurity ("Revised GL20")

The IA has issued a Revised GL20, effective 1 January 2025.

Revised GL20 provides: (i) the cybersecurity standards expected of authorized insurers; and (ii) general guiding principles in the form of a Cyber Resilience Assessment Framework ("CRAF"), which the IA will use to assess the effectiveness of cybersecurity strategies and frameworks implemented by authorized insurers.

CRAF adopts a three-tier approach, consisting of an Inherent Risk Assessment ("IRA"), Cybersecurity Maturity Assessment ("CMA") and Threat Intelligence-Based Attack Simulation ("TIBAS").

1. Inherent Risk Assessment ("IRA")

An IRA evaluates the inherent cyber risk exposure of an authorized insurer. The rating is determined with reference to 40 assessment criteria across five categories of risk indicators: technologies and connection types, delivery channels, products and technology services, organizational characteristics and external threats. One assessment criterion is the use of new technologies, including artificial intelligence, blockchain and machine learning.

If the insurer receives a low inherent risk rating, it may proceed to conduct a CMA (section 2 below), and there is no need to conduct TIBAS.

If the rating is medium or high, the insurer must also carry out TIBAS (section 3 below).

2. Cybersecurity Maturity Assessment ("CMA")

After establishing an inherent risk rating, an authorized insurer must carry out a CMA to assess: (i) the cybersecurity maturity level it is expected to achieve based on its inherent risk rating; and (ii) whether its actual cybersecurity maturity meets that expected level.

The assessment is based on prescribed control principles across several areas, including:

• Governance of the insurer
• Identification of IT assets and cyber risks
• Protection measures safeguarding access, infrastructure, data, systems, and software
• Detection capabilities for antivirus, antimalware, anomalous activity and suspicious system activities
• Incident response and recovery procedures
• Threat intelligence integration
• Third-party risk management

Insurers must identify any gaps in relation to the control principles and submit a remediation plan outlining action items and target completion dates.

3. Threat Intelligence-Based Attack Simulation ("TIBAS")

An authorized insurer with a medium or high inherent risk rating must simulate at least three end-to-end real-world cyberattacks carried out by competent adversaries. The simulation process should include multiple phases, such as scoping critical functions, identifying likely threat actors and common attack methods and capturing the outcomes of the simulations.

Conclusion

CRAF is a prescriptive framework designed to help authorized insurers evaluate their exposure to cybersecurity risks and maintain an appropriate cybersecurity maturity level. Upon completing the relevant assessments, insurers must submit the results of the IRA, CMA and/or TIBAS, along with any applicable remediation plan, within:

• 12 months (for insurers with a high inherent risk rating); or
• 18 months (for insurers with a low or medium inherent risk rating)

...... from the effective date of CRAF: 1 January 2025.

Aside: On 19 March 2025, Hong Kong's Legislative Council passed the Protection of Critical Infrastructures (Computer Systems) Ordinance. In brief, the legislation imposes statutory requirements on designated operators of critical infrastructures to protect their computer systems and essential services from being disrupted or compromised due to cyberattacks. The Ordinance is expected to take effect on 1 January 2026.

Conduct Requirements for Licensed Insurance Broker Companies

The IA recently delivered a webinar on the conduct requirements for licensed insurance broker companies, as set out in section 90 of the IO. This serves as a timely reminder of the duties of a licensed insurance intermediary to:

• act in the best interests of the client, honestly, fairly, and with integrity;
• exercise due care, skill, and diligence;
• advise only on matters on which they are competent to advise;
• disclose sufficient information to allow the client to make an informed decision;
• tailor advice to the client’s specific circumstances;
• properly manage or avoid conflicts of interest; and
• safeguard the client’s assets.

"Section 90 Conduct Requirements"

It is worth reviewing these in more depth:

1. To carry out "regulated activities" in the course of business or for reward, one must obtain the appropriate insurance intermediary licence.

2. Here, "regulated activities" includes selling, negotiating, arranging and giving advice on insurance.

3. Applicants must be "fit and proper" to obtain such a licence. The IA’s Guideline on Fit and Proper Criteria for Licensed Insurance Intermediaries sets out these standards.

4. A licensed insurance broker company must conduct regulated activities in accordance with the:

• Section 90 Conduct Requirements;
• Code of Conduct for Licensed Insurance Brokers issued by the IA; and
• other relevant guidelines issued by the IA from time-to-time.

5. In addition, the broker company must comply with requirements under:

• sections 71 to 73 of the IO; and
• the Insurance (Financial and Other Requirements for Licensed Insurance Broker Companies) Rules (Cap. 41L) (“Broker Rules”), including but not limited to:
  • maintaining a minimum share capital of at least HK$500,000;
  • maintaining minimum net assets of at least HK$500,000;
  • maintaining professional indemnity insurance that covers liabilities arising from breaches of duty in the course of its conducting regulated activities;
  • keeping proper books and accounts;
  • preparing financial statements in accordance with section 73(1) of the IO and section 8 of the Broker Rules; and
  • providing an auditor’s report in accordance with section 73(1) of the IO and section 9 of the Broker Rules.

6. The broker company must establish and maintain proper internal controls and procedures to ensure compliance with the Section 90 Conduct Requirements by itself and its technical representative(s).

7. Each licensed insurance broker company must appoint a representative, approved by the IA, to act as its Responsible Officer ("RO") with sufficient experience to oversee the company’s compliance with regulatory obligations, including conduct requirements and internal controls.

8. The RO may be personally liable for the company’s non-compliance with the Broker Rules, including the financial and operational obligations in item 5 above.

9. An RO may also face disciplinary action or prosecution for failure to fulfil their duties. The IA may revoke the RO’s approval in such circumstances.

Ultimately, these requirements are designed to protect policyholders and promote trust, integrity, and fairness among insurance market participants and within the broader financial system – in respect of which the insurance industry is a vital pillar. 

Hong Kong as a Rising ILS Hub

Hong Kong is establishing itself as a key market for insurance-linked securities ("ILS"). The successful issuance of two catastrophe bonds in 2021 and 2022 laid critical groundwork: these landmark deals, which covered typhoon risks in Mainland China and Japan, were enabled by a robust regulatory framework launched in 2021, supported by the IA's Pilot ILS Grant Scheme. With momentum building and investor interest deepening, Hong Kong is now poised to become Asia’s premier ILS domicile.

This framework has been the culmination of deliberate, phased reform. The 2020 passage of the Insurance (Amendment) Ordinance set the legislative foundation, followed by the Insurance (Special Purpose Business) Rules, which restricted ILS sales to qualified institutional investors. The IA provided further clarity through Guideline GL-33, which established rigorous criteria for Special Purpose Insurers ("SPIs"), including – full funding, bankruptcy remoteness and strong governance standards. The result is a well-structured, investor-conscious ILS ecosystem, ready to scale.

These steps have been reinforced by a broader national policy alignment. China’s State Council has identified Hong Kong as a strategic risk management centre under the Greater Bay Area scheme, with cross-border reinsurance and innovative insurance elements as core pillars. Mainland China regulators have also expressed support for domestic insurers to utilise Hong Kong’s ILS regime to access global capital markets. Notably, the 2024 ILS Asia Conference showcased cross-border collaborations and emphasised government commitment to long-term sector growth.

Investor appetite is reportedly steadily growing, driven by ILS’s ability to diversify portfolio risk and offer uncorrelated returns. "Cat bonds" are increasingly becoming attractive in a time of economic uncertainty and climate-driven volatility, with yields outpacing many traditional asset classes. Sponsors, in turn, benefit from a capital-efficient, flexible mechanism to transfer tail risk. Hong Kong is also investing in local risk modeling capabilities and actuarial talent, further enhancing market maturity.

Since the launch of the Hong Kong framework, five issuances have been completed (at the time of writing). The most recent – the multi-peril, multi-territory Silk Road Re bond sponsored by Taiping Re in 2025 – underlines Hong Kong’s viability as an alternative to established ILS domiciles like Bermuda and Singapore. Market participants expect further innovation in areas such as parametric triggers, tokenised settlements and ESG-linked "cat bonds". With regulatory clarity, strong public-private alignment and rising global interest, Hong Kong’s ILS ambitions are gaining real traction. As natural catastrophe events intensify and capital markets evolve, the city’s role as a regional hub for risk transfer and alternative reinsurance looks set to grow.