IRDAI’s INFORMATION AND CYBER SECURITY GUIDELINES: AN ATTEMPT TO STRENGTHEN THE CYBER SECURITY FRAMEWORK IN THE INSURANCE SECTOR
In an era of rapid digital transformation, the insurance industry has become increasingly reliant on technology to streamline operations and enhance customer experiences. However, this digital advancement has also exposed insurers to new risks, particularly in the form of cyber threats. Recognizing the importance of safeguarding sensitive data and maintaining trust, the Insurance Regulatory and Development Authority of India (“IRDAI”) issued the Information and Cyber Security Guidelines (“Guidelines”) on April 24, 2023, in order to enable the insurance industry to strengthen its cyber security framework for dealing with potential cyber threats. These Guidelines supersede the erstwhile ‘Guidelines on Information and Cyber Security for Insurers’ issued by IRDAI on April 7, 2017, and various other circulars on the same subject.
The Guidelines are applicable to all insurers including foreign reinsurance branches (FRBs), insurance intermediaries covering brokers, corporate agents, web aggregators, third party administrators (TPAs), insurance marketing firms (IMFs), insurance repositories, insurance self-network platforms (ISNPs), corporate surveyors, motor insurance service providers (MISPs), common services centres (CSCs) and the Insurance Information Bureau of India (IIB) (“Regulated Entities”). Insurance agents, micro-insurance agents, point of sale persons and individual surveyors are not covered under the purview of the Guidelines; however, insurers are required to ensure that these entities follow the minimum security framework prescribed under the insurer’s various board-approved policies, as set out under the Guidelines. The Guidelines cover within their ambit all data created, received or maintained by the Regulated Entities, in any form, in the course of carrying out their duties and functions.
Key Takeaways:
- Regulated Entities are required to create an organization structure for the governance, implementation and monitoring of information security, comprising the Board of Directors, the Risk Management Committee and the Information Security Risk Management Committee (“ISRMC”). The ISRMC shall comprise the Chief Technology Officer, Chief IT Security Officer, Chief Risk Officer, Chief Security Officer, Chief Information Security Officer and Chief Human Resource Officer.
- Regulated Entities are required to formulate and adopt various organizational level policies, such as an Information and Cyber Security Policy, Data Classification Policy, Asset Management Policy, Access Control Policy, Information Systems Acquisition and Development Policy, Information Systems Maintenance Policy, Mobile Security Policy, Incident and Problem Management Policy, Network Security Policy, Legal and Regulatory Compliance Policy, Email Security Policy, a policy in terms of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, etc., in order to ensure that they have a robust cyber security framework within their organization.
- Regulated Entities shall conduct risk assessments annually, and prior to introducing any major technology or initiative within the organization, using the services of an external service provider, permitting access to the organization’s critical systems, or granting access from external locations, in order to identify potential vulnerabilities and threats to their systems and networks. Such risk assessments shall be performed for business environments, business processes, business applications, information systems, employees, staff, third party vendors, etc.
- Regulated Entities shall ensure compliance with the directions issued by the Indian Computer Emergency Response Team (“CERT-In”) with respect to information security practices, procedures, prevention and reporting of cyber incidents. In this regard, it is pertinent to note that on April 28, 2022, CERT-In issued certain directions on cyber security under which the covered entities are, among other requirements, mandatorily required to report cyber incidents of specified types within 6 hours of noticing such incidents. Further, these directions also require the entities to designate a point of contact to liaise with CERT-In with respect to compliance with the provisions thereof.
- Regulated Entities shall implement measures such as encryption, access control mechanisms, consent of the provider of information and limitation on the collection of sensitive personal information, amongst others, in order to align with the extant data protection framework in India.
- Regulated Entities shall provide regular training and awareness programs to their employees about potential risks, threats and data protection measures.
- Regulated Entities shall ensure that the personal use of social media by their employees is conducted in such a way that it adds value to the business of the organization. Further, the use of social media for business purposes shall be permitted only after obtaining approval from the corporate communication team, and the employees concerned need to undergo appropriate training in this regard.
- Regulated Entities shall undertake appropriate due diligence on the shortlisted vendor when outsourcing an activity, in order to assess the capability of such vendor to comply with the information security obligations under the contractual agreement.
- Insurers shall ensure that the insurance intermediaries engaged by them comply with the Guidelines during the period of their engagement. Further, insurers are also required to obtain the necessary self-certification on an annual basis from such intermediaries as store the insurer’s data in physical form.
- Insurers will be required to submit their audit report, duly signed by the auditor along with the comments of their board of directors, to the IRDAI within 90 (Ninety) days from the end of the financial year or within 30 (Thirty) days of completion of the audit, whichever is earlier.