Insurance Regulatory and Development Authority of India (“IRDAI”) came up with the first set of guidelines in 2017, which covered information and cybersecurity practices for insurers. These guidelines were designed to ensure that insurers have sufficient resources to manage any cyber threat to their systems, processes, and data. In 2022, the guidelines were extended to all insurance intermediaries, including brokers, corporate agents, web aggregators, third-party administrators (TPAs), insurance marketing firms (IMFs), insurance repositories, insurance self-network platforms (ISNP), corporate surveyors, motor insurance service providers (MISPs), common service centres (CSCs), and the Insurance Information Bureau of India (IIB). The revised guidelines were issued in response to the increased usage of digital technology and the corresponding increase in issues related to cybersecurity.
The Recent guidelines require insurers and intermediaries to take the appropriate precautions to protect their systems and data from cyber threats. These include the adoption of proper security measures, incident response strategies, and regular security audits. These guidelines emphasize on the significance of using a risk-based approach to information and cyber security, which includes identifying and analysing risks, establishing suitable controls, and frequently monitoring and testing the effectiveness of these controls.
APPLICABILITY OF THE GUIDELINES
These guidelines apply to all insurers, including foreign reinsurance branches (FRBs) and insurance intermediaries authorized by the Insurance Regulatory and Development Authority of India (IRDAI) including FRBs, Insurance Intermediaries (Brokers, Corporate Agents, Web Aggregators, TPAs, IMFs, Insurance Repositories, ISNP, Corporate Surveyors, MISPs, CSCs, and the Insurance Information Bureau of India (IIB). Insurance agents, micro-insurance agents, point-of-sale personnel, and individual surveyors are exempted from these guidelines. Those institutions that have already completed a security audit for FY 2022-23 must assure compliance with these guidelines beginning with the next fiscal year.
These guidelines apply to all data created, received, or maintained by regulated entities in the course of carrying out their authorised tasks and activities, regardless of where these data records are or what form they take.
The Organization’s Information and Cyber Security Policy (ICSP) will be governed by the Information Security Risk Management Committee (ISRMC), which will be made up of the Chief Risk Officer (CRO), Chief Information Security Officer (CISO), Chief IT Security Officer (CITSO), Chief Security Officer (CSO), Chief Human Resource Officer (CHRO), Chief Technology Officer (CTO), and function heads from Operations, Finance, Legal, and Compliance. The ISRMC will be in charge of policy revisions and approvals. It is also responsible for keeping the policy up to date. The CISO and at least two members must attend the ISRMC meeting, with all members meeting at least twice a year. The CISO will support and govern the ICSP’s implementation and enforcement. This policy will be reviewed annually and, if necessary, modified by the CISO and approved by the ISRMC.
- Organizations shall ensure that employees, contractors, and third parties follow the criteria for the acceptable use of any information assets provided by the Organisation.
- Assets must be utilized for commercial purposes only and may not be used for unlawful purposes such as hacking, cyber theft, identity theft, piracy, or pornography.
- Appropriate controls must be created to ensure compliance with statutory, regulatory, and contractual requirements for intellectual property rights and the use of proprietary software products.
- Employees should not use social media for business purposes unless they have received proper training that has been recommended or approved by the corporate communication team.
- Employees must refrain from posting any unverified or confidential material about the organisation on any Blogs/Chat forums/Discussion forums/Messenger sites/Social networking sites.
- Employees are not permitted to utilize social media sites to report a service defect, file a complaint, or publish anonymously or under a pseudonym. Employees are also not permitted to disclose anything received on their official email ID without prior consent from the insurer’s compliance staff, even if the email’s contents are intended to be posted online.
- While utilising social media for personal reasons, employees should act in a way that adds value to the company’s business and promotes its reputation.
- Any personal online posting or communication that implies you work for Organisation must contain a short and visible disclaimer such as “The postings on this service are my own personal views, not those of Organisation, and are not to be interpreted as such.”
- Employees of the Organisation are not permitted to use their Organisation email address or other Organisation details when signing up for or uploading content to an online networking service, unless use is necessary for legitimate business and professional purposes.
- Every year, the Auditor shall conduct an independent Assurance Audit. The annual audit plan and reports must be provided to the organization’s Audit Committee / Board of Directors / Principal Officer.
- The Insurer shall guarantee that the Insurance Intermediaries with whom they have contracted comply with these rules during the period of their employment. The insurer must have a Board-approved policy in this regard.
- The insurer must annually obtain the necessary self-certifications in this regard before beginning or continuing business with insurance intermediaries who only keep the insurer's data in physical form and do not maintain any electronic databases of the insurer's data or have access to the insurer’s systems.
- Insurers must submit their Audit Report to IRDAI within 90 days of the end of the fiscal year or within 30 days of completion of the audit, whichever is earlier.
With the increase in cyber security incidents and the increasing usage of digital technologies, the IRDAI has changed the rules to build a governance system that allows the insurance business to strengthen its defences and deal more effectively with emerging cyber threats. The IRDAI has taken a proactive step in releasing these modified guidelines in order to guarantee that the insurance industry is well-prepared to deal with the growing threat of cyber-attacks. It is thus, important that all insurance companies follow these guidelines and take the appropriate precautions to safeguard themselves and their customers against cyber threats.