Insurance regulator IRDAI has directed each insurer to appoint a Chief Information Security Officer (CISO) by April 30.

Permitting them to either appoint or designate a suitably qualified and experienced senior-level officer, the Authority said the CISO would be responsible for “articulating and enforcing the policies to protect their information assets and formation of Information Security Committee.”

The directive on the CISO is one of the measures the regulator has mandated in the Guidelines on Information and Cyber Security for Insurers that it released on Friday.

The directive follows an October decision of the Insurance Regulatory and Development Authority of India (IRDAI) to formulate a comprehensive information and cybersecurity framework and last month’s exposure draft on the framework.

IRDAI noted that the guidelines were based on the feedback received on the draft. The other measures it wants insurance firms to implement include having a Cyber Crisis Management Plan in place by June 30. It also wants them to finalise a board-approved Information and Cyber Security Policy by July 31, as well as an Information and Cyber Security assurance programme (implementation plan / guidelines) by September 30.