The Insurance Regulatory and Development Authority of India (IRDAI) has directed the insurance companies to conduct security audit of their information and computer technology (ICT) infrastructure.
While calling for immediate steps in this direction, the IRDAI said feedback/updates from insurers, to a circular it had issued in April on cyber security guidelines, reveals that many of them had not finalised their Gap Analysis report, Cyber Crisis Management Plan and Board-approved Information and Cyber Security Policy.
Sensitive information
A fully-secure ICT infrastructure is of paramount importance. Any vulnerabilities may result in compromise on confidentiality of policyholders’ information, besides exposing sensitive information of the insurance sector and financial markets.
“This would have serious repercussions not only for the insurance sector, but for the financial system of the country as a whole,” the IRDAI said in a recent communication to life, general and health insurers as well as re-insurers.
It advised them to take immediate steps towards security audit of the ICT infrastructure, including Vulnerability Assessment and Penetration Tests (VAPT) through Cert-in empanelled auditors.
The companies should identify the gaps and ensure that the audit findings are rectified swiftly.
The insurers, the regulator said, should also firm up their Cyber Crisis Management Plan for more effective handling of cyber incidents.
The direction applies to recently-registered insurers and re-insurers and those of them who have not appointed Chief Information Security Officer (CISO) must do so immediately.
Plan of action
The communication from the Executive Director-IT of IRDAI, Maruthi Prasad Tangirala, said the insurers who have not kept up with the timelines given to them in the guidelines on cyber security need to scale up their activities to comply with them.
They need to submit their plan of action by October 17.
