The Insurance Regulatory and Development Authority of India (IRDAI) issued its revised “IRDAI Information and Cyber Security Guidelines” on 24th April 2023. The guidelines refer to the widespread adoption of digital technologies and the concurrent increase in cyber security incidents, and are aimed at enabling the insurance industry to strengthen its defenses and the related governance mechanisms to deal with such emerging cyber threats.
The guidelines state that all Insurers including FRBs, Insurance Intermediaries covering Brokers, Corporate Agents, Web Aggregators, TPAs, IMFs, Insurance Repositories, ISNP, Corporate Surveyors, MISPs, CSCs and the Insurance Information Bureau of India (IIB) shall adhere to them. Entities that have already completed the security audit for FY 2022-23 shall ensure compliance with these guidelines from the next financial year.
Read the complete guideline here: IRDA Information and Cyber Security Guideline 2023
The IRDAI has taken a proactive step in issuing these revised guidelines to ensure that the insurance industry is well-equipped to deal with the increasing threat of cyber-attacks. It is important for all entities in the insurance industry to adhere to these guidelines and take necessary measures to protect themselves and their customers from cyber threats.
Key Highlights of IRDAI Information and Cyber Security Guidelines, 2023
- The new guidelines are aimed at improving the cybersecurity practices of insurance companies and intermediaries.
- The primary objective of the guidelines is to bolster the industry's defenses against cyber threats and enhance its governance mechanisms.
- Insurers and intermediaries are mandated to deploy suitable security controls, prepare incident response plans, and conduct frequent security audits. The guidelines stress the significance of adopting a risk-based approach to information and cyber security.
- Entities that have undergone a security audit for the fiscal year 2022-23 must ensure that they comply with the guidelines from the upcoming financial year.
One of the guidelines states that third-party entities may access an insurance company's internal systems solely for viewing purposes: they are permitted only to view products, proposals, documents, and reports, not to upload or edit any information. Another guideline specifies that entities that store an insurer's non-public data, including policyholder and investment information, should not be authorized to access the insurer's systems for the purpose of editing or maintaining such data.
By adhering to these guidelines, companies can ensure that they are taking all necessary steps to protect themselves and their customers from cyber-attacks. This includes implementing strong security measures such as firewalls and encryption, regularly updating software and systems, and training employees on cyber security best practices.
To ensure the security and confidentiality of sensitive data and to mitigate potential cyber threats, all insurance companies and intermediaries must adhere to these guidelines. An entity that has already undergone a security audit for the fiscal year 2022-23 is obligated to comply with these guidelines starting from the following financial year.
As Stephane Nappo said: "Cyber-Security is much more than a matter of IT." It is essential for all entities in the industry to take necessary measures to protect themselves and their customers from cyber threats.
In today’s digital age, cyber security is a major concern for all industries, including the insurance industry. With the increasing use of digital technologies and the growing threat of cyber-attacks, it is essential for companies to have robust cyber security measures in place. The IRDAI’s revised Information and Cyber Security Guidelines provide a framework for companies in the insurance industry to strengthen their defenses against cyber threats. It is essential for all entities in the industry to adhere to these guidelines and take necessary measures to protect themselves and their customers from cyber threats.