Recent cyber-attacks forced the formulation of the IRDAI Guidelines on Cyber Security: IRDAI (Insurance Regulatory & Development Authority of India) had to design a framework that can provide ultimate security and protection against breaches of customer data. Customer data is what the insurance industry runs on, and any breach of it would pose a threat to customers' personal data.
To formulate the cyber-security guidelines, IRDAI asked all 54 insurance companies in India to nominate their CIOs to participate in two working groups. One was for life insurers and the other was for all other insurers, including health insurers.
The suggestions/framework designed by the two groups were presented to IRDAI in January 2017 and were then compiled into cyber-security guidelines by IRDAI on April 7, 2017. Given below are a few of the key highlights:
The guidelines were applicable to all insurers. Where a customer's personal data is shared with any third party, it is the insurer's responsibility to ensure adequate protection techniques to preserve the confidentiality of that data.
IRDAI asked all insurers to appoint a suitable and experienced officer as CISO, who would be responsible for implementing all data security policies and forming the Information Security Committee (ISC).
IRDAI had asked for a gap analysis report by June 30, 2017. Gap analysis is a method of analyzing the difference between performances of existing software/applications. The report generally gives an overview of where an organization currently stands in its cyber-security plans and where it should be at present.
As per the circular, IRDAI has asked insurers to take the necessary steps to identify and resolve issues with data security and network infrastructure in order to protect sensitive data from any external or internal threat. The circular further said that insurers must ensure that their Information and Computer Technology (ICT) infrastructure is up to date.
We must say that it is the right time for insurance companies to analyze the gaps in their security framework and existing strategies. The need for a dedicated security team that can work with the other departments of the organization and address data privacy issues on a high-priority basis has already been recognized.
The regulator needs to emphasize the importance of data encryption and enhanced user authentication as part of the proposed framework and direct companies to adopt common data standards to establish a secure infrastructure, some security experts say.