26-02-2021

IRDAI forms panel to review information and cyber security guidelines

The insurance regulator, the IRDAI, yesterday announced that it has constituted a 15-member committee to review its information and cyber security guidelines.

In a statement, the IRDAI said, “The economic situation owing to COVID-19 pandemic has seen an exponential increase in cyber attacks across the globe and in particular, the financial sector. This situation has necessitated regulators to re-look into their cyber security guidelines applicable to all regulated entities in an effort to protect the financial systems.”

To address the issues in a holistic manner at the industry level, the IRDAI says that it considers it necessary to review the guidelines on the following points:

1.    Whether to extend the applicability of the information and cyber security guidelines for insurers to other entities, which are regulated by the IRDAI, with or without modification.

2.    Whether and how to apply the guidelines to the extent applicable to entities which access insurers' IT systems.

3.    How to ascertain that minimum security standards are followed by those entities which access insurers' IT systems, though those are not regulated by IRDAI.

4.    Whether to update the guidelines to cover cyber security issues in FinTech solutions, mobile based applications, work from remote locations and cloud sourcing.

5.    To address baseline requirements for critical information infrastructures (CIIs) to sync with NCSI (National Security Council of India) guidelines.

6.    To specifically address the applicability of guidelines to foreign reinsurance branches (FRBs) which have an interface with overseas parent companies and other global reinsurers.

7.    To prepare a comprehensive audit checklist and certification model.

The new committee is to deliberate on these issues, make recommendations and submit a report in two months' time. The members of the panel are from organisations such as the Data Security Council of India, Indian Institute of Science, Indian Institute of Technology, Institute of Chartered Accountants of India, life insurers, general insurers, health insurers, and the IRDAI.

Current system

At present, the insurance industry observes the IRDAI's Guidelines on Cyber Security, issued in 2017 as a part of the governance system, which, amongst other requirements, mandate insurers to:

1.    establish an Information Security Committee (ISC)

2.    issue a board approved information and cyber security policy

3.    appoint a chief information security officer (CISO)

4.    formulate a cyber crisis management plan (CCMP)

The existing guidelines also mandate that insurers' risk management committees be responsible for an annual comprehensive assurance audit, including conducting a vulnerability assessment & penetration test (VA&PT), and report the findings to the IRDAI.

Source: Asia Insurance Review