The insurance industry has been rapidly adopting digital technologies to enhance customer experience and streamline operations. However, there has also been an increase in cyber attacks that have compromised sensitive data and caused significant financial losses to companies and their clients.
Hence, the Insurance Regulatory and Development Authority of India (IRDAI) has issued guidelines to enable the industry to strengthen its defenses and improve its governance mechanisms to deal with cyber threats.
The initial guidelines covering information and cybersecurity practices for insurers were issued in 2017. These guidelines aimed to ensure that insurers are adequately prepared to manage any cyber threat to their systems, processes, and data. The guidelines were then extended to all insurance intermediaries in 2022, including brokers, corporate agents, web aggregators, third-party administrators (TPAs), insurance marketing firms (IMFs), insurance repositories, insurance self network platform (ISNP), corporate surveyors, motor insurance service providers (MISPs), common service centres (CSCs), and the Insurance Information Bureau of India (IIB).
The revised guidelines were issued considering the widespread adoption of digital technologies and the concurrent increase in cybersecurity incidents. The new guidelines require insurers and intermediaries to take necessary measures to secure their systems and data against cyber threats. These include the implementation of appropriate security controls, incident response plans, and regular security audits.
These guidelines emphasise the importance of adopting a risk-based approach to information and cyber security, which involves identifying and assessing risks, implementing appropriate controls, and regularly monitoring and testing the effectiveness of these controls.
Let us look at a couple of guidelines to understand what they deal with.
One guideline specifies that third-party entities should only have access to an insurer's internal systems for viewing purposes, such as accessing data, proposals, and reports. They should not be able to upload or edit data but only have the ability to view products, proposals, documents, and reports.
Another guideline indicates that entities that store an insurer's non-public data related to policyholders, investments, and other such information should not have the right to access the insurer's systems to edit or maintain such data. Their role is only to store the data, not modify it, and they should not have any additional access to the insurer's systems beyond what is necessary for storing the data.
All insurers and intermediaries are required to comply with these guidelines to ensure the security and confidentiality of sensitive data and protect against potential cyber threats. Entities that have already completed a security audit for FY 2022-23 must ensure compliance with these guidelines from the next financial year. The implementation of these guidelines will go a long way in strengthening the information and cyber security posture of the insurance industry and enhancing trust and confidence among customers.