The Insurance Regulatory and Development Authority of India (IRDAI) has, in a circular issued on June 13, 2023, directed all insurers to promptly report cyber security incidents.
According to the circular, insurers are required to report cyber incidents to Cert-In (Indian Computer Emergency Response Team) within six hours of noticing or being notified about such incidents. Additionally, a copy of the report should be sent to IRDAI and other relevant regulators and authorities.
The circular assumes significance as it has been observed that many insurers are not adhering to these timelines and have failed to keep the regulator informed on their communications with Cert-In.
Accordingly, IRDAI has now directed all insurers to strictly follow the reporting provisions outlined in the IRDAI Information and Cyber Security Guidelines. Insurers have been directed to submit the available details of a cyber security incident to the regulator in a prescribed format within 24 hours of the incident’s intimation.
In addition, the reporting format must be updated with the flow of information obtained from forensic analysis. As and when new information becomes available, insurers are required to submit subsequent versions of the report to the authority within 24 hours.
The IRDAI’s directive aims to enhance cyber security measures and create a more secure environment for the insurance sector, while protecting the interests of policyholders.
By enforcing these reporting guidelines, the IRDAI further seeks to ensure that insurers promptly report any incidents to the relevant authorities. Timely reporting plays a crucial role in addressing cyber threats and preventing further damage or unauthorised access to sensitive data. Prompt reporting allows for a swift response, enabling authorities to take the necessary actions to mitigate risks and prevent potential breaches.
Insurers have also been advised to familiarise themselves with the IRDAI information and cyber security guidelines and ensure strict compliance with the reporting requirements. Failure to adhere to these guidelines could result in regulatory consequences, including penalties or sanctions.
IRDAI further said that it would continue to monitor compliance by insurers.