According to the IRDAI (Insurance Regulatory and Development Authority of India), all insurance companies must safeguard sensitive information. While sharing information is essential to the business, it is equally important to have adequate protocols and procedures in place to prevent data leakage and theft. With the rapid growth of IT assets, the cyber threat landscape has expanded just as quickly. Cyber security guidelines therefore matter both for reducing the internal and external threats insurers currently face and for improving their cyber fraud prevention procedures. On October 31, 2016, guidance for developing a comprehensive information and cyber security strategy for the insurance industry was released. Later revisions were introduced with the goal of providing adequate cyber risk mitigation mechanisms.
Insurers must develop a standardized framework for implementing information and cyber security, along with a governance structure that ensures security issues are addressed on a regular basis. The main purpose is to establish common standards and procedures for everyone in the insurance business. Under these rules, anyone who wants to sell insurance online must set up a digital platform called an Insurance Self Network Platform (ISNP) and comply with all the applicable requirements.
Guidelines for Insurers on Information and Cyber Security as per IRDA/IT/GDL/MISC/082/04/2017
1. Appointment or designation of a sufficiently qualified and experienced senior-level officer as Chief Information Security Officer (CISO), responsible for formulating and enforcing policies to secure the insurer's information assets.
2. Preparation of a gap analysis report (the AS-IS state versus the requirements stated in the guidelines document).
3. Preparation of a Cyber Crisis Management Plan.
4. Finalization of the Information and Cyber Security Policy, adopted by the Board.
5. Formulation of an information and cyber security assurance programme (implementation plan/guidelines) in line with the information and cyber security policy approved by the Board of Directors.
6. Completion of the first comprehensive Information and Cyber Security assurance audit.
7. Periodic Vulnerability Assessment and Penetration Testing (VAPT) of the entire ICT infrastructure, carried out at least annually.
8. Gaps found in key applications should be closed within one month of their discovery.
9. A yearly audit should be conducted by a qualified external auditor, such as a CERT-In empanelled auditor.
10. Audit gaps should be documented and reported, and their impact on overall service delivery, usage, scope, and other factors should be considered.
Kratikal, as a CERT-In empanelled security audit firm for VAPT, can help you safeguard against such vulnerabilities in line with the IRDAI guidelines above. It assists the company by providing a range of coverage options to help protect data from breaches and other cyber security vulnerabilities.
What this compliance aims to achieve
IRDAI aims to strengthen the insurance industry while improving its transparency and its focus on protecting consumers' interests. The following are the reasons why the relevant security recommendations must be followed:
1. To protect policyholders' interests.
2. To regulate the insurance industry fairly and reduce its threat landscape.
3. To minimize losses due to cyber fraud.
The objective of compliance is to ensure that the company follows the authority's rules and bye-laws, and that it is registered in accordance with the applicable requirements.
a) A detailed security assessment report with appropriate remedial measures is produced.
b) Qualified experts carry out the assessments.
c) The compliance and certification process entails a thorough understanding of the various required documents as well as verification that they have actually been implemented.
The essential elements in preventing cyber hazards are setting standards, a common language, and best practices; tracking technological advances; and improving one's own analytical capabilities. To enable cyber insurance, data pools, insurance pools, existing policies, and new policies all need to be developed.
The key insurability issues include a lack of data, the risk of change, accumulation hazards, and the availability of risk capital, among many others.