In the frame: the introduction of a regulatory cyber security framework for Indian insurers
The Indian insurance sector has historically been highly regulated. Despite this, until recently, there were no specific regulatory norms prescribed by the Insurance Regulatory and Development Authority of India (IRDAI) pertaining to protection of information and data received and created by insurers.
Insurers were, however, required to maintain data security and confidentiality in accordance with the provisions of the Information Technology Act 2000 and the rules made thereunder.
However, with the increase in the number, frequency and impact of cyber-attacks in India, especially in the financial sector, it has become crucial to have in place sector-specific norms to enhance data security and prevent data breaches.
Cyber Security Guidelines
In June 2016 — following the increase in large-scale, organised cyber-attacks in the banking sector — the Indian banking regulator, the Reserve Bank of India (RBI), issued a circular prescribing the cyber security framework for the scheduled commercial banks of India.
Following the footsteps of the RBI, the IRDAI announced “Guidelines on Information and Cyber Security of Insurers” (Cyber Security Guidelines) on 7 April 2017.
The Cyber Security Guidelines prescribe the regulatory framework for insurers registered in India in relation to cyber security and data protection for all information:
by insurers during the course of carrying out their designated duties and functions.
The Cyber Security Guidelines prescribe the norms with respect to:
- Cloud security
- Mobile and application security
- Network security
- Cyber security
- Platform/infrastructure security
- Information security risk management
All Indian insurers are required to formulate a Board-approved Cyber Security Policy in line with the norms prescribed under the Cyber Security Guidelines.
In this regard, insurers are also required to:
- Set up an information security management team for exclusively overseeing the implementation of cyber security and data protection norms.
- Appoint a chief information security officer, responsible for articulating and enforcing the policies to protect the information assets of the insurers.
- Effectively train and educate their officers, employees and vendors regarding the cyber security policy framed by the insurer in accordance with the provisions of the Cyber Security Guidelines.
Insurers are also required to execute service level agreements with vendors to specifically include:
- Information security requirements/controls
- Service levels
- Liability of the suppliers in case of violation/non-mitigation of information security vulnerabilities
- Information security incidents
In addition, to ensure effective implementation of the Cyber Security Guidelines, insurers are required to have an independent assurance audit conducted annually with respect to the information security governance framework of the insurer.
All insurers are required to ensure complete compliance with the Cyber Security Guidelines within one year of notification of the said guidelines.
At this juncture, the norms on cyber security under the Cyber Security Guidelines are exhaustive and may therefore result in a significant overhaul of the existing systems and processes of Indian insurers.
As regards effectiveness, if one draws a parallel with the Indian banking sector — for which the cyber security norms were issued back in June 2016 — it appears from recent press reports that, despite the implementation of the cyber security norms, banks continue to be at high risk from an information security standpoint.
Therefore, one would have to wait and watch to conclusively ascertain the effectiveness of the Cyber Security Guidelines to combat cyber security threats in the Indian insurance sector.