Reference is drawn to IRDAI’s circular No: IRDA/IT/ CIR/MISC/ 216/10/2016 dated October 31, 2016 on formulation of a comprehensive Information and Cyber Security framework for Insurance Sector.
Consequently, the following sub-groups comprising of experts drawn from insurance companies were formed for arriving at a comprehensive framework for information and cyber security:
Group-1: All four layers of security (Data, Applications, Operating systems and Network layers)
Group-2: Security Audit
Group-3: Legal aspects on Cyber Security
IRDAI issued an exposure draft containing the draft framework on 2nd March 2017. Having considered the feedback received from the stakeholders to the Exposure draft, IRDAI now issues the attached ‘Guidelines on Information and Cyber Security for insurers’ by exercising the powers vested with the Authority under Sub-section (1) of Section 14 of IRDA Act 1999.
A detailed control checklist for the effective implementation of these guidelines is enclosed vide
Annexure A
These guidelines are applicable to all insurers. In case of intermediaries and other regulated entities with whom the policyholder information is being shared, it would be the responsibility of insurers to ensure that adequate mechanisms are put in place to ensure that the issues related to information and cyber security are addressed.
Insurers who have not completed three years from the date of commencement of business are exempted from the requirement of a full-time person appointed as Chief Information Security Officer (CISO). However, the CISO responsibility may be taken care of by any of the functionaries reporting to the Board. All other requirements stipulated in the guidelines document shall be applicable to these insurers.
Item No. | Task | Deadline |
---|---|---|
1 | Appointment/designation of a suitably qualified and experienced Senior Level Officer exclusively as Chief Information Security Officer (CISO) and formation of Information Security Committee (ISC). | 30th Apr 2017 |
2 | Preparation of Gap Analysis report (AS-IS vs. requirements stated in the guidelines document). | 30th Jun 2017 |
3 | Formulation of Cyber Crisis Management Plan. | 30th Jun 2017 |
4 | Finalization of Board-approved Information and Cyber Security Policy. | 31st Jul 2017 |
5 | Formulation of Information and Cyber Security assurance programme (implementation plan/guidelines) in line with Board-approved Information and Cyber Security policy. | 30th Sep 2017 |
6 | Completion of the first comprehensive Information and Cyber Security assurance audit. | 31st Mar 2018 |