Reference is drawn to IRDAI’s circular No: IRDA/IT/ CIR/MISC/ 216/10/2016 dated October 31, 2016 on formulation of a comprehensive Information and Cyber Security framework for Insurance Sector.

Consequently, the following sub-groups comprising of experts drawn from insurance companies were formed for arriving at a comprehensive framework for information and cyber security:

Group-1: All four layers of security (Data, Applications, Operating systems and Network layers)

Group-2: Security Audit 

Group-3: Legal aspects on Cyber Security

IRDAI issued an exposure draft containing the draft framework on 2nd March 2017. Having considered the feedback received from the stakeholders to the Exposure draft, IRDAI now issues the attached ‘Guidelines on Information and Cyber Security for insurers’ by exercising the powers vested with the Authority under Sub-section (1) of Section 14 of IRDA Act 1999.

A detailed control checklist for the effective implementation of these guidelines is enclosed vide

Annexure A 

These guidelines are applicable to all insurers. In case of intermediaries and other regulated entities with whom the policyholder information is being shared, it would be the responsibility of insurers to ensure that adequate mechanisms are put in place to ensure that the issues related to information and cyber security are addressed.

Insurers who have not completed three years from the date of commencement of business are exempted from the requirement of a full-time person appointed as Chief Information Security Officer (CISO). However, the CISO responsibility may be taken care of by any of the functionaries reporting to the Board. All other requirements stipulated in the guidelines document shall be applicable to these insurers.

Item No. Task Deadline
1 Appointment/designation of a suitably qualified and experienced Senior Level Officer exclusively as Chief Information Security Officer (CISO) and formation of Information Security Committee (ISC). 30th Apr 2017
2 Preparation of Gap Analysis report (AS-IS vs. requirements stated in the guidelines document). 30th Jun 2017
3 Formulation of Cyber Crisis Management Plan. 30th Jun 2017
4 Finalization of Board-approved Information and Cyber Security Policy. 31st Jul 2017
5 Formulation of Information and Cyber Security assurance programme (implementation plan/guidelines) in line with Board-approved Information and Cyber Security policy. 30th Sep 2017
6 Completion of the first comprehensive Information and Cyber Security assurance audit. 31st Mar 2018
Insurers are expected to take suitable steps to become fully compliant by 31st March 2018 as per the above timelines. The first audit report as stipulated under Chapter no: 23 of the guidelines shall be submitted to IRDAI by 31st March 2018.  Some of the activities stated in Sr.No. 1 – 5 above, may be carried out in parallel in order to ensure that the same are completed in the stipulated time frames.

Series Navigation<< Contact details of Surveyor Department at DelhiInformation to be submitted as part of the Annual Actuarial Valuation and related reports submission >>

Author

This entry is part 17 of 19 in the series May 2017

Byadmin

Leave a Reply

Your email address will not be published. Required fields are marked *