Guidelines on Information and Cyber Security for insurers

Reference is drawn to IRDAI’s circular No: IRDA/IT/ CIR/MISC/ 216/10/2016 dated October 31, 2016 on formulation of a comprehensive Information and Cyber Security framework for Insurance Sector.

Consequently, the following sub-groups comprising of experts drawn from insurance companies were formed for arriving at a comprehensive framework for information and cyber security:

Group-1: All four layers of security (Data, Applications, Operating systems and Network layers)

Group-2: Security Audit 

Group-3: Legal aspects on Cyber Security

IRDAI issued an exposure draft containing the draft framework on 2nd March 2017. Having considered the feedback received from the stakeholders to the Exposure draft, IRDAI now issues the attached ‘Guidelines on Information and Cyber Security for insurers’ by exercising the powers vested with the Authority under Sub-section (1) of Section 14 of IRDA Act 1999.

A detailed control checklist for the effective implementation of these guidelines is enclosed vide

Annexure A 

These guidelines are applicable to all insurers. In case of intermediaries and other regulated entities with whom the policyholder information is being shared, it would be the responsibility of insurers to ensure that adequate mechanisms are put in place to ensure that the issues related to information and cyber security are addressed.

Insurers who have not completed three years from the date of commencement of business are exempted from the requirement of a full-time person appointed as Chief Information Security Officer (CISO). However, the CISO responsibility may be taken care of by any of the functionaries reporting to the Board. All other requirements stipulated in the guidelines document shall be applicable to these insurers.