All insurers, regardless of size, complexity or lines of business, collect, store and share with various third parties (e.g., service providers, reinsurers, etc.) substantial amounts of personal and confidential policyholder information, including in some instances sensitive health-related information.
Insurance repositories, call centers, Common Service Centers etc. also have access to policyholders’ data.
While information sharing is essential for conducting business operations, it is equally essential to ensure that adequate systems and procedures are in place so that there is no leakage of information and information is shared only on a need-to-know basis.
Further, due to the rapid development of Information Technology, there are many challenges in maintaining the confidentiality of information. Technology, even though it has many advantages, brings risks with it like any other technology. With the fast growth of web-based applications, the cyber threat landscape has been growing and there is concern across all sectors. Cyber risks have grown and cyber criminals have become increasingly sophisticated. For insurers, cyber security incidents can harm the ability to conduct business, compromise the protection of personal and proprietary data, and undermine confidence in the sector. It is observed that the level of awareness of cyber threats and cyber security within the insurance sector, as well as supervisory approaches to combat the risks, appears to vary across organizations.
Information obtained from regulated entities through cybercrime may be used for financial gain through extortion, identity theft, misappropriation of intellectual property, or other criminal activities. Exposure of personal data can potentially result in severe harm for the affected policyholders, as well as reputational damage to insurance sector participants. Similarly, malicious cyber-attacks against the critical systems of an insurer or Insurance Intermediary may impede its ability to conduct business. Such security related issues have the potential to undermine public confidence and may lead to reputation risks to insurers. Hence, it is essential to ensure that a uniform framework for information and cyber security is implemented for insurers and that an in-built governance mechanism is in place within the regulated entities, in order to make sure that all such security related issues are addressed from time to time.
Vision and Objective
(i) To ensure that a Board approved Information and Cyber Security policy is in place with all insurers.
(ii) To ensure that necessary implementation procedures are laid down by insurers for Information and Cyber Security related issues.
(iii) To ensure that insurers are adequately prepared to mitigate Information and cyber security related risks.
(iv) To ensure that an in-built governance mechanism is in place for effective implementation of Information and cyber security framework.
Information Asset Management
Objective: To identify organizational assets and define appropriate protection and responsibilities. Assets associated with information and information processing facilities should be identified, and an inventory of these assets should be drawn up and maintained. The asset inventory should be accurate and up to date.
For each of the identified assets, ownership of the asset should be assigned and the classification should be identified.
The asset owner should:
1. Ensure that assets are inventoried;
2. Ensure that assets are appropriately classified and protected;
3. Define and periodically review access restrictions and classifications to important assets, taking into account applicable access control policies;
4. Ensure proper handling when the asset is deleted or destroyed.
Physical and environmental security
Objective: To prevent unauthorized physical access, damage and interference to the organization’s information and information processing facilities.
- Security perimeters should be defined and used to protect areas that contain either sensitive or critical information, and information processing facilities.
- Physical barriers should, where applicable, be built to prevent unauthorized physical access.
- Surveillance systems shall be in place and regularly monitored to cover all major areas.
- Secure areas should be protected by appropriate entry controls to ensure that only authorized personnel are allowed access.
- Access rights to secure areas should be regularly reviewed and updated, and revoked when necessary.
- Appropriate controls shall be implemented to manage calamities like fire, flood, earthquake, explosion, civil unrest and other forms of natural or man-made disaster.
- Mock drills shall be conducted periodically to test the effectiveness of the controls.
- IT equipment should be protected from power failures and other disruptions caused by failures in supporting utilities.
- Users should ensure that unattended equipment has appropriate protection.
- Secure computers or mobile devices from unauthorized use by a key lock or an equivalent control, e.g. password access, when not in use.
- A clear desk policy for papers and removable storage media and a clear screen policy for information processing facilities should be adopted.
Human resource security
Objective: To ensure that employees and contractors understand their responsibilities and are suitable for the roles for which they are considered.
Background verification checks on all candidates for employment should be carried out in accordance with relevant laws, regulations and ethics and should be proportional to the business requirements, the classification of the information to be accessed and the perceived risks.
Information security roles and responsibilities should be communicated to job candidates during the pre-employment process.
A code of conduct may be used to state the employee’s or contractor’s information security responsibilities regarding confidentiality, data protection, ethics, appropriate use of the organization’s equipment and facilities, as well as reputable practices expected by the organization.
Awareness, education and training activities should be suitable and relevant to the individual’s roles, responsibilities and skills.
There should be a formal and communicated disciplinary process in place to take action against employees who have committed an information security breach.
System acquisition, development and maintenance
Objective: To ensure that information security is an integral part of information systems across the system development life cycle.
Identification and management of information security requirements and associated processes should be integrated in the early stages of information systems projects. Early consideration of information security requirements, e.g. at the design stage, can lead to more effective and cost-efficient solutions.
Criteria for accepting products (software and solutions) should be defined, e.g. in terms of their functionality, to give assurance that the identified security requirements are met. Products should be evaluated against these criteria before acquisition.
Information Security Risk Management
Objective: To enable individuals who are responsible for target environments to identify key information risks and determine the controls required to keep those risks within acceptable limits.
Policy Procedure and Guidelines: The Organization should have a risk management program to undertake information security risk assessment for target environments (e.g. critical business environments, business processes, business applications, computer systems and networks) on a periodic basis.
Data Security
Objective: Organizations shall recognize that the efficient management of their data security is necessary to support their core functions, to comply with their statutory and regulatory obligations and to contribute to effective overall management.
Scope: Organizations need to define and implement procedures to ensure the Confidentiality, Integrity, Availability and Consistency of all data stored in different forms. These guidelines are applicable to all information/records/data created, received or maintained by all permanent and temporary employees and consultants (collectively “the employees”), third party vendors of the organization and business distributors who have access to the organization’s data, wherever these data records are and whatever form they are in, in the course of carrying out their designated duties and functions.
Application Security
Objective: To ensure that information security is an integral part of information systems across the entire lifecycle and also includes the requirements for information systems which provide services over public networks.
Platform/Infrastructure Security
Objective: Organization’s IT infrastructure including servers, applications, and network and security devices shall be configured to ensure security, reliability and stability.
Secure Configuration Documents & Periodic Assessments
The configuration shall be based on Secure Configuration Documents (SCD). The Organization shall develop baseline SCDs based on the OEM’s recommendations and industry best practices. SCDs should be prepared for at least the following components:
- Operating Systems (Servers & End points – Laptop, Desktops)
- Web Server software (Tomcat, IIS, Apache HTTP, IBM HTTP and Oracle HTTP, etc.)
- Application Server software (Weblogic, etc.)
- Database Servers (Oracle, MS-SQL, MySQL, PostgreSQL, etc.)
- Network Components (Routers, Wireless Access Points, etc.)
- Security Devices (Firewalls, VPNs, IDS, IPS, etc.)
- Wireless
SCD should be reviewed for currency on a periodic basis by the Information Security Team. The exceptions to configurations as recommended in SCDs owing to certain business requirements/limitations should be approved through a formal exception process after adequate risk assessment.
Network Security
Objective: The information transmitted across the Organization through its network shall be protected by deploying adequate network security controls.
Policy, Procedures & Guidelines:
1. Networks shall be segmented into zones/subnets based on function and possibly location. Each zone/subnet may be further segregated into separate VLANs based on business and security requirements.
2. All network devices should be hardened based on their respective secure configuration documents before being deployed in production.
3. The logical position of the firewall in the network architecture should ensure that the firewall cannot be bypassed. Defence-in-depth through placement of an IDS/IPS solution shall be implemented to further control the internet traffic passing through these networks. These solutions shall be regularly updated with current signatures/characteristics of threats.
4. Remote access to organization’s network resources over an untrusted network (Internet/Extranet) shall be integrated into the overall network security management.
5. Clocks of all relevant information processing systems within an organization or security domain shall be synchronized with an agreed accurate time source.
6. Routing controls should be implemented for networks to ensure that computer connections and information flows do not breach the access control system of the business applications.
7. There should be segregation of duties for approval and implementation of configurations for network devices.
8. Adequate redundancy should be provided for network links and network devices.
9. Logs generated by critical network devices shall be collected and analyzed to identify threats and exceptions. Network security shall be monitored through a Security Operations Centre (SOC) to provide immediate response to threats.
Cryptography & Key Management
Objective: Organization shall protect the confidentiality, authenticity and integrity of information by cryptographic means wherever necessary. The level of protection applied using cryptographic keys shall be commensurate with the sensitivity and frequency of use of the information along with the environment where it resides/used.
Policy, Procedures & Guidelines:
- General directives on keys
- Digital signatures/certificates shall be acquired from the Certificate Authority (CA) licensed by the Controller of Certifying Authorities (CCA) India.
- Accountability / responsibility for management of master keys shall be formally assigned within the organization in case of internal CA.
- Key custodians must be made aware of their role and they shall formally acknowledge their obligations in administering the security of the keys.
- Master keys for symmetric key/asymmetric key pair generation must be secured in a manner such that no one individual party is privy to the entire master key, wherever applicable.
- Keys/asymmetric key pairs shall be changed whenever a compromise occurs (or is suspected to have occurred), and whenever a party who is privy to a key/the private key component of the key pair leaves the organization or changes role. A formal process must exist to revoke symmetric keys/asymmetric key pairs in a timely and effective manner. Revoked keys shall be destroyed.
- Key backup process shall enable key recovery, but should not compromise key confidentiality and integrity. Request for recovery of keys/key pairs shall be made via a formal process that includes approval from competent authority.
Security Logging & Monitoring
Objective: Organizations shall establish logging and monitoring capabilities to detect security events in a timely manner.
Policy, Procedures & Guidelines
- Logging & Monitoring
- Security logs shall be enabled on all critical information assets. A centralized approach to logging & monitoring (SOC set up) should be implemented.
- Security Logs generated by different systems and devices shall be collected such that linking (correlating) events generated across these systems and devices is possible and should be maintained for a minimum period of six months and meet other specific regulatory stipulations as applicable.
- Security logs shall be made available to the Law enforcement agencies, IRDAI and Cert-Fin as and when required.
- Logging shall be enabled to track critical system activities which shall include:
- User account management
- Privileged user activities
- Changes in OS configuration
- Multiple authentication failures/simultaneous logins
- Access to audit trail
- All information systems including application, operating system, database, network and security devices shall maintain time synchronization with a standard time device/ server (NTP) to provide an accurate and traceable record of logged events.
- Log Retention schedule should be compliant with Organization’s record retention policy. All the logs and logging facilities should be protected against tampering and unauthorized access.
- Monitoring reports should be published based on the management requirements. Periodic review of logs and monitoring reports for adequacy and contents should be performed.
- Incidents reported should be closed within defined timelines.
Incident Management
Objective: To ensure information security and cyber security events and weaknesses associated with the information systems are communicated and corrective actions are taken in a timely manner.
i. Policy, Procedures and Guidelines for information security and cyber security incident management shall be prepared and implemented to discover, record, respond to, escalate and prevent information security events and weaknesses effectively.
ii. There should be a system in place to ensure information security events and weaknesses associated with the information assets are communicated and corrective actions are taken in a timely manner.
iii. An incident management process shall be established, documented, implemented and maintained by the organization. It shall include security Incident and weakness identification, reporting, recording, analysis, response, recovery and mitigation procedures. Roles and responsibilities of all the stakeholders of the incident management process shall be defined.
iv. Incident management team shall be established to take all incident related decisions. A communication channel shall be set up with internal parties and external organizations (e.g., regulator, media, law enforcement, customers).
v. Monitoring system should be in place so that proactive action is taken to avoid security incidents and malfunctions.
vi. The Information security and Cyber security incident classification criteria shall be documented. Security incidents shall be classified based on the criticality and severity.
vii. A process to assess the root cause of the incident and identifying the corrective and preventive measures shall be defined.
viii. For incidents and cyber crises, a comprehensive cyber security response plan needs to be developed and referred to.
ix. CERT-In/NCIIPC guidance may be referred to by the organizations while formulating the CCMP.
Endpoint Security
Policy, Procedures & Guidelines: Policy, Standards, Procedures and Guidelines shall be developed to address the threats to endpoints in information system infrastructure and to prevent unauthorized access to endpoints.
Objective:
1. To ensure that the endpoint has an updated (patched) operating system and anti-virus software has the latest virus definitions, etc.
2. To ensure system configurations are accurate and do not compromise the security requirements.
3. To prevent unauthorized external users and network traffic from gaining access to the network.
4. To prevent unauthorized devices and other portable storage devices connecting to the endpoint.
5. To prevent/detect any unauthorized software on the endpoints.
Virtualization
Objective: To ensure protection of information during use of virtual environments within the IT infrastructure of the company.
Policy, Procedures & Guidelines: Approved Policy, Procedures & Guidelines for Virtualization of the systems shall be in place, which will detail, at least, the following:
- Centralized administration of virtualized systems
- Provisioning and allocation of resources between different systems on a virtualized machine
- Securing information residing in the host and virtualized machines
Cloud Security
Objective: To ensure that information processed, transmitted and stored on the cloud architecture is secure.
Policy, Procedures & Guidelines: Policy, Procedures & Guidelines shall be framed to provide direction on the type of information to be hosted, its criticality and the level of security controls to be adopted, on cloud or on any external hosting infrastructure:
1. With reference to the electronic maintenance of core business records, records shall be hosted within India.
2. The selection of the cloud hosting model shall depend on the criticality of the information being hosted.
3. Wherever application/data/system hosting in a cloud is considered inevitable for commercial, business, regulatory, legal or other reasons, approvals should be obtained by the organization from its respective senior management.
4. Business justification for considering the necessity to host the data and system in the Cloud, and classification of the data to be hosted on the Cloud, viz. Secret/Highly Confidential, Confidential, Public, Internal, etc.
It should cover:
- Security Control measures to be implemented by Cloud service provider/ Application Service Provider/Any Third-Party/Company for guarding against Data leakage / Data corruption /Security breach etc. as well as control measures in place to prevent, detect and react to breaches including data leakage
- Due diligence process for selecting a suitable service provider
Mobile Security
Objective: To ensure the security of information assets while tele-working and using the mobile devices by implementation of appropriate security measures to manage the risks associated with the usage of mobile computing devices and communication facilities.
The Policy, Procedures and Guidelines shall cover:
1. Security measures for the organization’s information processed using BYOD (Bring Your Own Device) and tele-working sites.
2. All employees, interns and externals using devices falling into the category “mobile devices” such as mobile phones, smart phones, portable devices, etc. shall acknowledge the security policy and the associated procedures & guidelines before they are allowed to use an organization’s network using mobile devices.
Information System Audit
- Eligibility & Selection of Auditor: Independent Assurance Audit shall be carried out by qualified external systems auditors holding certifications like CISA/DISA, or by CERT-In empanelled auditors.
- Scope/Type Audit:
- Scope of Audit shall include controls defined as per the annexure enclosed with this document.
- Annual IS Audits should also cover branches on sample basis, with focus on large and medium branches, in critical areas like password controls, control of user ids, operating system security, antimalware controls, maker-checker controls, Identity & Access management, physical security, review of exception reports/audit trails, BCP policy and testing etc. This Assurance Audit shall be driven by the Information Security Team.
- Frequency:
Audit shall be carried out for every financial year.
- Executing IS Audit:
During audit, auditors should obtain evidence, perform test procedures, appropriately document the findings, and conclude a report.
- Reporting and Follow-up actions:
1. There should be proper reporting of the findings of the auditors. For this purpose, each Organization should prepare a structured format.
2. The major deficiencies/aberrations noticed during audit should be highlighted in a special note and given immediately to the ISC and IT Department.
3. Minor irregularities pointed out by the auditors are to be rectified immediately.
4. Follow-up action on the audit reports should be given high priority and rectification should be done without any loss of time.
5. Audit reports need to be presented to the Risk Management Committee of the Board.
6. A copy of the executive summary of the Audit report, along with the action taken note, should be submitted to IRDAI within 30 days of completion of the Audit.
Legal References on Information and Cyber Security
This section may provide the organizations a broad idea about various statutory provisions available for Information and Cyber Security. An attempt has been made here to consolidate various legal provisions available on Information Technology, Cyber Security and Information Security for reference. The Organizations are requested to refer to the relevant Act/regulation/rules/Amendments for updates/latest provisions.