The Insurance Regulatory and Development Authority of India (Irdai) has set up a standing committee on cyber security to consistently assess the risks associated with both current and emerging technologies in the sector.
The committee has been formed in response to the issuance of the information and cyber security guidelines in April this year and is tasked with recommending necessary enhancements to the framework in order to bolster the cyber security preparedness and resilience of the insurance sector.
With more processes go online, cyber security has emerged as a big threat in the insurance sector, which is embracing newer technologies.
Irdai said in a statement: “Further, the committee will consider the suggestions received from the regulated entities in implementation of Irdai Information and Cyber Security guidelines for suggesting appropriate changes in the current framework.”
The cyber security regulations require insurers and intermediaries to embrace a risk-centric approach and implement essential safeguards to protect their systems and data from cyber threats. This encompasses tasks, such as recognising and evaluating risks, putting in place suitable security measures, developing contingency plans for handling incidents, and conducting routine security audits.
The 10-member committee comprises technology experts from the field of academia, industry professionals, and delegates from the insurance brokerage sector. Additional external members may be invited to join the committee as needed. The committee will be headed by P.S. Jagannatham, CGM, GA &HR, as chairperson, with Deenak Gaikwad, general manager, CISO as convenor. The other members of the committee are: Professor Sandeep K Shukla, IIT Kanpur; Ashutos Sanuguna, scientist, MoMHA; R Sheshadri, chief manager, CISO, NIACL; Murl Nambiar, DISO, SBI; Shradha Vyas, CISO, Munich Re - India Branch; Steve D’Souza, Meatio, ICICI Lombard General Insurance; Kalpesh Bharat Doshi, CISO, HDFC Life Insurance; and Sumit Bohra, president, Insurance Brokers Association of India.
Previously, in a circular dated June 2023, Irdai had instructed all regulated entities to promptly report any incident of cybersecurity breach.
According to the guidelines, regulated entities must report cybersecurity incidents to Cert-In (Indian Computer Emergency Response Team) within six hours of becoming aware of such incidents, whether through detection or notification. Additionally, they are required to share a copy of this report with Irdai and other relevant regulatory bodies.
However, it has come to Irdai’s notice that several regulated entities are not adhering to these timelines and are failing to keep it informed about their interactions with Cert-In. To address this concern, Irdai has now mandated that all regulated entities strictly adhere to the reporting provisions outlined in its Information and Cyber Security guidelines.
These entities must furnish available details of a cybersecurity incident to the authority in a specified format within 24 hours of being informed about the incident. Furthermore, the reporting format should be updated as additional information is obtained through forensic analysis. Whenever new information becomes accessible, regulated entities must submit updated versions of the report to the authority within 24 hours.
The new circular further underscores the importance of timely reporting and compliance with Irdai’s information and cyber security guidelines.