Insurers collect, store, and share data with multiple third parties (e.g., service providers, reinsurers) and aggregate substantial amounts of personal and confidential policyholder information. Intermediaries and data repositories such as call centers have access to policyholders' personal data and sensitive health information. This information must be shared strictly on a need-to-know basis, with controls in place to prevent leakage. Exposure of personal data can cause severe harm to policyholders as well as reputational damage to the insurer.
Hence the Insurance Regulatory and Development Authority of India (IRDAI) formulated a dedicated framework for information and cyber security for insurers, with an in-built governance mechanism through which regulated entities address security issues on an ongoing basis.
Key Objectives of the IRDA Cybersecurity framework
To ensure that a Board approved Information and Cyber Security policy is in place with all insurers.
To ensure that necessary implementation procedures are laid down by insurers for Information and Cyber Security related issues.
To ensure that insurers are adequately prepared to mitigate Information and cyber security related risks.
To ensure that an in-built governance mechanism is in place for effective implementation of the Information and cyber security framework (Cyber Crisis Management Plan).
The guidelines apply to all insurers regulated by IRDA and to all data created, received, or maintained by insurers in the course of carrying out their designated duties and functions, wherever those data records reside and in whatever form they are held.
For more details, read the following document:
https://www.aicofindia.com/AICEng/General_Documents/Notices And Tenders/IRDAI-GUIDELINES.pdf
The guidelines mandate that the insurer's Risk Management Committee is responsible for an annual comprehensive assurance audit, including the conduct of a Vulnerability Assessment and Penetration Test (VAPT), and must report the findings to IRDA.
As a CERT-IN empanelled body, QRC helps you understand, manage, and comply with IRDA's cyber security requirements as published in IRDA's guidelines on information and cyber security for insurers.
The IRDA Cybersecurity Audit is conducted as an in-depth technical assessment covering the information security process and the applicability of cyber security controls. The following sub-groups, comprising experts drawn from insurance companies, were formed to arrive at a comprehensive framework for information and cyber security: