Insurers will soon have to adopt a comprehensive framework for information and cyber security.
The Insurance Regulatory and Development Authority of India (IRDAI) has readied the framework, which is likely to be finalised soon.
“Cyber security in the financial sector has gained importance, more so with the advent of technological innovations. In this connection, IRDAI has planned to come out with a comprehensive information and cyber security framework,” AR Nithiyanantham, Chief General Manager (IT), IRDAI, said in a circular to insurers.
The proposed framework will cover all layers of security such as data, applications, operating systems and network layers, besides legal aspects pertaining to cyber crimes, the official said.
According to the proposed guidelines, insurers will have to focus on stringent data security, among a host of other issues.
In view of the high consumerism, the rise of cloud computing, increased importance of business continuity, persistence of cyber crime and increased exposure to internal threats, data protection will continue to be a significant challenge, the regulator said.
“Hence, at every stage of data life-cycle, organisations shall ensure due care of security... consistency and accuracy of data entered into the system should be verified through a maker-checker process,” it said.
The audit trail of data access shall be maintained and secured to ensure the integrity of the information captured, including preservation of evidence. Retention of audit trails should be in line with business, as well as regulatory and legal requirements, the guidelines state.
Role of board
The boards of the insurers should endorse the overall approach to information security policy and strategy and information security assurance programme, including cyber security.
Every organisation should appoint/designate a suitably qualified and experienced senior level officer exclusively as Chief Information Security Officer (CISO) who will be responsible for articulating and enforcing the policies.
The new framework will be made applicable to all organisations regulated by the IRDAI, besides other entities/individuals dealing with regulated organisations.
The draft framework has been prepared by a working group of industry and technology experts formed by the regulator in October 2016.