Irdai forms committee to review security guidelines to deal with cyber-attacks

The Insurance Regulatory and Development Authority of India (Irdai) has formed a committee to review its information and security guidelines due to an exponential increase in cyber-attacks across the globe in the wake of COVID-19. The economic situation arising from the pandemic has seen an exponential increase in cyber-attacks across the globe, and in particular in the financial sector. This situation has made it necessary for regulators to re-examine the cyber security guidelines applicable to all regulated entities in an effort to protect the financial systems. Irdai had issued guidelines on cyber security in April 2017 as a part of its governance mechanism.

An Information Security Commission (ISC), a board-approved information and cyber security policy, the appointment of a chief information security officer and a cyber crisis management plan are part of its mandate. The guidelines also mandate that the insurers' risk management committee should be responsible for an annual comprehensive assurance audit, including conducting a Vulnerability Assessment & Penetration Test (VA&PT), and should report the findings to the Authority. It said, ‘In the light of cyber-attacks which the financial sector has been witnessing and in the process of having a structured reporting to analyse the issues to be addressed in a holistic manner at the industry level, it is considered necessary to review IRDAI's Information & Cyber security Guidelines.’

The review will examine whether there is a need to extend the guidelines for insurers to other entities which are regulated by IRDAI, with or without modification. It will also look at how to apply these guidelines to entities which access insurers' IT systems, and how to ensure that minimum security standards are followed by those who access insurers' IT systems but are not regulated by Irdai. It will also consider whether the guidelines need to be updated to cover cyber security issues of fintech solutions, mobile-based applications, work from remote locations and cloud sourcing, among others.

The 14-member committee is to be headed by Institute for Development and Research in Banking Technology (IDRBT) Chairman Janakiram. Other members of the committee include professionals from insurance companies, Irdai, the Data Security Council of India, IISc, IIT Mumbai and ICAI. A R Nithiyanantham, CGM-IT, Irdai, shall be the member convenor of the working group. Irdai said the committee shall submit its report in two months.