All insurers, regardless of size, complexity or lines of business, collect, store and share with various third parties (e.g. service providers, reinsurers) substantial amounts of personal and confidential policyholder information, including in some instances sensitive health-related information.
Insurance repositories, call centers, Common Service Centers etc. also have access to policyholders’ data.
While information sharing is essential for conducting business operations, it is equally essential to ensure that adequate systems and procedures are in place to ensure that there is no leakage of information and that information is shared only on a need-to-know basis.
Further, due to the rapid development of Information Technology, there are many challenges in maintaining the confidentiality of information. Although the technology has many advantages, it brings risks with it like any other technology. With the fast growth of web-based applications, the cyber threat landscape has been expanding and there is concern across all sectors. Cyber risks have grown and cyber criminals have become increasingly sophisticated. For insurers, cyber security incidents can harm the ability to conduct business, compromise the protection of personal and proprietary data, and undermine confidence in the sector. It is observed that the level of awareness of cyber threats and cyber security within the insurance sector, as well as supervisory approaches to combat the risks, vary across organizations.
Information obtained from regulated entities through cyber-crime may be used for financial gain through extortion, identity theft, misappropriation of intellectual property, or other criminal activities. Exposure of personal data can potentially result in severe harm to the affected policyholders, as well as reputational damage to insurance sector participants. Similarly, malicious cyber-attacks against the critical systems of an insurer or Insurance Intermediary may impede their ability to conduct business.
Such security related issues have the potential to undermine public confidence and may lead to reputation risks for insurers. Hence, it is essential to ensure that a uniform framework for information and cyber security is implemented for insurers and that an in-built governance mechanism is in place within the regulated entities, in order to make sure that all such security related issues are addressed from time to time.
Vision and Objective
(i) To ensure that a Board approved Information and Cyber Security policy is in place with all insurers.
(ii) To ensure that necessary implementation procedures are laid down by insurers for Information and Cyber Security related issues.
(iii) To ensure that insurers are adequately prepared to mitigate Information and cyber security related risks.
(iv) To ensure that an in-built governance mechanism is in place for effective implementation of the Information and cyber security framework.
Information Asset Management
Objective: To identify organizational assets and define appropriate protection and responsibilities. Assets associated with information and information processing facilities should be identified, and an inventory of these assets should be drawn up and maintained. The asset inventory should be accurate and up to date.
For each of the identified assets, ownership of the asset should be assigned and the classification should be identified.
The asset owner should:
a. Ensure that assets are inventoried;
b. Ensure that assets are appropriately classified and protected;
c. Define and periodically review access restrictions and classifications to important assets, taking into account applicable access control policies;
d. Ensure proper handling when the asset is deleted or destroyed.
All employees and external party users should return all of the organizational assets in their possession upon termination of their employment, contract or agreement.
The termination process should be formalized to include the return of all previously issued physical and electronic assets owned by or entrusted to the organization.
In cases where an employee or external party user purchases the organization’s equipment or uses their own personal equipment, procedures should be followed to ensure that all relevant information is transferred to the organization and securely erased from the equipment.
An appropriate set of procedures for information labeling should be developed and implemented in accordance with the information classification scheme adopted by the organization.
Media should be disposed of securely when no longer required, using formal procedures.
Guidelines on Information and Cyber Security for Insurers
Physical and environmental security
Objective: To prevent unauthorized physical access, damage and interference to the organization’s information and information processing facilities.
- Security perimeters should be defined and used to protect areas that contain either sensitive or critical information, and information processing facilities.
- Physical barriers should, where applicable, be built to prevent unauthorized physical access.
- Surveillance systems shall be in place and regularly monitored to cover all major areas.
- Secure areas should be protected by appropriate entry controls to ensure that only authorized personnel are allowed access.
- Access rights to secure areas should be regularly reviewed and updated, and revoked when necessary.
- Appropriate controls shall be implemented to manage calamities like fire, flood, earthquake, explosion, civil unrest and other forms of natural or man-made disaster.
- Mock drills shall be conducted periodically to test the effectiveness of the controls.
- IT equipment should be protected from power failures and other disruptions caused by failures in supporting utilities.
- Users should ensure that unattended equipment has appropriate protection.
- Secure computers or mobile devices from unauthorized use by a key lock or an equivalent control, e.g. password access, when not in use.
- A clear desk policy for papers and removable storage media and a clear screen policy for information processing facilities should be adopted.
Human resource security
Objective: To ensure that employees and contractors understand their responsibilities and are suitable for the roles for which they are considered.
Background verification checks on all candidates for employment should be carried out in accordance with relevant laws, regulations and ethics and should be proportional to the business requirements, the classification of the information to be accessed and the perceived risks.
Information security roles and responsibilities should be communicated to job candidates during the pre-employment process.
A code of conduct may be used to state the employee’s or contractor’s information security responsibilities regarding confidentiality, data protection, ethics, appropriate use of the organization’s equipment and facilities, as well as reputable practices expected by the organization.
Awareness, education and training activities should be suitable and relevant to the individual’s roles, responsibilities and skills.
There should be a formal and communicated disciplinary process in place to take action against employees who have committed an information security breach.
System acquisition, development and maintenance
Objective: To ensure that information security is an integral part of information systems across the system development lifecycle.
Identification and management of information security requirements and associated processes should be integrated in the early stages of information systems projects. Early consideration of information security requirements, e.g. at the design stage, can lead to more effective and cost-efficient solutions.
Criteria for accepting products (software and solutions) should be defined, e.g. in terms of their functionality, so as to give assurance that the identified security requirements are met. Products should be evaluated against these criteria before acquisition.
Information Security Risk Management
Objective: To enable individuals who are responsible for target environments to identify key information risks and determine the controls required to keep those risks within acceptable limits.
Policy, Procedures & Guidelines: The Organization should have a risk management program to undertake information security risk assessment for target environments (e.g. critical business environments, business processes, business applications, computer systems and networks) on a periodic basis.
Objective: Organizations shall recognize that the efficient management of their data security is necessary to support their core functions, to comply with their statutory and regulatory obligations and to contribute to effective overall management.
Scope: Organizations need to define and implement procedures to ensure the Confidentiality, Integrity, Availability and Consistency of all data stored in different forms. These guidelines are applicable to all information/records/data created, received or maintained by all permanent and temporary employees and consultants (collectively "the employees"), third party vendors of the organization and business distributors who have access to the organization's data, wherever these data records are located and whatever form they are in, in the course of carrying out their designated duties and functions.
Objective: To ensure that information security is an integral part of information systems across the entire lifecycle and also includes the requirements for information systems which provide services over public networks.
- Each application shall have an owner
Some of the roles of application/business owners shall include:
a) Prioritizing any changes to be made to the application and authorizing the changes
b) Deciding on data classification/de-classification and archival/purging procedures for the data pertaining to an application as per relevant policies/regulatory/statutory requirements in agreement with business owners
c) Ensuring that adequate controls are built into the application through active involvement in the application design, development, testing and change process
d) Ensuring that the Change Management process is followed for any changes in the application
e) Ensuring that the application meets the business/functional needs of the users
f) Ensuring that the security of the application has been reviewed
g) Taking decisions on any new applications to be acquired / developed or any old applications to be discarded
h) Informing the information security team regarding purchase of an application and assessing the application based on the security policy requirements
i) Ensuring that the new applications being purchased/developed follow the Information Security policy
j) Ensuring that logs or audit trails, as required, are enabled and monitored for the applications. Logs should at least meet who-when-what-where criteria based on criticality.
k) Maintaining last login details for all internet portal applications
l) Ensuring that reviews of access and roles are conducted periodically
Objective: Organization’s IT infrastructure including servers, applications, and network and security devices shall be configured to ensure security, reliability and stability.
- Secure Configuration Documents & Periodic Assessments
The configuration shall be based on Secure Configuration Documents (SCDs). The Organization shall develop baseline SCDs based on OEMs' recommendations and industry best practices. SCDs should be prepared for the following components, among others:
- Operating Systems (Servers & End points – Laptop, Desktops)
- Web Server software (Tomcat, IIS, Apache HTTP, IBM HTTP and Oracle HTTP, etc.)
- Application Server software (Weblogic, etc.)
- Database Servers (Oracle, MS-SQL, MySQL, PostgreSQL, etc.)
- Network Components (Routers, Wireless Access Points, etc.)
- Security Devices (Firewalls, VPNs, IDS, IPS, etc.)
SCDs should be reviewed for currency on a periodic basis by the Information Security Team. Exceptions to the configurations recommended in SCDs, owing to certain business requirements or limitations, should be approved through a formal exception process after adequate risk assessment.
The IT infrastructure should be subject to configuration review (vulnerability assessment/penetration tests) against defined SCDs on a periodic basis.
Regular scheduled assessments, such as internal and external vulnerability scans should be conducted for the IT Infrastructure including but not limited to software, applications, server, network, database, operating system, wireless devices, and other network equipment.
Frequency of conducting vulnerability assessment shall depend upon the criticality of the Information Asset (application, software, database, operating system, network devices and wireless networks). All Internet facing applications shall undergo vulnerability assessments before deployment in the production environment.
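One way to carry out the configuration review against an SCD described above, written as an added example (not code from the guideline or any insurer): a constructed baseline for a web-server component is compared with a constructed capture of a host's running configuration, and a deviation is accepted only when it is covered by a record from the formal exception process. The exception register, the placeholder reference ids and the assumption that each exception carries a review-by date are the example's own.

```python
# Configuration review of one component against its Secure Configuration
# Document (SCD), honouring only exceptions granted through the formal
# exception process and still within their review date. Added example: the
# baseline, the captured configuration and the exception register are constructed.
from dataclasses import dataclass
from datetime import date

# Constructed SCD for a web-server component: setting -> required value.
# Comparison is exact-match; a real SCD would also express "at least" requirements.
SCD_WEB_SERVER = {
    "tls_min_version": "1.2",
    "directory_listing": "off",
    "server_banner": "off",
    "admin_interface_bind": "127.0.0.1",
    "session_timeout_minutes": "15",
}

# Constructed capture of the running configuration of host "web01".
CAPTURED_WEB01 = {
    "tls_min_version": "1.0",           # weaker than baseline, no exception
    "directory_listing": "off",
    "server_banner": "on",              # deviates, but formally excepted
    "admin_interface_bind": "0.0.0.0",  # an exception exists but has lapsed
    # session_timeout_minutes is not set at all
}

@dataclass(frozen=True)
class ApprovedException:
    setting: str
    approved_value: str
    reference: str   # placeholder id of the exception / risk-assessment record
    review_by: date  # assumption: exceptions are time-bound and re-assessed

EXCEPTIONS_WEB01 = [
    ApprovedException("server_banner", "on", "EXC-PLACEHOLDER-1", date(2025, 12, 31)),
    ApprovedException("admin_interface_bind", "0.0.0.0", "EXC-PLACEHOLDER-2", date(2023, 6, 30)),
]

@dataclass(frozen=True)
class Finding:
    setting: str
    expected: str
    actual: str
    status: str   # compliant | deviation | excepted | expired_exception | missing

def review_configuration(scd, captured, exceptions, today):
    """Compare every SCD setting with the captured value (exact match)."""
    by_setting = {e.setting: e for e in exceptions}
    findings = []
    for setting, required in scd.items():
        if setting not in captured:
            findings.append(Finding(setting, required, "<not set>", "missing"))
            continue
        actual = captured[setting]
        if actual == required:
            status = "compliant"
        else:
            exc = by_setting.get(setting)
            if exc is None or exc.approved_value != actual:
                status = "deviation"           # no approval covers this value
            elif exc.review_by < today:
                status = "expired_exception"   # approval lapsed; re-assess the risk
            else:
                status = "excepted"
        findings.append(Finding(setting, required, actual, status))
    return findings

def needs_action(findings):
    """Findings the Information Security Team must drive to closure."""
    return [f for f in findings if f.status in ("deviation", "expired_exception", "missing")]

if __name__ == "__main__":
    for f in review_configuration(SCD_WEB_SERVER, CAPTURED_WEB01, EXCEPTIONS_WEB01, date(2024, 3, 4)):
        print(f"{f.setting:26} expected={f.expected:10} actual={f.actual:10} {f.status}")
```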
Objective: The information transmitted across the Organization through its network shall be protected by deploying adequate network security controls.
Policy, Procedures & Guidelines:
a. The network shall be segmented into zones/subnets based on function and possibly location. Each zone/subnet may be further segregated into separate VLANs based on business and security requirements.
b. All network devices should be hardened based on their respective secure configuration documents before being deployed in production.
c. The logical position of the firewall in the network architecture should ensure that the firewall is not bypassed. Defence in depth through placement of an IDS/IPS solution shall be implemented to further control the internet traffic passing through these networks. These solutions shall be regularly updated with current signatures/characteristics of threats.
d. Remote access to organization’s network resources over an un-trusted network (Internet/Extranet) shall be integrated into the overall network security management.
e. Clocks of all relevant information processing systems within an organization or security domain shall be synchronized with an agreed accurate time source.
f. Routing controls should be implemented for networks to ensure that computer connections and information flows do not breach the access control system of the business applications.
g. There should be segregation of duties for approval and implementation of configurations for network devices.
h. Adequate redundancy should be provided for network links and network devices. Redundant network links and devices should have the same level of security as the primary links. All single points of failure within the organization network shall be identified and the risks in such a design shall be assessed. Where possible, failover technologies shall be in place to address network failure. The network diagram (including the wireless network) shall be documented and kept up to date.
i. Logs generated by critical network devices shall be collected and analyzed to identify threats and exceptions. Network security shall be monitored through a Security Operations Centre (SOC) to provide immediate response to threats.
Cryptography & Key Management
Objective: Organization shall protect the confidentiality, authenticity and integrity of information by cryptographic means wherever necessary. The level of protection applied using cryptographic keys shall be commensurate with the sensitivity and frequency of use of the information along with the environment where it resides/used.
Policy, Procedures & Guidelines:
- General directives on keys
a. Digital signatures/certificates shall be acquired from a Certificate Authority (CA) licensed by the Controller of Certifying Authorities (CCA), India.
b. Accountability / responsibility for management of master keys shall be formally assigned within the organization in case of internal CA.
c. Key custodians must be made aware of their role and they shall formally acknowledge their obligations in administering the security of the keys.
d. Master keys for symmetric key/asymmetric key pair generation must be secured in a manner such that no one individual party is privy to the entire master key, wherever
f. Keys/asymmetric key pairs shall be changed whenever a compromise occurs (or thought to occur), and whenever a party who is privy to a key/the private key component of the key pair, leaves the organization or changes role. A formal process must exist to revoke symmetric keys/asymmetric key pairs in a timely and effective manner. Revoked keys shall be destroyed.
g. Key backup process shall enable key recovery, but should not compromise key confidentiality and integrity. Request for recovery of keys/key pairs shall be made via a formal process that includes approval from competent authority.
- Retention of electronic keys
a) Data encryption keys – symmetric/asymmetric keys used for encryption shall be available as long as any information protected (encrypted) by the keys needs to be decrypted.
b) Digital certificate verification – a public key shall be available as long as any information signed with the associated private key is maintained.
c) Master key used to derive other keys – master keys shall be available as long as there is a requirement to recreate derived keys in the future.
d) Keys used to generate hash values – keys used to generate hash values shall be available as long as there is a requirement to prove or disprove the validity of a previously generated hash value.
Security Logging & Monitoring
Objective: Organizations shall establish logging and monitoring capabilities to detect security events in a timely manner.
Policy, Procedures & Guidelines
- Logging & Monitoring
a. Security logs shall be enabled on all critical information assets. A centralized approach to logging & monitoring (SOC set up) should be implemented.
b. Security logs generated by different systems and devices shall be collected such that linking (correlating) events generated across these systems and devices is possible, and should be maintained for a minimum period of six months and meet other specific regulatory stipulations as applicable.
c. Security logs shall be made available to the Law enforcement agencies, IRDAI and Cert-Fin as and when required.
d. Logging shall be enabled to track critical system activities which shall include:
- User account management
- Privileged user activities
- Changes in OS configuration
- Multiple authentication failures/simultaneous logins
- Access to audit trail
e. All information systems including application, operating system, database, network and security devices shall maintain time synchronization with a standard time device/ server (NTP) to provide an accurate and traceable record of logged events.
f. Log Retention schedule should be compliant with Organization’s record retention policy. All the logs and logging facilities should be protected against tampering and unauthorized access.
g. Monitoring reports should be published based on the management requirements. Periodic review of logs and monitoring reports for adequacy and contents should be performed.
h. Incidents reported should be closed within defined timelines.
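An added example (not code from the guideline) of what items b, d and e above amount to in practice: security records from two systems with different field names and different clock settings are normalised to one UTC timeline so they can be correlated, each record is checked against the who-when-what-where criterion, and two of the activities listed under d are flagged: multiple authentication failures and simultaneous logins. All log lines, field names, hosts and addresses are constructed sample data.

```python
# Normalising security logs from two systems into one UTC timeline, checking the
# who-when-what-where criterion, and flagging multiple authentication failures and
# simultaneous logins. Added example; all log lines and field names are constructed.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed logs. The portal stamps local time (+05:30); the database host
# stamps UTC. Without clock normalisation the two cannot be ordered together.
PORTAL_LOG = """\
2024-03-04T09:00:05+05:30 event=login_failure user=agent17 src=203.0.113.10
2024-03-04T09:00:09+05:30 event=login_failure user=agent17 src=203.0.113.10
2024-03-04T09:00:14+05:30 event=login_failure user=agent17 src=203.0.113.10
2024-03-04T09:00:20+05:30 event=login_failure user=agent17 src=203.0.113.10
2024-03-04T09:00:31+05:30 event=login_success user=agent17 src=203.0.113.10
2024-03-04T09:02:00+05:30 event=login_success user=agent17 src=198.51.100.7
2024-03-04T09:03:10+05:30 event=password_change user=agent17
2024-03-04T09:05:00+05:30 event=logout user=agent17 src=203.0.113.10
"""
OS_LOG = """\
2024-03-04T03:30:50+00:00 host=db01 acct=dbadmin action=ssh_login_accepted peer=10.0.5.4
2024-03-04T03:31:40+00:00 host=db01 acct=dbadmin action=privileged_command cmd=/usr/sbin/visudo
"""

@dataclass(frozen=True)
class Event:
    who: Optional[str]
    when: datetime            # normalised to UTC
    what: Optional[str]
    where: Optional[str]
    source: str               # which system produced the record

def parse_kv(line):
    """Split '<iso-timestamp> k=v k=v ...' into an aware UTC datetime and a dict."""
    ts, _, rest = line.partition(" ")
    fields = dict(tok.split("=", 1) for tok in rest.split())
    return datetime.fromisoformat(ts).astimezone(timezone.utc), fields

def normalise(text, source):
    """Map each system's own field names onto the common who/what/where schema."""
    events = []
    for line in text.splitlines():
        when, f = parse_kv(line)
        if source == "portal":
            events.append(Event(f.get("user"), when, f.get("event"), f.get("src"), source))
        else:
            events.append(Event(f.get("acct"), when, f.get("action"), f.get("host"), source))
    return events

def timeline(*event_lists):
    """Merged, time-ordered view across systems: the basis for correlation."""
    return sorted([e for lst in event_lists for e in lst], key=lambda e: e.when)

def incomplete(events):
    """Records that fail the who-when-what-where criterion ('when' is always set)."""
    return [e for e in events if None in (e.who, e.what, e.where)]

def failed_login_bursts(events, threshold=3, window=timedelta(minutes=1)):
    """Accounts with at least `threshold` failures inside a sliding time window."""
    flagged, recent = set(), {}
    for e in sorted(events, key=lambda e: e.when):
        if e.what != "login_failure" or e.who is None:
            continue
        times = [t for t in recent.get(e.who, []) if e.when - t <= window] + [e.when]
        recent[e.who] = times
        if len(times) >= threshold:
            flagged.add(e.who)
    return flagged

def simultaneous_logins(events):
    """(who, open_session_src, new_src) whenever a user logs in while a session
    from a different source address is still open."""
    active, hits = {}, []
    for e in sorted(events, key=lambda e: e.when):
        if e.what == "login_success":
            open_srcs = active.setdefault(e.who, set())
            hits.extend((e.who, s, e.where) for s in sorted(open_srcs - {e.where}))
            open_srcs.add(e.where)
        elif e.what == "logout":
            active.get(e.who, set()).discard(e.where)
    return hits
```

The merged timeline places the database host's privileged command between the portal's login events only because both sides were first converted to one clock, which is the point of item e.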
Objective: To ensure information security and cyber security events and weaknesses associated with the information systems are communicated and corrective actions are taken in a timely manner.
i. Policy, Procedures and Guidelines for information security and cyber security incident management shall be prepared and implemented to discover, record, respond to, escalate and prevent information security events and weaknesses effectively.
ii. There should be a system in place to ensure information security events and weaknesses associated with the information assets are communicated and corrective actions are taken in a timely manner.
iii. An incident management process shall be established, documented, implemented and maintained by the organization. It shall include security Incident and weakness identification, reporting, recording, analysis, response, recovery and mitigation procedures. Roles and responsibilities of all the stakeholders of the incident management process shall be defined.
iv. An incident management team shall be established to take all incident related decisions. A communication channel shall be set up with internal parties and external organizations (e.g. regulator, media, law enforcement, customers).
v. Monitoring system should be in place so that proactive action is taken to avoid security incidents and malfunctions.
vi. The Information security and Cyber security incident classification criteria shall be documented. Security incidents shall be classified based on the criticality and severity.
vii. A process to assess the root cause of the incident and identifying the corrective and preventive measures shall be defined.
viii. For incidents and cyber crises, a comprehensive cyber security response plan needs to be developed and referred to.
ix. For incidents and cyber crises, a comprehensive cyber crisis management plan (CCMP) needs to be developed and referred to. The Organization will need to take effective measures to prevent cyber-attacks and to promptly detect any cyber-intrusions so as to respond to, recover from and contain the fallout.
x. CERT-In/NCIIPC guidance may be referred by the organizations while formulating the CCMP.
Endpoint Security
Policy, Procedures & Guidelines: Policy, Standards, Procedures and Guidelines shall be developed to address the threats to endpoints in the information system infrastructure and to prevent unauthorized access to endpoints.
Objective:
a. To ensure that endpoint has an updated (patched) operating system and anti-virus software has the latest virus definitions, etc.
b. To ensure system configurations are accurate and do not compromise the security requirements.
c. To prevent unauthorized external users and network traffic from gaining access to network.
d. To prevent unauthorized devices and other portable storage devices connecting to endpoint.
e. To prevent/detect any unauthorized software on the endpoints.
f. To address technical system and software vulnerabilities quickly and effectively.
g. Build capability to quarantine systems / devices if found to be non-compliant or infected.
Objective: To ensure protection of information during use of virtual environment within the IT infrastructure of the company.
Policy, Procedures & Guidelines: Approved Policy, Procedures & Guidelines for Virtualization of the systems shall be in place, which will detail, at least, the following:
- Centralized Administration of virtualized systems
- Provisioning and allocation of resources between different systems in virtualized machines
- Securing information residing in the host and virtualized machines
Objective: To ensure that information processed, transmitted and stored on the cloud architecture is secure.
Policy, Procedures & Guidelines: Policy, Procedures & Guidelines shall be framed to provide direction for hosting the type of information, its criticality and the level of security controls to be adopted, on cloud or on any external hosting infrastructure.
- With reference to the Electronic maintenance of core business records, records shall be hosted within India.
- The selection of the cloud hosting model shall depend on the criticality of the information being hosted.
- Wherever application/data/system hosting in a cloud is considered inevitable, for commercial, business, regulatory, legal or other reasons, approvals should be obtained by the organization from its senior management.
- Business justification for considering it inevitable to host the data and system in the Cloud, and classification of the data to be hosted on the Cloud, viz. Secret/Highly Confidential, Confidential, Public, Internal, etc.
- It should cover:
  - Security control measures to be implemented by the Cloud service provider/Application Service Provider/any third party/Company for guarding against data leakage, data corruption, security breach etc., as well as control measures in place to prevent, detect and react to breaches including data leakage
  - Due diligence process for selecting a suitable service provider
Objective: To ensure the security of information assets while tele-working and using mobile devices, by implementing appropriate security measures to manage the risks associated with the use of mobile computing devices and communication facilities.
Policy, Procedures & Guidelines:
Policy, Procedures and Guidelines shall be prepared and implemented to provide direction to the users of mobile computing so that the corporate network remains secure.
The Policy, Procedures and Guidelines shall also cover:
a. Security measures for the organization’s information processed using BYOD (Bring Your Own Device) and tele-working sites.
b. All employees, interns and externals using devices falling into the category “mobile devices” such as mobile phones, smart phones, portable devices, etc. shall acknowledge the security policy and the associated procedures & guidelines before they are allowed to use organization’s network using mobile devices.
Information System Audit
- Eligibility & Selection of Auditor:
Independent Assurance Audit shall be carried out by a qualified external systems auditor holding certifications such as CISA or DISA, or by a CERT-In empanelled auditor.
- Scope/Type Audit:
a. Scope of Audit shall include controls defined as per the annexure enclosed with this document.
b. Annual IS Audits should also cover branches on a sample basis, with focus on large and medium branches, in critical areas like password controls, control of user ids, operating system security, anti-malware controls, maker-checker controls, Identity & Access management, physical security, review of exception reports/audit trails, BCP policy and testing etc.
c. This Assurance Audit shall be driven by the Information Security Team.
Audit shall be carried out for every financial year.
- Executing IS Audit
During the audit, auditors should obtain evidence, perform test procedures, appropriately document the findings and conclude with a report.
- Reporting and Follow-up actions
a. There should be proper reporting of the findings of the auditors. For this purpose, each Organization should prepare a structured format.
b. The major deficiencies/aberrations noticed during audit should be highlighted in a special note and given immediately to the ISC and IT Department.
c. Minor irregularities pointed out by the auditors are to be rectified immediately.
d. Follow-up action on the audit reports should be given high priority and rectification should be done without any loss of time.
e. Audit reports need to be presented to the Risk Management Committee of the Board.
f. A copy of the executive summary of the Audit report, along with an action taken note, should be submitted to IRDAI within 30 days of completion of the Audit.
Legal References on Information and Cyber Security
This section provides organizations with a broad idea of the various statutory provisions available for Information and Cyber Security. An attempt has been made here to consolidate the various legal provisions available on Information Technology, Cyber Security and Information Security for reference. Organizations are requested to refer to the relevant Act/regulation/rules/Amendments for updates and the latest provisions.