Ref: IRDA/IT/CIR/MISC/232/10/2017
12th October, 2017
 
TO,
CMDs/ CEOs – LIFE INSURERS, GENERAL INSURERS, HEALTH INSURERS AND REINSURERS
Re: Compliance on Guidelines related to Information and Cyber Security.

We draw your attention to IRDAI Circular Ref: IRDA/IT/GDL/MISC/082/04/2017 dated 7th April, 2017, setting out Guidelines on Information and Cyber Security for Insurers. From the feedback/updates received from insurers, it is observed that many insurers still have not finalised their Gap Analysis report, Cyber Crisis Management Plan and Board-approved Information & Cyber Security Policy. Ensuring that the Information and Computer Technology (ICT) infrastructure of insurers is fully secured is of paramount importance. Any vulnerability in ICT may result in compromise of the confidentiality of policyholder-related information and exposure of sensitive information of the insurance sector and of the financial markets in general. This would have serious repercussions not only for the insurance sector but for the financial system of the country as a whole.

Therefore, insurers are advised to take immediate steps to conduct a Security Audit of their ICT infrastructure, including Vulnerability Assessment and Penetration Tests (VAPT), through CERT-In empanelled auditors, identify the gaps and ensure that audit findings are rectified swiftly. Insurers are also requested to firm up their Cyber Crisis Management Plan (CCMP) so that cyber incidents are handled more effectively. Recently registered insurers and reinsurers must also ensure that steps are taken to implement the Guidelines. Where CISOs have not yet been appointed by recently registered entities, they are advised to ensure that CISOs are appointed immediately. Further, insurers who have not kept to the timelines given in the Guidelines referred to above are advised to scale up their activities so as to comply with them.
Confirmation of having noted the above, together with the proposed plan of action, may be submitted to it@irda.gov.in by 17th October, 2017.

(Dr. Maruthi Prasad Tangirala)
Executive Director (IT)