Document Detail
Title: To CEOs/ CMDs of All Insurers
Reference No.: IRDA/IT/GDL/MISC/ 082/04/2017
Date: 07/04/2017
Guidelines on Information and Cyber Security for insurers
IRDA/IT/GDL/MISC/ 082/04/2017 Dt. 07/04/2017
To
All insurers
Sub: Guidelines on Information and Cyber Security for insurers
Reference is drawn to IRDAI’s circular No: IRDA/IT/CIR/MISC/216/10/2016 dated October 31, 2016 on formulation of a comprehensive Information and Cyber Security framework for Insurance Sector.
Consequently, the following sub-groups comprising of experts drawn from insurance companies were formed for arriving at a comprehensive framework for information and cyber security:
Group-1: All four layers of security (Data, Applications, Operating systems and Network layers)
Group-2: Security Audit
Group-3: Legal aspects on Cyber Security
Group-3: Legal aspects on Cyber Security
IRDAI issued exposure draft containing the draft framework on 2nd March 2017. Having considered the feedback received from the stakeholders to the Exposure draft, IRDAI now issues the attached ‘Guidelines on Information and Cyber Security for insurers’ by exercising the powers vested with the Authority under Sub-section (1) of Section 14 of IRDA Act 1999.
A detailed control check list for the effective implementation of these guidelines is enclosed vide
Annexure A.
These guidelines are applicable to all insurers. In case of intermediaries and other regulated entries with whom the policyholder information is being shared, it would be the responsibility of insurers to ensure that adequate mechanisms are put in place to ensure that the issues related to information and cyber security are addressed.
Insurers who have not completed three years from the date of commencement of business are exempted from the requirement of a full-time person appointed as Chief Information Security Officer (CISO). However, the CISO responsibility may be taken care by any of the functionaries reporting to Board. All other requirements stipulated in the guidelines document shall be applicable to these insurers.
Timelines for implementation
1
|
Appointment/ designation a suitably qualified and experienced Senior Level Officer exclusively as Chief Information Security Officer (CISO) who will be responsible for articulating and enforcing the policies to protect their information assets and formation of Information Security Committee (ISC)
|
30th Apr 2017
|
2
|
Preparation of Gap Analysis report (AS-IS Vs requirements stated in this guidelines document)
|
30th Jun 2017
|
3
|
Formulation of Cyber Crisis Management Plan
|
30th Jun 2017
|
4
|
Finalization of Board approved Information and Cyber Security Policy
|
31st Jul 2017
|
5
|
Formulation of Information and Cyber Security assurance programme (implementation plan / guidelines) in line with Board approved Information and Cyber security policy
|
30th Sep 2017
|
6
|
Completion of first comprehensive Information and Cyber Security assurance audit
|
31st Mar 2018
|
Insurers are expected to take suitable steps to become fully compliant by 31st March 2018 as per the above timelines. The first audit report as stipulated under Chapter no: 23 of the guidelines shall be submitted to IRDAI by 31st March 2018. Some of the activities stated in Sr.No. 1 – 5 above, may be carried out in parallel in order to ensure that the same are completed in the stipulated time frames.
Sd/-
Nilesh Sathe
Member(Life)