IRDAI has issued its Guidelines on Information and Cybersecurity for Indian insurers, which, among other things, mandate that insurers appoint or designate a Chief Information Security Officer (CISO) by 30 April.
The CISO would articulate and enforce policies to protect the company's information assets. The CISO would also be responsible for providing advice and support to management and information users in the implementation of information and cyber security policy.
These Guidelines, released last Friday, follow the decision by the Authority last October to formulate a comprehensive information and cybersecurity framework for Indian insurance companies. Subsequently in March this year, the Authority issued an exposure draft on the framework. These guidelines are based on the feedback received on the exposure draft from various stakeholders.
IRDAI has said that all insurance companies will also have to put in place a cyber crisis management plan by 30 June this year. Insurers are also required to finalise a Board-approved information and cyber security policy for the company by 31 July. The first comprehensive assurance audit of the information and cyber security framework would have to be completed, and the report submitted to IRDAI, by 31 March 2018.
These Guidelines are applicable to all insurers. Where policyholder information is shared with intermediaries and other regulated entities, it would be the responsibility of the insurers to put adequate mechanisms in place so that information and cyber security issues are addressed.
The Guidelines apply to all data created, received or maintained by insurers in the course of carrying out their designated duties and functions, wherever those data records are held and whatever form they take.
Insurers which have not completed three years from the date of commencement of business are exempted from the requirement to appoint a full-time CISO. In such cases, the CISO's responsibilities may be handled by any of the functionaries reporting to the Board. All other requirements stipulated in the Guidelines shall be applicable to these insurers as well.