Insurance firms will be required to appoint a Chief Information Security Officer (CISO) by 30 April, whose main job would be ensuring data protection.
This is part of the measures outlined in the industry regulator IRDAI's cyber security guidelines, released earlier this month, which will be implemented in phases from 30 April to the end of next year, Press Trust of India reported.
The Guidelines on Information and Cyber Security for Insurers cover the data, application, operating system and network layers. The guidelines also address security audits and the legal aspects of cyber security.
Insurance companies that have been operating for less than three years, however, have been exempted from the requirement of appointing a full-time CISO. They can instead appoint an executive who reports to the board of directors to undertake the functions of a CISO.
"While information sharing is essential in conducting the business operations, it is essential to ensure that adequate systems and procedures are in place for ensuring that there is no leakage of information, and information is shared only on a need-to-know basis," IRDAI said.
Other measures that IRDAI wants insurance firms to implement include having in place a cyber crisis management plan by 30 June; finalising a board-approved information and cyber security policy by 31 July as well as an information and cyber security assurance programme by 30 September. By 31 March next year, insurers are to have completed an information and cyber security assurance audit.