Home >> Guidelines
Visitors Count:7841
 Guidelines
Zoom OutDefaultZoom In
Print Print Document  Pdf Download PDF    Word Download Zip
To CEOs/ CMDs of All Insurers
Ref: IRDA/IT/GDL/MISC/ 082/04/2017 Date: 07-04-2017
Guidelines on Information and Cyber Security for insurers
 
 
IRDA/IT/GDL/MISC/ 082/04/2017                                                                            Dt. 07/04/2017
 
To

All insurers
Sub:   Guidelines on Information and Cyber Security for insurers
 
Reference is drawn to IRDAI’s circular No: IRDA/IT/CIR/MISC/216/10/2016 dated October 31, 2016 on formulation of a comprehensive Information and Cyber Security framework for Insurance Sector.
Consequently, the following sub-groups comprising of experts drawn from insurance companies were formed for arriving at a comprehensive framework for information and cyber security:
 
Group-1: All four layers of security (Data, Applications, Operating systems and Network layers)
Group-2: Security Audit
Group-3: Legal aspects on Cyber Security
 
IRDAI issued exposure draft containing the draft framework on 2nd March 2017. Having considered the feedback received from the stakeholders to the Exposure draft, IRDAI now issues the attached ‘Guidelines on Information and Cyber Security for insurers’ by exercising the powers vested with the Authority under Sub-section (1) of Section 14 of IRDA Act 1999.
 
A detailed control check list for the effective implementation of these guidelines is enclosed vide
Annexure A.    
These guidelines are applicable to all insurers. In case of intermediaries and other regulated entries with whom the policyholder information is being shared, it would be the responsibility of insurers to ensure that adequate mechanisms are put in place to ensure that the issues related to information and cyber security are addressed.
Insurers who have not completed three years from the date of commencement of business are exempted from the requirement of a full-time person appointed as Chief Information Security Officer (CISO). However, the CISO responsibility may be taken care by any of the functionaries reporting to Board. All other requirements stipulated in the guidelines document shall be applicable to these insurers.
Timelines for implementation
1
Appointment/ designation a suitably qualified and experienced Senior Level Officer exclusively as Chief Information Security Officer (CISO) who will be responsible for articulating and enforcing the policies to protect their information assets and formation of Information Security Committee (ISC)
30th Apr 2017
2
Preparation of Gap Analysis report (AS-IS Vs requirements stated in this guidelines document)
30th Jun 2017
3
Formulation of Cyber Crisis Management Plan
30th Jun 2017
4
Finalization of Board approved Information and Cyber Security Policy
31st Jul 2017
5
Formulation of  Information and Cyber Security assurance programme (implementation plan / guidelines) in line with  Board approved Information and Cyber security policy
30th Sep 2017
6
Completion of first comprehensive Information and Cyber Security assurance audit
31st Mar 2018

Insurers are expected to take suitable steps to become fully compliant by 31st March 2018 as per the above timelines.
The first audit report as stipulated under Chapter no: 23 of the guidelines shall be submitted to IRDAI by 31st March 2018.  Some of the activities stated in Sr.No. 1 – 5 above, may be carried out in parallel in order to ensure that the same are completed in the stipulated time frames.
 
 Sd/- 
Nilesh Sathe
Member(Life)
All Copy Rights Reserved. 2013 IRDAI