In the wake of recent cyber attacks on the financial sector, the Hyderabad-based Insurance Regulatory Authority of India has issued a comprehensive cyber security framework offering guidance for insurers.
A detailed control checklist for the effective implementation of these guidelines has also been issued.
These guidelines are applicable to all insurers. In the case of intermediaries and other regulated entities with whom policyholder information is shared, it is the responsibility of insurers to ensure that adequate mechanisms are put in place so that information and cyber security issues are addressed.
Insurers who have not completed three years from the date of commencement of business are exempted from the requirement of appointing a full-time Chief Information Security Officer (CISO). However, the CISO responsibility may be taken care of by any of the functionaries reporting to the Board. All other requirements stipulated in the guidelines document shall be applicable to these insurers.
IRDAI also mandates an information systems audit for all insurance companies, with the following details:
Eligibility & Selection of Auditor:
The Independent Assurance Audit shall be carried out by a qualified external systems auditor holding certifications such as CISA or DISA, or by a CERT-In empanelled auditor.
a. Scope of Audit shall include controls defined as per the annexure enclosed with this document.
b. Annual IS Audits should also cover branches on a sample basis, with focus on large and medium branches, in critical areas such as password controls, control of user IDs, operating system security, anti-malware controls, maker-checker controls, identity and access management, physical security, review of exception reports and audit trails, and BCP policy and testing.
c. This Assurance Audit shall be driven by the Information Security Team.
Audit shall be carried out for every financial year.
Executing IS Audit
During the audit, auditors should obtain evidence, perform test procedures, appropriately document the findings, and conclude with a report.
Reporting and Follow-up actions
a. There should be proper reporting of the findings of the auditors. For this purpose, each Organization should prepare a structured format.
b. The major deficiencies/aberrations noticed during audit should be highlighted in a special note and given immediately to the ISC and IT Department.
c. Minor irregularities pointed out by the auditors are to be rectified immediately.
d. Follow-up action on the audit reports should be given high priority and rectification should be done without any loss of time.
e. Audit reports need to be presented to the Risk Management Committee of the Board.
f. A copy of the executive summary of the audit report, along with an action-taken note, should be submitted to IRDAI within 30 days of completion of the audit.