IRDAI Floats Draft CyberSec Framework for Insurers
Framework Drafted By Regulator in Collaboration With Industry
The Insurance Regulatory and Development Authority of India has released a draft information and cybersecurity framework, aimed at mitigating cyber risk and threats posed by the increasing use of technology in the Indian insurance sector.
The IRDAI intends this to be a comprehensive document that ensures a uniform framework for information and cybersecurity is implemented across the industry, and that regulated entities have an in-built governance mechanism for information and cybersecurity, including legal issues and cyber fraud. The framework, which has been formulated with input from a working group of experts from the industry, is likely to be finalized soon.
According to IRDAI, the proposed framework draws from best practices and standards already followed by insurers, gathered through working groups set up for this purpose. The framework will apply to all organizations regulated by the IRDAI and, to a certain extent, to entities or individuals dealing with those regulated organizations. Information created, received or maintained by insurers, intermediaries and other registered entities that have access to policyholder or customer information will be expected to adhere to the guidelines.
This is not IRDAI's first major move with respect to security. In September 2016, the IRDAI mandated that insurance companies conducting business in India store all critical customer data locally within a six-month period from datacenters outside India, and take stringent measures to safeguard indigenous servers (see: India's Insurers Face New Security Mandates).
In a circular to the industry unveiling the exposure draft of the framework, IRDAI's chief general manager IT, A.R. Nithiyanantham, said that IRDAI formed a working group of CIOs from the insurance industry on 31 Oct 2016, with the express mandate of formulating a comprehensive framework for information and cybersecurity for the sector.
This group met in Nov 2016 and formed three sub-groups to work on various security issues: all layers of security, viz. the data, application, operating system and network layers (group 1); security audit (group 2); and legal issues (group 3). These sub-groups met on various dates and prepared the draft framework after multiple rounds of discussions.
A tentative audit checklist as well as best practices have also been prepared, says Sharad Sadadekar, CISO and Vice President - Information Security, Governance and Technical Services at HDFC Life, who is also a member of the first working group. "The documented framework and guideline is comprehensive enough and has managed to cover almost all critical domains along with new technological advancement[sic] risk," he says.
The insurance sector's need to significantly increase its focus on data protection, especially of sensitive personally identifiable information, is well established, and the framework is being seen as a welcome move by observers and experts.
KK Mookhey, founder and principal consultant at Mumbai-based NII Consulting, who reviewed the framework, says: "The framework itself is comprehensive, but also avoids being too prescriptive. So it covers cloud security, mobile security, the legal aspect of cybersecurity in the Indian context and other aspects, which would help insurance companies holistically address cybersecurity. Also, a lot of insurance companies are engaged in fairly serious digital transformation exercises, and this framework helps address the risks arising out of those as well."
The framework defines its vision and objectives as ensuring that a board-approved information and cybersecurity policy is in place at all regulated entities, and that the necessary processes exist for information security risk management, enterprise risk management and cybersecurity-related issues.
The 90-page document is divided into 20 separate headings dealing with the above, and a significant portion of it details the technology aspects of security, including application security, infrastructure security, key management, virtualization, endpoint security, cloud security, mobile security and BYOD, among others.
The remaining sections address information systems audit and legal aspects, including intermediary liability. There is also a section mapping penal provisions under the IT Act 2000 in the event of lapses in security. The complete document is available for download and review here.
Implications for the Sector
Insurance organizations will need to ensure that a governance mechanism is in place for effective implementation of the information and cybersecurity framework. Per the guidelines, organizations need to be prepared to adequately mitigate cybersecurity risks and report incidents in a timely manner. A separate section of the document mandates reporting of certain defined types of cybersecurity incidents to CERT-In.
From a governance perspective, HDFC Life's Sadadekar believes cybersecurity will be one of the board's most important tasks, requiring a clear view of how the business would continue without being seriously impacted. "Organizations will need to ensure that there are teams - a CISO function to monitor and a technology team to manage - with appropriate skills, resources, and approach in place to minimize the likelihood of a cyber incident; and the ability to mitigate or recover from any potential damages," he says (see: Breach Management: Security Governance is Critical).
Implementation across the regulated entities will take some time to reach an acceptable level, Sadadekar believes. "This time will vary as each organization is at a different level of maturity, while some don't even have a nominated CISO." But with the IRDAI taking a keen interest in security, he is confident that it is only a matter of time before the insurance industry sets standards for other sectors to follow.
To the industry and peers falling within the purview of the framework, Sadadekar recommends:
- Document and communicate a vendor risk management model so that you are ready to manage the risk arising from outsourcing activities;
- Formulate a data security section with regulatory requirements clearly spelled out to be included in the agreement with the business and IT service providers;
- Define and implement controls for SMAC - Social, Mobility, Analytics and Cloud;
- Keep the audit checklist ready with evidence.
Going by first impressions, the initiative sets an effective precedent that other sectors can emulate, with the regulator actively seeking input and amalgamating best practices and standards from industry itself, experts say.