The IRDAI has issued a circular to insurance companies, stating that it has observed that insurers are not complying with timelines stipulated for the reporting of cyber security threats.
The circular, released by Mr Deepak Gaikwad, IRDAI’s Chief Information Security Officer, says that IRDAI-regulated entities are also not keeping the Authority in the loop in their communications with CERT-IN (Indian Computer Emergency Response Team).
The IRDAI had issued a notification on cyber security which states that “organisations shall mandatorily report cyber incidents to CERT-IN within six hours of noticing or being brought to notice about such incidents with a copy to IRDAI and other concerned regulators/authorities”. The notification is part of IRDAI’s Information and Cyber Security Guidelines, 2023, published in April 2023.
Mr Gaikwad said, “In view of the above, all regulated entities are directed to scrupulously follow the provisions regarding reporting of incidents to IRDAI and CERT-IN.”
The regulated entities are also required to submit available details of cyber security incidents to the Authority in a report format within 24 hours of intimation of the incident. The report needs to be updated with forensic analysis information as and when it is obtained, and submitted to the Authority within 24 hours of such information being made available.
In January 2023, a total of 49,844,877 cyber attacks were recorded on 114 insurance-related websites in India, according to Indusface, an application security SaaS company funded by Tata Capital.