Introduction
On September 14, 2023, the Insurance Regulatory and Development Authority of India (“IRDAI”) set up an inter-disciplinary standing committee on cyber security, tasked with regularly reviewing the threats inherent in existing or emerging technologies and suggesting appropriate changes to the IRDAI Information and Cyber Security framework to further strengthen the insurance industry’s cyber security posture and resilience.[1] This follows the IRDAI’s notification of the Information and Cyber Security Guidelines on April 24, 2023 (“CS Guidelines 2023”).
We have previously written (Data Protection in the Indian Insurance Sector – Regulatory Framework Part II | India Corporate Law, cyrilamarchandblogs.com) on the erstwhile Information and Cyber Security Guidelines that were notified on April 7, 2019, and were applicable only to insurers (“CS Guidelines 2017”). However, with all major processes shifting online and the insurance sector embracing newer technologies, cyber security has emerged as a very real threat for the industry. As a result, in 2022, the IRDAI extended the applicability of the guidelines to all insurance intermediaries, including brokers, foreign reinsurance businesses (FRBs), corporate agents, web aggregators, third-party administrators (TPAs), insurance marketing firms (IMFs), insurance repositories, insurance self-network platforms (ISNPs), corporate surveyors, motor insurance service providers (MISPs), common service centres (CSCs), and the Insurance Information Bureau of India (IIB) (collectively with insurers, the “Regulated Entities”).[2]
Supersession of the CS Guidelines 2017
Since 2017, there has been a concerted government push towards digitisation, catalysed by the remote working arrangements of the COVID-19 pandemic, along with a marked change in the manner in which the Indian insurance industry handles and processes data. While this has enabled the insurance industry to streamline its operations, increase business efficiencies and enhance customer experience, it has also exposed the sector to greater vulnerability to cyber-attacks and data leaks. Recognising this, the IRDAI has reinforced its information and cyber security framework and replaced the CS Guidelines 2017 with the CS Guidelines 2023. The primary emphasis of the CS Guidelines 2023 is on data-centric security, i.e., securing the data itself rather than only the network or system it is stored in. They also mandate Regulated Entities to adopt a risk-based approach, take the measures necessary to secure data management, and mitigate cyber threats so that sensitive customer information in any form (whether received by the Regulated Entities or shared by them with their employees, third-party vendors, business distributors, etc.) is protected against loss, misuse or leakage.
This entails identifying and evaluating risks, developing contingency plans for handling incidents, conducting periodic security audits, and maintaining data confidentiality, information integrity and availability. Although insurance agents, micro-insurance agents, point of sale persons and individual surveyors are not covered under the ambit of the CS Guidelines, insurers are required to ensure that these entities follow the minimum security framework prescribed under the insurers’ board-approved policies, as required by the CS Guidelines.
Key highlights of the CS Guidelines 2023
Organisational structure and governing body:
- All Regulated Entities are mandated to establish and maintain an organisation structure for governance, implementation and monitoring of information security, comprising the board of directors (“Board”), risk management committee (“RMC”) and Information Security Risk Management Committee (“ISRMC”).
- The ultimate responsibility for information security (“IS”) of an organisation vests with the Board, in addition to quarterly review of the organisation’s IS matters and approving its information and cyber security policy (“CS Policy”).
- The ISRMC is the body governing the CS Policy of the organisation and shall comprise the Chief Technology Officer (“CTO”), Chief IT Security Officer (“CITSO”), Chief Risk Officer (“CRO”), Chief Security Officer (“CSO”), Chief Information Security Officer (“CISO”) and the Chief Human Resource Officer (“CHRO”). The CRO is tasked with the overall risk management functions of the organisation (including IS risk).
- The ISRMC will be responsible for all policy revisions and approvals, including updating the CS Policy, maintaining internal controls, formulating the IT continuity/ disaster recovery plan and reporting IS risks to the relevant committees. The CISO and at least two members must attend each ISRMC meeting, and all members must meet at least twice a year. The ISRMC may refer to the RMC any matter pertaining to IS risk management that is relevant to the RMC.
- The IRDAI Guidelines for Corporate Governance for insurers require all insurers in India to constitute an RMC under the overall guidance and supervision of the CRO. Additionally, the top 1000 listed entities (based on market capitalisation at the end of the immediately preceding financial year) are mandated to establish an RMC under the Securities and Exchange Board of India (Listing Obligations and Disclosure Requirements) Regulations, 2015.
- Presently, the Companies Act, 2013, does not specifically contain any provisions with respect to the constitution of an RMC.[3] However, it appears that by extending the applicability of the CS Guidelines 2023 to entities beyond insurers, all Regulated Entities are required to constitute an RMC.
- The CS Guidelines 2023 also mandate constitution of various internal committees/ sub-committees such as the IS team, control management committee and the crisis management committee, with detailed roles and responsibilities for each function head and committee/ sub-committee.
Data localisation: Regulated Entities (other than insurers) are required to store all ICT infrastructure logs, critical and business data in India. Although excluded from this requirement under these guidelines, insurers are mandated to store their primary data in India under the IRDAI Guidelines on insurance e-commerce[4], IRDAI (Maintenance of Insurance Records) Regulations 2015[5], and IRDAI (Minimum Information Required for Investigation and Inspection) Regulations 2020[6].
Acceptable usage of social media: While the CS Guidelines 2017 only required that an organisation’s acceptable-use policy cover ‘social media’, the CS Guidelines 2023 now provide specific standards on such acceptable use, including on how employees may use social media for corporate or personal purposes. The CS Guidelines 2023 prescribe that personal use of social media by employees shall not in any way be attributed to the organisation or be interpreted as corporate communications. Further, employees are to refrain from using social media for business purposes unless they have obtained the organisation’s approval and undergone appropriate training in this regard.
Conclusion
Besides a continuous push by the government towards greater insurance penetration, the insurance sector has undergone substantial FDI liberalisation in the last few years, thereby opening the market to various smaller players and market participants. Data now plays a dynamic and important role in modern businesses, and the insurance industry has rapidly adopted digital technology as a more viable option. With data becoming the lifeline of every organisation operating in the insurance sector, cyber threats and attacks have increased, raising the risks for individuals as well as organisations: breaches of sensitive data can adversely affect individuals and cause significant financial losses for organisations. Extending the applicability of the more robust and sophisticated CS Guidelines 2023 to entities beyond insurers was not only imperative, but also allowed smaller players in the sector to adopt measures tailored to their needs and competences, obviating the burden of one-size-fits-all compliance. While these measures are likely to shore up the sector’s preparedness against cyber security risks, only regular assessments, ongoing monitoring, critical updates and regulatory guidance will ensure protection of policyholders’ wealth and data.
[1] Notification dated September 14, 2023, accessed at: https://irdai.gov.in/document-detail?documentId=3857996
[2] Notification dated October 11, 2023, accessed at: https://irdai.gov.in/document-detail?documentId=1446431
[3] The Company Law Committee Report of 2022 has recommended the constitution of an RMC for such class or classes of companies, as may be prescribed by the Central Government, page 47, paragraph 14.5, accessed at: https://www.mca.gov.in/bin/dms/getdocument?mds=bwsK%252FBEAFTVdpdKuv5IR5w%253D%253D&type=open
[4] Paragraph 14(a)(x), accessed at: https://irdai.gov.in/document-detail?documentId=384512
[5] Paragraph 3(9), accessed at: https://irdai.gov.in/document-detail?documentId=604674
[6] Paragraph 24, accessed at: https://irdai.gov.in/document-detail?documentId=604838