“From a regulator’s perspective, IRDAI is making sure that insurers have a certain cybersecurity risk management posture in place,” says Manoj Nayak, Chief Information Security Officer at SBI Life Insurance.
Even insurance companies aren't insured against cyber attacks.
On 7th April 2017, the Insurance Regulatory and Development Authority of India (IRDAI) issued a circular to CEOs and CMDs of all insurance firms, titled Guidelines on Information and Cyber security for Insurers. The circular gives insurers a period of about a year to ensure that adequate mechanisms are put in place to address the issues related to information and cyber security.
In the United States, Anthem, a health insurance plan provider, is infamous for its security breach that exposed over 80 million customers' medical data in 2015. This stolen data, as indicated by several stories reporting the breach, was used "to engage in very sophisticated kinds of identity theft."
According to a study by IBM and Ponemon Institute, India is the prime target of hackers, even more than the United States of America. The average cost incurred by Indian enterprises for a data breach was 9.73 crore in 2016. The last few breaches in the country have underscored not just the huge risk that consumers face but also how valuable this information, especially insurers' data, is to cyber criminals.
As a response to the growing cyber risk, the Reserve Bank of India drafted a 'Cyber Security Framework in Banks' in June 2016. The framework highlighted the "urgent need to put in place a robust cyber security/resilience framework at banks and to ensure adequate cyber-security preparedness among banks on a continuous basis."
In September 2016, SEBI also asked commodity derivatives exchanges to put in place a framework to safeguard systems, networks and databases from cyber attacks. It also announced the appointment of a new Chief Security Officer who will be responsible for strengthening SEBI's regulatory policy framework in the area of cybersecurity. Till now, no such position has been publicly announced.
However, the new circular by IRDAI is only an extension of what regulators in India are already getting ready for. According to Parag Deodhar, Chief Information Security Officer - Asia, Japan and Business Services at AXA Group - AXA, "there has been an increase in the overall risk."
According to CERT-In data from 2016, between December 9 and 12, at least 80,000 cyber attacks targeted Indian networks. This is a clear indication of why Indian organizations are proactively driving the cybersecurity agenda.
“The regulations in India are also evolving and they promise tighter data protection rules and this move by GDPR is a positive step in the same direction,” says Deodhar.
And why not?
Insurance companies typically store a lot more information than banks or other financial institutions. Whether it is credit card information, customer information or health records (in the case of health insurance companies) – all of this is critical data that must be protected against a breach.
IRDAI mandates that, by March 31, all insurance companies appoint a Chief Information Security Officer (CISO) who will be responsible for articulating and enforcing the policies to protect their information assets, and the formation of an Information Security Committee (ISC).
According to Manoj Nayak, Chief Information Security Officer at SBI Life Insurance, “Insurance companies must ensure that a skilled security professional takes the responsibility of carrying out information security practices.”
“From a regulator’s perspective, IRDAI is making sure that insurers have a certain cybersecurity risk management posture in place,” added Nayak.
In early 2016, IRDAI announced that it would set up a working group of CTOs to set standards for data and cyber security. At the time, IRDAI executive Nilesh Sathe said that there had been instances of data pilferage in the insurance sector. "We are receiving complaints of spurious calls where policyholders are being asked to surrender their existing policies and get new ones," said Sathe.
Siphoning of funds and spurious calls are just one part of the problem. The other issue is the increasing risk to data. According to Manish Anand, Corporate Vice President, Head - Information Technology Services/Operations at Max Life Insurance Company Limited, “the more digital you become, the more is the risk to your customer’s data.”
“A lot of insurers today are focusing on the risk part and not on the protection of data. These guidelines by the IRDAI will help organizations to chart shorter goals and implement a cybersecurity framework within a span of one year,” says Anand.
Anand says it won’t be difficult to implement the guidelines in the circular within a period of one year. “Most insurers have already created an information security role in the organization.”
The new circular by the IRDAI only makes the Chief Security Officer role more official in insurance organizations.