Several insurers have failed to apply IT and cyber security measures, six months after the industry regulator, the IRDAI, provided guidelines on the matter.
In a statement the IRDAI said: “From the feedback/updates received from insurers, it is observed that many of the insurers still have not finalised their Gap Analysis report, Cyber Crisis Management Plan and board approved Information & Cyber Security Policy.”
The regulator said: “Insurers are advised to take immediate steps to conduct a security audit of their ICT infrastructures including Vulnerability Assessment and Penetration Tests (VAPT) through Cert-in empanelled auditors, identify the gaps and ensure that audit findings are rectified swiftly.”
Insurers are also asked to firm up their Cyber Crisis Management Plan (CCMP) for handling cyber incidents more effectively.
The IRDAI has advised insurers that have not met the timelines issued in April this year to scale up their activities in order to comply with them.
The regulator said that any vulnerabilities in ICT systems might compromise policyholder-related information, resulting in exposure of sensitive information of the insurance sector and the financial markets, which would in turn have serious consequences “not only for the insurance sector but for the financial system of the country as a whole.”