Mumbai, April 10, 2017

The Insurance Regulatory and Development Authority of India has asked insurance companies to have a board-approved information/cyber security policy by 31 July 2017.

The regulator has asked companies to have a cyber security assurance program approved by the Board by 30 September 2017. It has asked insurers to appoint a chief information security officer (CISO) who would be responsible for enforcing policies to protect information assets. The CISO would be head of risk management and will have a working relationship with the CIO.

The regulator laid down cyber security guidelines covering the classification of critical systems, a cyber resilience program, identification, detection and protection.

The regulator has asked insurers to segregate IT & Information Security functions. Also, information security as a function cannot be outsourced.

It has asked insurers to form an information security committee comprising operations, IT, legal, finance, compliance etc., headed by a senior official reporting to the Board.

[The Economic Times]