IRDAI regulated entities not reporting cyber security incidents on time

Hyderabad, June 14, 2023 

Citing guidelines, insurance regulator directs them to scrupulously follow provisions on reporting of such incidents to the authority and CERT-In.

Insurance regulator IRDAI has directed all entities that come under its purview to scrupulously adhere to the provisions related to reporting of cyber security incidents.

Observing that the entities – insurers and others in the insurance space – were not adhering to the prescribed timelines, the Insurance Regulatory and Development Authority of India (IRDAI) said they were also not keeping the authority in loop in their communications to CERT-In.

It has cited the April 2023 IRDAI Information and Cyber Security guidelines under which such organisations need to mandatorily report cyber incidents to CERT-In within six hours of coming to their notice with a copy to IRDAI and other concerned regulators/authorities.

CERT-In is the national nodal agency for responding to cyber security incidents. While the trigger for the insurance regulator reiterating the norms was not immediately known, the communication assumes significance in the backdrop of recent reports of alleged CoWIN (Covid Vaccine Intelligence Network) data breaches.

“All regulated entities are directed to scrupulously follow the provisions regarding reporting of incident to IRDAI and CERT-In. Regulated entities are required to submit available details of cyber security incident to the authority in an enclosed format within 24 hours of intimation of the incident,” IRDAI said.

Details in the reporting format ought to be updated with information from the forensic analysis and submitted to the authority as subsequent versions within 24 hours of such information being made available, it said in a circular to the regulated entities.

[The Hindu]