
Irdai Circular Calls For Proactive Forensic Audit Measures In Cyber Security

Failure to comply with the reporting requirements may lead to strict probes and also potential penalties. For this reason, organizations need to have a well-structured incident response plan in place


The Insurance Regulatory and Development Authority of India (Irdai) has tightened its stance on cybersecurity threats. It has issued a circular mandating that regulated entities, insurance intermediaries, and training institutes report cyber incidents within six hours of detection. The move is in line with Irdai’s ongoing efforts to strengthen cybersecurity and speed up response mechanisms so that the potential damage arising from cyber threats is minimised. 


“In today’s digital age, [a cyber incident] and/or crisis poses a significant threat to organisations, and therefore it is crucial to respond effectively to prevent or minimize damage to information assets, including customer data, and ensure business continuity,” said the Irdai circular. 

"In addition..., all regulated entities are required to establish a well-defined procedure/practice to ensure that the forensic auditor/s are empanelled in advance and can be onboarded to conduct forensics and root cause analysis of cyber incident/s without any delay," said the circular. 

Last year, following a series of data leaks, Irdai had issued an advisory to all insurance companies asking them to inspect their IT systems for vulnerabilities so that policyholders’ data is protected. 

In fact, a data breach last year affected over 31 million customers of an insurance company, whose sensitive personal information was sold to hackers. 


What Can A Customer Do If His Or Her Data Is Breached 

A data breach can lead to financial losses, legal liabilities, and significant reputational damage. According to IBM’s 2023 Cost of a Data Breach Report, the global average cost of a data breach in 2023 was approximately $4.45 million, covering expenses such as incident response, notification and legal fees. In India, the Digital Personal Data Protection (DPDP) Act, 2023 lays down strict compliance requirements for the handling of personal data. Non-compliance can result in heavy fines, and in severe cases an insurer could face suspension or revocation of its licence by Irdai.

“From the legal perspective, insurance companies are required to protect customer data under various regulations issued by the Irdai. The Insurance Regulatory and Development Authority of India (Irdai) (Third Party Administrators – Health Services) Regulations, 2016, enforce strict confidentiality for data shared with TPAs. The cybersecurity guidelines (2023) require insurers and intermediaries to implement robust data security frameworks, appoint a Chief Information Security Officer (CISO), and conduct periodic audits,” says Rashmi Deshpande, founder, Fountainhead Legal, a law firm. 


Outlook Money, March 2025 issue.
