IRDAI Developing Cybersecurity Framework for Insurers
Two Working Groups to Develop Recommendations
In the wake of recent cyberattacks on the financial sector, the Hyderabad-based Insurance Regulatory Authority of India plans to develop by March 2017 a comprehensive cybersecurity framework offering guidance for insurers.
IRDAI is asking all 54 insurance companies in India to nominate CIOs to participate in two working groups - one for life insurers, and another for all other insurers, including those offering health insurance - that will develop cybersecurity framework recommendations. The groups will make recommendations by the end of January 2017.
Most insurers in India have not yet designated a CISO, which is why the regulator is seeking participation by CIOs in the workgroups.
IRDAI has appointed A.R. Nithiyanantham, its chief general manager-IT, as convener of the working groups. He will review the recommendations the groups submit.
IRDAI is taking the action in response to the growing cybersecurity concerns among insurance companies. The regulator is taking steps to make sure that insurers follow prudent practices in managing risks and protecting customer data.
Reaction to Plan
Many security practitioners say it's good to see the regulator develop a framework because insurers are still lagging in security. And they hope IRDAI adopts firm mandates for breach notification and guidance on how insurers can effectively leverage people, technology and processes to improve security.
But because most enterprises do not have baseline security standards and a dedicated security and risk team, or even an IT team, they're concerned that implementing a robust cybersecurity mechanism could prove challenging.
Bangalore-based Satyanandan Atyam, associate vice president of risk management and data privacy officer at Bharti AXA General Insurance, says: "IRDAI's idea to come up with risk framework will put all the functional groups on their toes to assess the company's cybersecurity and risk strategy and understand the requirements in order to come up with suggestions. However, the challenge is most insurance companies have just baseline security with ISO 270001 framework in place, and they do not have tools to defend against new attack forms due to lack of layered security."
Mumbai-based S. V. Sunder Krishnan, CISO at Reliance Nippon Life Insurance, says most insurance companies don't have the financial muscle or are operationally unaligned to invest strategically in cybersecurity risk management. "The measures adopted are more tactical and short term. IRDAI's guidelines would help them build a long-term approach to tackling cybersecurity issues and take appropriate security measures."
Working Group Activities
The two working groups will put forth recommendations for how to mitigate internal and external threats to insurers; bolster the IT backbone; enhance measures to prevent cyber fraud and improve business continuity and disaster recovery; and assess legal issues.
IRDAI says the groups' recommendations should relate to securing data, applications, operating systems and network layers against various attacks, including denial-of-service, phishing, hacking, man-in-the-middle, malware, sniffing and spoofing.
Once the working groups submit their reports, the regulator will issue a draft of its cybersecurity risk guidelines.
Insuring the Risk Factors
CISOs in the insurance sector face both business and security risks, Krishnan says, including:
- Data leakage;
- Ransomware attack;
- Online transaction and messaging frauds;
- IPR violations risk.
"I foresee the big challenge of integrated fraud. The industry is in a transitional stage owing to far-reaching and overwhelming regulatory changes," Krishnan says.
Many security practitioners believe that most insurance companies that are collecting vast amounts of customer credentials through intermediaries and insurers do not yet protect them with stringent controls.
Bengaluru-based Lopa Mudra Basu, former security head of Metlife Ltd., observes: "Insurers lack an effective incident response team with domain expertise along to build an effective risk management framework. Though every insurer has an ISO 270001 in place, it's more a framework which handles compliance needs for auditing - not effective in protecting business."
Rana Gupta, an APAC vice president at Gemalto, says the biggest challenge is overcoming the mindset "it cannot happen to me" and overconfidence that breaches can be prevented.
"The riskiest aspect is that insurers always think security is a single-layer approach and static in nature," he adds. "It's historically proven that enterprises take security and risks seriously only when driven by a mandate or a regulation accompanied with severe penalties for non-compliance."
Krishnan remarks that most companies have been working in silos or depending on third-party security frameworks that will not address process-oriented risks within the organization.
Mandatory Breach Reporting
Security experts suggest that mandatory breach reporting be included in the framework so the companies will invest more in security.
"Making it mandatory for companies to report breaches within a stipulated period, holding the CEO responsible for implementing this and imposing penalties for non-disclosure may help establish the right security measures," Gupta says.
Krishnan says IRDAI should also require mandatory notification of customers when data is shared with third-party service providers.
Immediate Action Plan
Security experts say now is the right time for insurance companies to review their security strategies.
IRDAI must emphasize that enterprises need to have a dedicated security team that can work with all other parts of the company, Basu says.
"What really matters to insurance is data; the IRDAI framework must come up with guidelines to protect data and ways to secure the aftermath of an attack," Gupta says.
The regulator needs to emphasize the importance of data encryption and enhanced user authentication as part of the proposed framework and also direct companies to adopt common data standards to establish a secure infrastructure, some security experts say.
"A modus operandi to establish a structured mechanism for information exchange between experts and CERT-In to understand cyber threats is important; IRDAI can lay emphasis on this structure," Krishnan says.