India's Insurers Face New Security Mandates
Critical Customer Data Must Be Stored Domestically
To improve security, the Insurance Regulatory and Development Authority of India (IRDA), under the Outsourcing of Activities of Indian Insurers Regulations, 2016, is requiring insurance companies to stop using internet servers outside India and to store all critical customer data domestically. The authority is also requiring insurers to take stringent measures to safeguard those domestic servers.
The actions are in keeping with Parliament's decision to require critical sectors to use only servers based in India.
IRDA sees the location of insurers' servers as a critical security issue.
"To retain the confidentiality and security of the data, no activity that may result in migration of or transfer of any information or data outside India shall be outsourced," Yegnapriya Bharath, IRDA's joint director, health, says in a statement.
The objective is to make sure that insurers follow prudent practices in managing risks arising from outsourcing to protect the interests of policyholders.
IRDA has mandated all insurance organizations relocate any foreign-based servers and data to India in the next three to six months, although it has not announced penalties for non-compliance.
Many Indian insurance companies have joint ventures with foreign companies, which means they have servers in data centers outside India, security sources say.
Among the insurers using the joint venture model are Tata AIG, Bharti AXA General Insurance Co., Bajaj Allianz, ICICI Lombard, ICICI Prudential, Birla Sun Life Insurance, Reliance Nippon Life Insurance Co. and HDFC Life Insurance.
A Costly, But Necessary, Mandate?
The new regulatory mandates could prove costly to implement.
"IRDA's mandate puts forth new challenges for IT and security teams," says Satyanandan Atyam, associate vice president of risk management and data privacy officer at Bharti AXA General Insurance. "This will demand new investments for building infrastructure to store critical data and procure new servers for securing legacy applications. Besides, there are investments for procuring new licenses on servers and writing new security policies for new technologies, which means new budgets to be sanctioned, which is difficult."
Atyam acknowledges, however, that IRDA's mandates make sense because they'll help insurers to have better control over data and take the right security steps.
Mumbai-based S. V. Sunder Krishnan, chief risk officer at Reliance Nippon Life Insurance, also supports the new mandate that insurers' servers be housed in India, because servers outside India are mostly handled by internet service providers, which raises serious security concerns.
"Having data in India helps address data privacy issues, create indigenous infrastructure without dependency and prevent misuse of data leakage internationally," Krishnan says.
Relocation of servers, however, will mean insurers must make hefty investments in new infrastructure and security.
"Relocation would result in setting up a new project with a new cost and complexities, deploying new solutions and new resources to manage," Atyam says.
Other challenges for CISOs, Atyam says, are designing security architecture for new web-facing applications, planning new tools and rewriting the rules.
A Big Project
The new regulations mean that Tata AIG General Insurance Co. faces the massive task of relocating servers from data centers in the Middle East region and New York, says K. Suresh, vice president of IT.
"There are risk concerns during relocation, as it requires additional security controls and backup-related concerns - a big challenge for CISOs," Suresh says.
"It's not just about technological change; re-designing the security development lifecycle is a big cost. It's also about creating new policies, besides building a new security culture."
Plus, the insurer will need to find new outsourcing service providers with data centers within India, he points out.
Steps to Safeguard Servers
In addition to requiring insurance companies to relocate servers and store data within India, IRDA has other new requirements.
For example, insurers must make sure that outsourcers' security policies, procedures and controls are adequate to protect the confidentiality and security of policyholder information. Plus, they must take into account any legal or contractual obligation to disclose the outsourcing arrangement and the circumstances under which data may be disclosed. And in the event of termination of the outsourcing agreement, the insurer must ensure that all customer data is completely retrieved from the service provider.
For insurers' in-house servers, Atyam says CISOs must design a new security authentication architecture. "Deploying a new SSL protocol will help establish additional capabilities," he says.
Suresh adds: "Given that we see increasing hack attempts by Chinese hackers, new budgets must be sought and allocated exclusively for faster [breach] detection to ensure the lowest levels of damage post-breach - since breaches are inevitable."