IRDA: Insurers' Cybersecurity Comes Up Short

Security Experts Weigh In on the Challenges Facing Organizations

Despite new guidance issued earlier this year, insurance companies in India are still falling short of meeting security standards, according to a notification from the Insurance Regulatory and Development Authority of India.

In April, the IRDA had issued guidelines on security best practices. But after six months, several insurance companies have yet to implement the suggested measures, the authority says.

Some security practitioners attribute the delay to a lack of understanding of the criticality of cybersecurity - and, in many cases, the lack of a CISO.

"Barring the top eight or nine firms, the smaller insurance companies have little understanding of the importance of cybersecurity," says a CISO of one insurance company who asked not to be named. "It's still a chicken and egg problem - either the board doesn't have enough budget for cybersecurity or in case they have the budget, the understanding of how exactly a cybersecurity plan needs to be framed is [lacking]."

IRDA Scolds Insurers

In its notification to insurance companies, the IRDA says it has observed that "many of the insurers still have not finalized their gap analysis report, cyber crisis management plan and board approved information and cyber security policy. Ensuring that information and computer technology infrastructure of insurers are fully secured is of paramount importance."

The notification advises insurers to take immediate steps to conduct a security audit for their ICT infrastructures, including a vulnerability assessment and penetration tests, through CERT-IN empaneled auditors. "Identify the gaps and ensure that audit findings are rectified swiftly," the notification stresses. "Insurers are also requested to firm up their cyber crisis management plan for handling cyber incidents more effectively. In case CISOs have not yet been appointed ... they are advised to ensure that they are appointed immediately."

Where the Challenge Lies

When it comes to security, the insurance sector spends less than the banking sector, some security experts say.

"The insurance sector is not technology savvy, and having a CISO is not a priority for this sector like in banking," says a CISO from the industry who asked not to be named. "Even for CISOs, joining a bank is considered a better career move than getting into the insurance industry thanks to the visibility one gets in the former sector."

A lower pay scale for CISOs in the insurance sector also makes recruiting challenging, some observers say. "In order to attract CISOs from other sectors, one needs to shell out a huge sum of money," says the CISO from the industry. "Not all insurance firms have that kind of a budget set aside for cybersecurity."

Another CISO from the insurance sector, who requested anonymity, claims the real problem is that the insurance sector still views cybersecurity as an IT issue. "At a time when most industries have understood the problem of cybersecurity and how it is a business issue, we [the insurance sector] are still stuck in a time warp," this CISO says.

Some insurers lack a human resources team with the skills to prepare a proper job description for the CISO's role, says Lopa Mudraa Basuu, an enterprise security and risk governance expert. "The human resources team needs to take a cue from big consultant groups in carving out the job description for security professionals," Basuu says. "A CISO has to wear different caps - tech head, compliance head, people manager and a regulatory head. He or she should have the ability to collaborate with both internal and external stakeholders."

CISOs must be able to protect enterprise assets as well as advise business leaders on the importance of security, security practitioners say. "Organizations should source a leader who can articulate information security and privacy-related technical issues in a nonthreatening and clear/actionable manner to nontechnical leadership and get the necessary budgets to put an effective cyber crisis plan in place," says another CISO from the insurance industry who asked not to be identified.

Cyber Crisis Management

Security experts advise companies still drafting a cyber crisis management plan to ensure that they incorporate key elements like threat intelligence services; forensic investigation and collaboration with key stakeholders; root cause analysis; and breach detection, response, recovery and containment.

Many companies in the insurance sector also still lack a separate incident response committee or an IT response committee, some observers say.

About the Author

Suparna Goswami

Associate Editor, ISMG

Goswami has more than 10 years of experience in the field of journalism. She has covered a variety of beats, including the global macro economy, fintech, startups and other business trends. Before joining ISMG, she contributed to Forbes Asia, where she wrote about the Indian startup ecosystem. She has also worked with the UK-based International Finance Magazine and leading Indian newspapers such as DNA and the Times of India.