Underscoring the importance of timely and effective responses to cyber incidents or crises, the Insurance Regulatory and Development Authority of India (IRDAI) has mandated all regulated entities to establish a well-defined procedure for the empanelment of forensic auditors in advance. The goal is to ensure that these auditors can be onboarded to conduct forensics and root cause analysis of cyber incidents without delay.
This directive follows several reports of data breaches from insurers, with IRDAI directing two insurers to carry out audits of their IT systems last year. As part of ongoing efforts to strengthen the framework, IRDAI introduced the Information and Cyber Security Guidelines, 2023, replacing the previous 2017 guidelines. Additionally, in September 2023, it constituted a standing committee (reconstituted last month) to regularly review the threats inherent in existing or emerging technologies and suggest appropriate changes to the framework.
The latest circular also draws attention to certain specific provisions of the 2023 guidelines which regulated entities must strictly adhere to, including the requirement to report cyber incidents to IRDAI in the prescribed format within six hours of noticing, or being notified of, such incidents. To avoid conflicts of interest, the new circular states that the vendor handling the Security Operation Centre (SOC), attack surface monitoring, red teaming, annual assurance audits, or any other cyber security aspect of the regulated entity should not be engaged as the forensic auditor for the incident.
All regulated entities, including insurance intermediaries, have been advised to place compliance with these provisions at their Board Meetings and submit the minutes of the meeting to IRDAI.