Data Leak Concerns: Irdai Orders IT Audits for Insurers

New Delhi, Oct 21 (PTI) Insurance regulator Irdai has directed two insurers to carry out audits of their IT systems following concerns over the recent instances of policyholders' data leaks.

The regulator is also in touch with their management to address the vulnerabilities.

Without naming the insurers, the Insurance Regulatory and Development Authority of India (Irdai) said it takes data breaches very seriously and asserted that it will continue to engage with the companies to ensure that the policyholders' interests are fully protected.

Star Health Insurance had recently admitted data breach. The name of the second insurer could not be immediately ascertained.

"There have been reports of data leaks from two Insurers recently," the regulator said.

In a release, the Irdai said it is closely monitoring the situation in the case of the concerned insurers and has been in touch with their management.

Regular updates are being obtained to ensure that the policyholders' data and interests are fully protected and the company is taking all steps to arrest the threat posed by this breach, the regulator said.

Irdai said it will continue to engage with the insurance companies to ensure that the policyholders' interests are fully protected.

"The concerned insurers have been instructed to appoint an independent auditor to undertake a comprehensive audit of the company's IT landscape with the aim that there are no vulnerabilities and the IT system are adequate to meet the scale and complexities of their operations," the release said.

As part of the standard operating procedures of the concerned insurers, they reported the cyber incident to the government and Irdai, it added.

It also said the concerned insurers have ring-fenced the impacted IT system by isolating it and at the same time, appointed an external IT security company to undertake root cause analysis.

"The audit firm reported vulnerabilities in the company's IT system and the methodology used by the threat actor to exploit the same, which were acted upon by insurers. The Containment, Eradication and Recoverability plan as suggested by the audit firm is being implemented by the insurers," Irdai said.

Further preventive steps outlined in the report are in the process of implementation to keep the policyholders' data safe and secure. System upgrades over immediate, short and medium periods, will be acted upon by the insurers, Irdai said.

Also, the application programming interface (API) vulnerabilities, gap assessment, vulnerabilities assessment and penetration testing issues are at an advanced stage of rectification.

"The insurers have filed a criminal complaint with the law enforcement agencies against the threat actors. It served legal notice on the social media platform to prevent the threat actor from selling the policyholders' data," the regulator said.

Further, Irdai has issued an advisory to all insurers to check their IT systems for vulnerabilities and take necessary steps to protect the policyholders' data.

The regulator said it considers data security as very important and takes data breaches, cyber-attacks on IT systems of insurance companies, etc very seriously.

Cyber security guidelines for insurance companies are in place, which require insurers to put in place robust IT and cyber security frameworks for carrying out their operations, it added.