Insurance Regulatory & Development Authority (IRDAI) issued a circular on 13th June 2023, addressing all regulated entities. This circular, IRDAI/GA&HR/CIR/MISC/128/06/2023, brings attention to the reporting process of cyber security incidents, urging compliance with the guidelines provided under policy no. 2.10 ‘Incident and Problem Management’ in the IRDAI Information and Cyber Security Guidelines, 2023.
The IRDAI circular emphasizes the significance of timely reporting of cyber security incidents. According to the guidelines, regulated entities must report any cyber incidents to Cert-In within six hours of detection. The circular underscores the lack of adherence to these reporting protocols, specifically the failure to include the Authority in communications to Cert-In.
In response to these findings, the IRDAI has reiterated the need for regulated entities to strictly follow the provisions regarding reporting of incidents. A new requirement has also been introduced, mandating regulated entities to submit available details of Cyber Security Incidents to the Authority within 24 hours of incident intimation. Moreover, these details must be updated with subsequent forensic analysis findings, if any, and submitted to the Authority within 24 hours of information availability.
Insurance Regulatory & Development Authority
Circular Ref: IRDAI/GA&HR/CIR/MISC/128/06/2023
All Regulated Entities
Subject: Reporting of Cyber Security Incidents by Regulated Entities
1. Reference is drawn to para 3.5 ‘Notification to Regulatory Authorities’ under policy no. 2.10 ‘Incident and Problem Management’ in IRDAI Information and Cyber Security Guidelines, 2023 dated 24th Apr, 2023, wherein it is stated that “Organization shall mandatorily report cyber-incidents to Cert-In within 6 hours of noticing or being brought to notice about such incidents with a copy to IRDAI and other concerned regulators / authorities.”
2. In this connection, it is observed that the Regulatory Entities are not adhering to the above mentioned timelines and also not keeping the Authority in loop in their communications to Cert-In.
3. In view of the above, all Regulated Entities are directed to scrupulously follow the provisions regarding reporting of incident to IRDAI and Cert-In. Further, Regulated Entities are required to submit available details of Cyber Security Incident to the Authority in an enclosed format within 24 hrs of intimation of the incident.
4. Further, the details in the reporting format needs to be updated with flow of information from the forensic analysis as and when obtained and submitted to the Authority as subsequent version(s) within 24 hrs of such information being made available.