The IRDAI has issued an advisory to all insurers to check their IT systems for vulnerabilities and take necessary steps to protect the policyholders' data.
The IRDAI says that it considers data security as very important and takes data breaches, cyber-attacks on IT systems of insurance companies, etc very seriously.
The advisory follows reports of data leaks at two insurers recently. Although the IRDAI did not name the insurers, one of them is widely believed to be the standalone health insurer, Star Health.
The IRDAI is closely monitoring the situation in the case of the concerned insurers and has been in touch with their management. Regular updates are being obtained to ensure that the policyholders’ data and interests are fully protected and the company is taking all steps to arrest the threat posed by this breach. The IRDAI will continue to engage with the insurance companies to ensure that the policyholders’ interests are fully protected.
Audit
The concerned insurers have also been instructed to appoint an independent auditor to undertake a comprehensive audit of the company’s IT landscape to check that there are no vulnerabilities and that the IT system is adequate to meet the scale and complexities of their operations.
As part of the standard operating procedures of the concerned insurers, they reported the cyber incident to the government and IRDAI. The concerned insurers have ring-fenced the impacted IT system by isolating it and at the same time appointed an external IT security company to undertake root cause analysis. The audit firm reported vulnerabilities in the company’s IT system and the methodology used by the threat actor to exploit the same which were acted upon by insurers.
The Containment, Eradication and Recoverability Plan as suggested by the audit firm is being implemented by the insurers. Further preventive steps outlined in the report are in the process of implementation to keep the policyholders’ data safe and secure. System upgrades over immediate, short, and medium time periods, will be acted upon by the insurers. The API vulnerabilities, gap assessment, and VAPT Issues are at an advanced stage of rectification.
The insurers have filed a criminal complaint with the law enforcement agencies against the threat actors. It served legal notice on the social media platform to prevent the threat actor from selling the policyholders' data.