Irdai asks insurers to appoint data security officer by Apr 30

Insurance firms will have to mandatorily appoint a chief information security officer by April 30 whose main job would be ensuring data protection.

This is part of sector regulator Insurance Regulatory and Development Authority of India (Irdai) cyber security guidelines that will be implemented in series, the first phase of which begins on April 30 and complete a full circle by end-March 2018.

"By March 31, all insurance companies will have to appoint a Chief Information Security Officer (CISO) who will be responsible for articulating and enforcing the policies to protect their information assets and formation of Information Security Committee (ISC)," Irdai said in circular.

The guidelines entail data, applications, operating systems and network layers. Security audit and legal aspects on cyber security are other aspects of the guidelines.

Insurance firms who are in existence for less than three years, however, have been exempted from the requirement of a full-time appointment of a CISO.

However, they can give responsibility of CISO to any of the functionaries reporting to Board, Irdai said.

Data security is important and needs proper guard against theft and misuse as insurers and related entities share significant amount of personal and confidential policy holder information, at times even sensitive health-related ones, with third parties.