IRDA: Insurers' Cybersecurity Comes Up Short
Security Experts Weigh In on the Challenges Facing Organizations
Despite new guidance issued earlier this year, insurance companies in India are still falling short of meeting security standards, according to a notification from the Insurance Regulatory and Development Authority of India.
In April, the IRDA had issued guidelines on security best practices. But after six months, several insurance companies have yet to implement the suggested measures, the authority says.
Some security practitioners attribute the delay to a lack of understanding of the criticality of cybersecurity - and, in many cases, the lack of a CISO.
"Barring the top eight or nine firms, the smaller insurance companies have little understanding of the importance of cybersecurity," says a CISO of one insurance company who asked not to be named. "It's still a chicken-and-egg problem - either the board doesn't have enough budget for cybersecurity or, in case they have the budget, the understanding of how exactly a cybersecurity plan needs to be framed is [lacking]."
IRDA Scolds Insurers
In its notification to insurance companies, the IRDA says it has observed that "many of the insurers still have not finalized their gap analysis report, cyber crisis management plan and board approved information and cyber security policy. Ensuring that information and computer technology infrastructure of insurers are fully secured is of paramount importance."
The notification advises insurers to take immediate steps to conduct a security audit for their ICT infrastructures, including a vulnerability assessment and penetration tests, through CERT-IN empaneled auditors. "Identify the gaps and ensure that audit findings are rectified swiftly," the notification stresses. "Insurers are also requested to firm up their cyber crisis management plan for handling cyber incidents more effectively. In case CISOs have not yet been appointed ... they are advised to ensure that they are appointed immediately."
Where the Challenge Lies
When it comes to security, the insurance sector spends less than the banking sector, some security experts say.
"The insurance sector is not technology savvy, and having a CISO is not a priority for this sector like in banking," says a CISO from the industry who asked not to be named. "Even for CISOs, joining a bank is considered a better career move than getting into the insurance industry thanks to the visibility one gets in the former sector."
A lower pay scale for CISOs in the insurance sector also makes recruiting challenging, some observers say. "In order to attract CISOs from other sectors, one needs to shell out a huge sum of money," says the CISO from the industry. "Not all insurance firms have that kind of a budget set aside for cybersecurity."
Another CISO from the insurance sector, who requested anonymity, claims the real problem is that the insurance sector still views cybersecurity as an IT issue. "At a time when most industries have understood the problem of cybersecurity and how it is a business issue, we [the insurance sector] are still stuck in a time warp," this CISO says.
Some insurers lack a human resources team with the skills to prepare a proper job description for the CISO's role, says Lopa Mudraa Basuu, an enterprise security and risk governance expert. "The human resources team needs to take a cue from big consultant groups in carving out the job description for security professionals," Basuu says. "A CISO has to wear different caps - tech head, compliance head, people manager and a regulatory head. He or she should have the ability to collaborate with both internal and external stakeholders."
CISOs must be able to protect enterprise assets as well as advise business leaders on the importance of security, security practitioners say. "Organizations should source a leader who can articulate information security and privacy-related technical issues in a nonthreatening and clear/actionable manner to nontechnical leadership and get the necessary budgets to put an effective cyber crisis plan in place," says another CISO from the insurance industry who asked not to be identified.
Cyber Crisis Management
Security experts advise companies still drafting a cyber crisis management plan to ensure that they incorporate key elements like threat intelligence services; forensic investigation and collaboration with key stakeholders; root cause analysis; and breach detection, response, recovery and containment.
Many companies in the insurance sector also still lack a separate incident response committee or an IT response committee, some observers say.