Page 53 - Life Insurance Today July - December 2020
3. Initiate immediate action to ensure that all reported claims are registered and eligible claims are settled expeditiously.

4. With regard to claims involving loss of life, where difficulty is experienced in obtaining a death certificate due to non-recovery of body etc., the process followed in the case of Chennai floods in 2015 may be considered.

5. A suitably simplified process/procedure including relaxations in the usual requirements wherever feasible may be considered to expedite claims settlement.

6. Details of offices/special camps set up for the purpose may be publicized in the press, electronic media etc. to enable immediate filing of claims. Details of such publicity activities may be sent to the Authority, immediately.

7. With a view to limit the fallout of the Novel Corona Virus (COVID-19) pandemic and limiting direct/indirect social contact, all the Life Insurers are advised to encourage and motivate their policyholders/claimants to adopt e-modes, wherever possible for correspondence while intimating the claim and the procedure for filing all the relevant documents.

8. If Policyholders/claimants are coming to office, Insurers should follow the government directions regarding maintaining social distancing and proper sanitization. The staff must be duly sensitized to deal with policyholders/claimants with empathy and concern.

9. The State-wise Progress report & consolidated report on the claims settled shall be submitted to hemant.mourya@irdai.gov.in and life@irda.gov.in on a weekly basis before 12.00 PM (first such report to be received on 3rd Nov. 2020). PMJJBY claims data need to be submitted separately while including the same in total claims. The format for data to be submitted state wise and consolidated data for all states is given in Annexure-I.

This has the approval of the Competent Authority

Chief General Manager (Life Insurance)

Amendments to the Guidelines on Information and Cyber Security for Insurers dated 07.04.2017

IRDA/IT/CIR/MISC/301/12/2020
Date: 30-12-2020

IRDAI vide its Ref. No: IRDA/IT/GDL/MISC/082/04/2017 dated 07-4-2017 had issued Information and Cyber Security Guidelines containing comprehensive cyber security framework for Insurance sector for the purpose of implementing appropriate mechanism to mitigate cyber risks.

Based on the review of the compliance process for cyber security by insurers and their subsequent feedback, the following sections of guidelines are amended as below.

14. Platform/Infrastructure Security.

As per the action point 14.1 of the Guidelines, the Vulnerability Assessment and Penetration Testing (VAPT) on the entire ICT infrastructure should be conducted by the insurers on a periodic basis. Also, VA & PT has to be conducted on the software applications whenever there are changes in the configurations / applications.

In order to streamline the security assessment process, the following sub sections are added to Section 14.

14.3 Procedure for conducting VA&PT

(a) VA&PT of the entire ICT infrastructure components should be conducted annually in every financial year.

(b) Every VA&PT shall have two test cycles one at the beginning of VA&PT for identification of gaps and to check for known vulnerabilities, and a retesting post closure of vulnerabilities identified.

(c) VA&PT of critical applications should be conducted annually in every financial year. The remaining applications should be conducted once in a two-year cycle.

(d) VA&PT of all internet facing applications and Infrastructure components should be conducted at least once in a six months.

(e) An assessment of the need for security testing should be conducted whenever any change is made to any internet facing applications or to any infrastructure component irrespective of the magnitude of change.

(f) Mandatory security testing should be conducted in case of all applications and related infrastructure components so as to check for known vulnerabilities once initially and again whenever major changes in internet facing applications and related infrastructure components take place. However, all Internet facing applications should be tested for all major and minor changes either through internal or external VA, and any gap found must be closed.

(g) The Cycle of the above security testings should be aligned with Annual assurance audit.