Page 57 - The Insurance Times April 2025
IRDAI Corner
Regarding Cyber Incident or Crisis Preparedness

March 24, 2025

1. In today's digital age, any cyber incident and / or crisis poses significant threats to organizations, and therefore it is crucial to be prepared to respond effectively to prevent or minimize damage to information assets, including customer data, and ensure business continuity.

2. In this connection, attention is invited to various provisions of IRDAI Information and Cyber Security Guidelines, 2023, with respect to the captioned subject:

a) Para 3.5 under Policy no. 2.10 and IRDAI circular ref: IRDAI/GA&HR/CIR/MISC/128/06/2023 dated 13/06/2023 i.e. Regulated Entities (REs) to report any cyber incidents to IRDAI in prescribed format within 6 hours of noticing or being brought to notice about such incidents;

b) Para 3.3 under Policy no. 2.16 i.e. Monitoring, Logging and Assessment Para:

I. all ICT infrastructure and application logs are to be maintained and monitored for a rolling period of 180 days;

II. the clocks of all relevant information processing systems within Organization or security domain shall be synchronized with Network Time Protocol (NTP) Server of National Informatics Centre (NIC) or National Physical Laboratory (NPL) or with NTP Servers traceable to these NTP Servers.

c) Para 3.3 under Policy no. 2.18 i.e. Situational Awareness provides for Cyber Crisis Management Plan (CCMP) as a part of organisation's response for cyber-attacks;

d) Para 3.4 under Policy no. 2.20 i.e. Cyber Resilience provides for performing forensic investigation for severe information security incidents. One of the functions of CISO also provides engagement of external forensic experts who are certified as well as competent for the job as and when required.

e) Para 1.10 under General Guidelines provided that Regulated Entities shall adhere to directions issued by CERT-In from time to time including relating to Incident Reporting to the CERT-In as per CERT-In direction dated 28th April 2022 on information security practices, procedure, prevention, response and reporting of cyber incidents for Safe & Trusted Internet.

3. It is once again re-iterated that all Regulated Entities must strictly adhere to the above provisions on cyber incident/crisis preparedness to ensure effective readiness.

4. In addition to the above, all Regulated Entities are required to establish a well-defined procedure / practice to ensure that the forensic auditor/s are empanelled in advance and can be onboarded to conduct forensics and root cause analysis of cyber incident/s without any delay.

5. Furthermore, it must be ensured that the vendor handling Security Operation Centre (SOC), attack surface monitoring, Red teaming, or conducting the annual assurance audit or any cyber security aspect of Regulated Entity is not engaged as the forensic auditor for the incident to avoid a conflict of interest.

6. All Regulated Entities, including insurance intermediaries are advised to place compliance to the above provisions to their Board in the ensuing Board Meeting and submit the minutes of the meeting to the Authority for information.

Exposure to Forward Contracts in Government Securities (Bond Forwards).

10th March, 2025

1. As per para 1.8 a (A) of Chapter 3 of the Master Circular on IRDAI (Actuarial, Finance and Investment Functions of Insurers) Regulations, 2024 insurers are allowed as users with following types of Rupee Interest Rate Derivatives to hedge the interest rate risk:

i. Forward Rate Agreements (FRAs);

ii. Interest Rate Swaps (IRS) and

iii. Exchange Traded Interest Rate Futures (IRF).

2. RBI has recently issued Reserve Bank of India (Forward