IRDAI Takes Action: Two Insurers to Undergo IT System Audits
The Insurance Regulatory and Development Authority of India (IRDAI) has instructed two insurance companies to conduct comprehensive audits of their IT systems after concerns were raised over recent policyholder data breaches.
Without identifying the insurers involved, IRDAI emphasized that it takes incidents of data breaches seriously and remains committed to protecting policyholders’ interests. The regulator is working closely with the companies’ management to address potential vulnerabilities. It confirmed that regular updates are being obtained to ensure that necessary actions are being taken.
One of the insurers, Star Health Insurance, has recently acknowledged a data breach. The identity of the second insurer is not yet confirmed.
“There have been reports of data leaks from two insurers recently,” IRDAI said in an official statement. The regulator is closely monitoring the situation and is actively engaging with the affected companies to mitigate the threat and secure policyholder data.
IRDAI has required the insurers to appoint independent auditors for a thorough review of their IT infrastructure to ensure no further vulnerabilities exist. The aim is to confirm that the systems in place are capable of handling the complexities of their operations. In line with their protocols, the insurers reported the cyber incident to both the government and the IRDAI.
To contain the breach, the insurers have isolated the impacted IT systems and enlisted external cybersecurity firms to conduct root cause analyses. An initial audit identified weaknesses in the companies’ systems and outlined how the breach occurred. The insurers are now implementing a Containment, Eradication, and Recovery plan based on the audit findings.
The report also recommended system upgrades over immediate, short-term, and medium-term timelines, which are now underway to safeguard policyholder data. In addition, rectification of API vulnerabilities, gap assessments, vulnerability assessments, and penetration testing are in advanced stages.
Legal action is being pursued, with the affected insurers filing criminal complaints against the perpetrators and issuing legal notices to prevent the sale of stolen data on social media platforms.
IRDAI reiterated its stance on data security, urging all insurers to proactively examine their IT systems and address any potential weaknesses. The regulator has emphasized the critical importance of data security, noting that comprehensive cybersecurity guidelines are already in place to ensure that insurance companies maintain strong IT and cyber defenses.