Irdai asks insurers to check vulnerabilities in IT systems, take measures

Following data leaks from insurance, the Insurance Regulatory and Development Authority of India (Irdai) has issued an advisory to all insurance companies asking them to check their Information Technology (IT) systems for vulnerabilities and take steps to protect policyholders’ data.

The insurance regulator said in a statement, “There have been reports of data leaks from two insurers recently. 

At the outset, it is stated that the Irdai considers data security as very important and takes data breach, cyber-attacks on IT systems of insurance companies, etc very seriously.”
 

Recently, there was a data breach at Star Health & Allied Insurance’s servers and reportedly sensitive data of 31 million customers were put up for sale on the messaging platform Telegram amounting to an estimated 7.24 terabytes.   
 

The leaked information included names, addresses, phone numbers, tax details, and even medical records of the policyholders.  Irdai said that it is closely monitoring the situation in case of the concerned insurers and has been in touch with their management and has been obtaining regular updates to ensure that the policyholders’ data and interest are fully protected and the company is taking all steps to arrest the threat posed by this breach.  
 

It has also asked the concerned insurance companies to appoint an independent auditor to undertake a comprehensive audit of the company’s IT landscape with the aim that there are no vulnerabilities and the IT system is adequate to meet the scale and complexities of their operations. 

The insurance companies have reported the cyber incident to Irdai and government and they have also ring fenced the impacted IT system by isolating it and have filed a criminal complaint with the law enforcement agencies against the threat actors. It has served legal notice on the social media platform to prevent the threat actor from selling the policyholders data. The concerned insurers have also appointed an external IT security company to conduct a root cause analysis.
 

This audit firm reported vulnerabilities in the company’s IT system and the methodology used by the threat actor to exploit the same which were acted upon by insurers. The Containment, Eradication and Recoverability plan as suggested by the audit firm are being implemented by the insurers.
 

The audit firm has also outlined certain preventive steps which are in the process of implementation to keep the policyholders’ data safe and secure. System upgrades over immediate, short and medium time periods, will be acted upon by the insurers. The API vulnerabilities, Gap assessment and VAPT (Vulnerability Assessment and Penetration Testing) issues are at an advanced stage of rectification.