IRDAI: Insurers Must Have a CISO and Cybersecurity Plan
Security Leaders Are Sceptical About Meeting the Deadline
The Insurance Regulatory and Development Authority of India is requiring all insurance companies to appoint a full-time CISO by April 30 and to formulate an effective cyber crisis management plan by June 30.
The requirements are part of IRDAI's new information and cybersecurity guidelines for insurers, issued recently under Subsection (1) of Section 14 of the IRDA Act 1999, which will be implemented in a series of steps through March 2018. The announcement on appointing CISOs came on April 7 (see: IRDAI Floats Draft Cybersec Framework for Insurers).
Security experts say many insurance companies will have trouble meeting IRDAI's deadline because finding a CISO with the required skill set in such a short span is a big challenge. They also argue that defining a cybersecurity crisis management plan is difficult.
"The deadlines are surely aggressive, and on top of it, most organizations have already completed their annual planning and budgeting cycle, and appointing a CISO in such a short span is unlikely," says Mumbai-based Sharad N. Sadadekar, CISO and vice president at HDFC Life.
The CISO Designate
The IRDAI directive states that every insurance organization shall appoint a suitably qualified and experienced senior level officer exclusively as CISO who will be responsible for articulating and enforcing the policies that the organization uses to protect their information assets, and coordinating the security-related issues/implementation within the organization, as well as relevant external agencies.
The CISO needs to report directly to the head of risk management and will have a working relationship with the CIO to help understand the IT infrastructure and operations and build effective security in IT across the organization in support of business requirements and objectives.
The CISO must also convene an information security committee that reports to the risk management committee of the board at least four times in a year.
Although the announcement wasn't unexpected, security practitioners feel that the insurance industry hasn't matured enough to incorporate all these changes.
A practitioner from one of the leading insurance companies in India, who requested anonymity, says most insurance companies do not have budgets to hire a CISO. "The insurance sector is not technology savvy, and having a CISO is not a priority for this sector like in banking," he says.
Many security leaders say finding CISOs with the right qualifications to take a hands-on approach is challenging.
IRDAI is requiring that insurance companies have a CISO who:
- Proposes information and cybersecurity policy to the Insurance Standing Committee, incorporates feedback on the implications of the policy from the ISC and other business areas into the policy-making process;
- Is responsible for providing advice and specialist support to management and information users in the implementation of information and cybersecurity policy;
- Builds and leads the information security team with appropriate competencies and attitude to deliver the information security program;
- Promotes user awareness initiatives within the organization.
Sadadekar suggests insurers need to build the right culture to ensure the CISO can succeed. "While the insurance sector may not implement controls with the same rigor as the banking industry, it's time insurers harmonize and cultivate an environment in which a structured, orderly response outperforms a cybersecurity breach," Sadadekar says.
Lopa Mudraa Basuu, former head of enterprise security & risk governance at SLK Global, believes insurers who still haven't appointed a CISO aren't serious about having one in this sector, that they either cannot afford one or can't find the right talent. "There isn't any doubt that the role of a CISO is very demanding and highly specialized," she says.
Most organizations lack security skill sets and understanding. The human resources team often lacks the know-how to write a proper job description for the CISO role. "The human resources team needs to take a cue from big consultant groups in carving out the job description for security professionals," Basuu says.
The other major hurdle for the insurance sector is that it pays lower salaries for CISOs than the banking sector, say the experts.
Cybersecurity Crisis Management
One key role for insurance company CISOs is to understand the various business functions of the organization to develop a cyber crisis management plan. They need to develop the plan considering that cyber risk is different from other risks.
The cyber crisis management plan should incorporate key functions, including threat intelligence services, forensic investigation, collaboration with key stakeholders, root cause analysis, detection, response, recovery and containment, that together help build sound cyber defences.
"A CISO has to wear different caps - tech head, compliance head, people manager, and a regulatory head," Basuu says. "He or she should have the ability to collaborate with both internal and external stakeholders."
Sadadekar says CISOs must be able to protect enterprise assets as well as advise business leaders on the importance of security. "Organizations should source a leader who can articulate information security and privacy-related technical issues in a non-threatening and clear/actionable manner to non-technical leadership and get the necessary budgets to put an effective cyber crisis plan in place," he says.