IRDAI, in an advisory, has called upon all insurers to check their IT systems for vulnerabilities and take necessary steps to protect the policyholders’ data. The insurance regulatory body has said that insurers are required to follow cyber security guidelines and put in place robust IT and cyber security framework for carrying out their operations.

Recently in a major data breach that took place at Star Health Insurance, one of the country's largest health insurers, over 31 million customers' sensitive personal information was allegedly sold to hackers.

In its statement, IRDAI has said that it was closely monitoring the situation in case of the concerned insurers and was in touch with their management. Regular updates are being obtained to ensure that the policyholders’ data and interest are fully protected and the company is taking all steps to arrest the threat posed by this breach. The IRDAI will continue to engage with the insurance companies to ensure that the policyholders’ interests are fully protected.

“The concerned insurers have been instructed to appoint an independent auditor to undertake comprehensive audit of the company’s IT landscape.”

IRDAI has said that the concerned insurers have ring-fenced the impacted IT system by isolating it and at the same time appointed an external IT security company to undertake root cause analysis. The audit firm reported vulnerabilities in the company’s IT system and the methodology used by the threat actor to exploit the same which were acted upon by insurers. The Containment, Eradication and Recoverability plan as suggested by the audit firm are being implemented by the insurers.

The regulatory authority said that preventive steps outlined in the report are in the process of implementation to keep the policyholders’ data safe and secure. System upgrades over immediate, short and medium time period, will be acted upon by the insurers. The API vulnerabilities, gap assessment and VAPT Issues are at an advanced stage of rectification. The insurers have filed a criminal complaint with the law enforcement agencies against the threat actors. It served legal notice on the social media platform to prevent the threat actor from selling the policyholders' data.