Reporting of Cyber Security Incidents by Regulated Entities
- Reference is drawn to para 3.5 ‘Notification to Regulatory Authorities’ under policy no. 2.10 ‘Incident and Problem Management’ in IRDAI Information and Cyber Security Guidelines, 2023 dated 24th Apr, 2023, wherein it is stated that “Organization shall mandatorily report cyber incidents to Cert-In within 6 hours of noticing or being brought to notice about such incidents with a copy to IRDAI and other concerned regulators / authorities.”
- In this connection, it is observed that the Regulated Entities are not adhering to the above-mentioned timelines and are also not keeping the Authority in the loop in their communications to Cert-In.
- In view of the above, all Regulated Entities are directed to scrupulously follow the provisions regarding reporting of incidents to IRDAI and Cert-In. Further, Regulated Entities are required to submit available details of the Cyber Security Incident to the Authority in the enclosed format within 24 hrs of intimation of the incident.
- Further, the details in the reporting format need to be updated with the flow of information from the forensic analysis, as and when obtained, and submitted to the Authority as subsequent version(s) within 24 hrs of such information being made available.