Insurance regulator IRDAI has asked insurance companies to identify new-age cyber frauds and implement appropriate controls to prevent such threats, amid rising cyber risks.
Recently, Star Health and Allied Insurance saw a major cyberattack, compromising policyholders’ data. Hackers reportedly demanded $68,000 in exchange for not leaking confidential information of the policyholders.
The IRDAI has come out with draft guidelines after reviewing the existing ones. It has asked insurance companies to undertake annual comprehensive risk assessments and identify red flag indicators for fraud detection.
The regulator has observed a substantial change in the nature and intensity of fraud in recent years, requiring a review of the framework, and has sought comments and suggestions from stakeholders on the draft by November 13, 2024.
“Personal information such as KYC details, financial details and medical records are highly coveted by cybercriminals, who exploit vulnerabilities in security defences to gain unauthorised access to these sensitive data available with insurers or distribution channels,” said the IRDAI in its draft guidelines.
“The insurer shall establish a robust cybersecurity framework and implement appropriate controls to strengthen their defences against evolving cyber frauds or threats,” the draft guidelines said.
“Insurers shall ensure that systems or processes used for fraud risk identification, detection, prevention, mitigation, monitoring such as incident database are continuously monitored and strengthened,” the guidelines added.
The draft also requires insurers to verify customer information before accepting a proposal, to prevent identity fraud; to apply enhanced verification mechanisms in areas with a high incidence of fraud; and to grant access rights to employees and vendors according to the principle of least privilege, with those rights monitored on an ongoing basis.
Insurance company officials said the regulator has already issued an advisory to all insurers to check their IT systems for vulnerabilities and take steps to protect policyholders’ data.
The draft guidelines classify fraud broadly into four categories: internal fraud, distribution channel fraud, claims fraud and external fraud. They ask insurance companies to put in place anti-fraud policies and to set up monitoring committees and units to oversee fraud deterrence, prevention, detection, monitoring, investigation and reporting.
The draft guidelines also ask the Insurance Information Bureau to maintain a caution repository of blacklisted agents, distribution channels, hospitals and third-party administrators.