Irdai Directs Insurance Companies to Create Social Media Guidelines for Employees

The Insurance Regulatory and Development Authority of India (Irdai) has issued a directive to all insurance companies, including foreign re-insurance branches (FRBs) and insurance intermediaries, to establish social media guidelines for their employees. The guidelines aim to prevent the spread of unverified or confidential information about the organization through social media channels.

Guidelines to Enhance Cyber Security in the Insurance Industry

Irdai's Information and Cyber Security Guidelines include a section focused on the "acceptable usage of social media." According to the guidelines, employees must avoid sharing any unverified or confidential information on "any Blogs/Chat forums/Discussion forums/Messenger sites/Social networking sites." They also urge employees to use social media in a way that adds value to the organization's business.

The guidelines require that any information received, accessed, or obtained by an employee, either in their official or personal mail or through other means, should be forwarded to the organization's compliance team and corporate communication team for prior approval before being disseminated or shared on any media forum.

Personal Use of Social Media and Cyber Security

Irdai's guidelines also emphasize that utilizing social media platforms to report service faults or file complaints is not appropriate. If an individual posts or communicates anything on the internet that suggests they are affiliated with an organization, they must include a clear and noticeable disclaimer such as 'the postings on this service are my own personal views and not those of organization and are not intended to be interpreted as such.'

The guidelines also stress that personal comments or critiques about an organization's business should not be made on personal websites or social networking platforms. Irdai emphasizes that an individual's personal image projected on social media affects their reputation and may affect the reputation of the organization.

Implementation of Information and Cyber Security Policy

Irdai's Information and Cyber Security Policy (ICSP) outlines the responsibilities and objectives for safeguarding critical data and information assets in a consistent and appropriate manner. The regulator believes that implementing this policy can mitigate the potential risks of unintentional or deliberate disclosure, modification, destruction, delay, or misuse of information assets.

The ICSP covers all insurance companies, including FRBs and insurance intermediaries under Irdai's regulation. Initially introduced in 2017 for insurers, these guidelines were later extended to cover all intermediaries in 2022. With the growing use of digital technologies and the consequent rise in cyber security incidents, the Irdai has updated the guidelines to help the insurance industry bolster its defences and establish a related governance mechanism to address the increasing cyber threats.