IRDAI issues new amendments to the Guidelines on Information and Cyber Security for Insurers

IRDAI, vide Circular dated 30.12.2020, has issued amendments to the Guidelines on Information and Cyber Security for Insurers. The amendment provides a new procedure for conducting Vulnerability Assessment and Penetration Testing (VAPT), which includes the following requirements:

  • VA&PT of all ICT infrastructure components should be conducted annually, in every financial year.
  • Every VA&PT shall have two test cycles: one at the beginning of the VA&PT, to identify gaps and check for known vulnerabilities, and a retest after closure of the vulnerabilities identified.
  • VA&PT of critical applications should be conducted annually, in every financial year. The remaining applications should be tested once in a two-year cycle.
  • VA&PT of all internet-facing applications and infrastructure components should be conducted at least once every six months.
  • An assessment of the need for security testing should be conducted whenever any change is made to any internet-facing application or to any infrastructure component, irrespective of the magnitude of the change.
  • Mandatory security testing should be conducted on all applications and related infrastructure components to check for known vulnerabilities, once initially and again whenever major changes are made to internet-facing applications and related infrastructure components. All internet-facing applications should, however, be tested for all major and minor changes, either through internal or external VA, and any gap found must be closed.
  • The cycle of the above security tests should be aligned with the annual assurance audit.
