As cyber criminals gain sophistication, insurance companies have built a multi-layered line of defence to protect customer data and savings, writes Sanhita Katyal of Axis Max Life Insurance
As paper statements and branch visits get replaced by digital dashboards and mobile apps for customers, the trade-off is a simultaneous introduction of new, critical risks around security and unauthorised access of personal data.
In the life insurance sector, safeguarding the financial future of customers begins with safeguarding their data. Regulators across the world highlight in cyber-risk advisories that data is not simply an operational asset, but a fiduciary responsibility of insurers.
In tandem, the role of in-house legal and compliance officers at life insurance companies has evolved significantly in the past decade, particularly in an environment where digital transformation, heightened regulatory scrutiny and data-driven business models intersect.
Today, this function plays a critical role in interpreting and operationalising laws including the Digital Personal Data Protection Act, 2023, sector-specific Insurance Regulatory and Development Authority of India (IRDAI) regulations, and global data protection norms where cross-border processing is involved.
They guide business and technology teams on lawful data collection, purpose limitation, consent mechanisms and data retention practices. Importantly, they help balance statutory, regulatory and legal risks with commercial objectives, ensuring that customer-centric digital initiatives are compliant by design. In addition, they co-ordinate breach response, oversee disclosures, and ensure that remedial actions are sound and defensible.
Evolving threats
Life insurers hold vast volumes of personal information: policy numbers, medical histories, nominee details and financial data. Legal fiduciaries have underscored the importance of India's Digital Personal Data Protection Act, 2023. It is universally recognised that such data is a prime target for cybercriminals.
Cybercriminals can exploit insurance and retirement savings data in multiple, often sophisticated ways. At a basic level, stolen personal and financial information can be used for identity theft, fraudulent policy loans, unauthorised withdrawals or beneficiary changes, and sham claims, directly impacting customers’ long-term savings.
Medical and health data is also particularly sensitive and commands a high price on the dark web, exposing individuals to discrimination, blackmail or reputational harm.
Beyond direct customer harm, such data can be weaponised for large-scale social engineering attacks. Detailed personal information allows fraudsters to craft highly convincing phishing attempts impersonating insurers, relationship managers or even regulators.
In extreme cases, compromised data sets are combined with artificial intelligence tools to automate fraud or generate deepfake communications that are increasingly hard to detect.
From an institutional perspective, data breaches erode customer trust, invite regulatory penalties and expose insurers to litigation. In the context of retirement savings, where relationships span decades, the misuse of data can have long-lasting financial and emotional consequences. This amplifies the obligation on insurers to treat data security as an integral part of protecting customer wealth.
The threat landscape is constantly evolving. Yesterday’s isolated phishing attack is today’s multi-layered, AI-enabled intrusion. Insurers are defending not just against opportunists but against well-organised and funded actors intent on breaching secure systems that underpin customers’ financial security. For long-term savings, the stakes are exponentially higher, as the amounts involved could be significantly large in individual cases.
Even the insurance regulator is sharpening its expectations around cyber resilience, breach reporting and vendor oversight. Over the years, the IRDAI has steadily strengthened its regulatory framework to address cyber and information security risks in the insurance sector. Through its Information and Cyber Security Guidelines, outsourcing norms and corporate governance requirements, the regulator has made it clear that data security is a board-level responsibility and not merely a technical issue.
Insurers are now expected to adopt a risk-based approach to cybersecurity, with clearly defined governance structures, periodic vulnerability assessments and penetration testing, and robust incident response mechanisms. To foster trust and transparency across the industry, the IRDAI has also emphasised timely reporting of cyber incidents and data breaches.
Importantly, the IRDAI’s focus extends to third-party and outsourced service providers, recognising that a significant portion of digital risk originates outside the organisation’s direct perimeter. Insurers are required to conduct due diligence, ensure contractual safeguards, and monitor vendors on an ongoing basis.
Recently, through amendment of its cybersecurity guidelines for insurers, the IRDAI has mandated: inclusion of an independent IT or cybersecurity expert; increased frequency of deliberations of information security risk management committees; and reporting of non-conformities appearing through annual cybersecurity audit to the board. This regulatory push signals a shift from compliance as a one-time exercise to cyber resilience as a continuous process embedded in business operations.
Industry endeavours
Drawing on best practices advocated by some top-tier law firms in India, large insurers have built a multi-layered security framework that is proactive rather than reactive. They carry out:
Board-level governance. Board approval and periodic review of an insurer's information and cybersecurity policy and IT framework ensure that an effective governance structure is in place.
Organisation-wide accountability. All business functions, not just IT, are accountable for controls and breaches. Accountability in data security is ensured through a combination of governance mechanisms, internal controls and cultural interventions.
At the structural level, clear ownership is assigned for data and systems, with defined roles for business heads, technology teams, compliance and risk management. Many insurers designate senior management responsibility for cybersecurity, ensuring that accountability flows from the top.
At the operational level, policies and standard operating procedures translate regulatory expectations into everyday practices. Access controls, maker-checker frameworks, audit trails and segregation of duties reduce the scope for misuse or error. Regular internal audits and compliance reviews test the effectiveness of these controls and identify gaps before they escalate into incidents.
Equally important is behavioural accountability. Performance metrics, training programmes and disciplinary frameworks reinforce that data protection is everyone's responsibility. Employees are encouraged to report vulnerabilities or suspicious activity without fear of reprisal. This holistic approach ensures that accountability is not confined to documentation but embedded in the organisation's decision-making ethos.
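The maker-checker, segregation-of-duties and audit-trail controls named above can be shown concretely. The following is an added example, not code from the article or from any insurer's systems: a small Python service in which one user proposes a sensitive policy change (here a nominee change), a different user must approve it, and every action is written to a hash-chained, append-only audit log. The role directory, user names, policy numbers and request ids are constructed sample values; the `ROLES` table stands in for whatever identity and entitlement system a real insurer uses.

```python
"""Added example: maker-checker with segregation of duties and an audit trail.
All names, roles and policy numbers below are constructed sample data."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional
import hashlib
import json

# Constructed role directory (assumption: stands in for a real entitlement system).
# A person may hold both roles, but never act as both for the same request.
ROLES = {
    "alice": {"maker"},
    "bob": {"checker"},
    "carol": {"maker", "checker"},
}


@dataclass
class ChangeRequest:
    request_id: str
    policy_no: str
    field: str
    old_value: str
    new_value: str
    maker: str
    checker: Optional[str] = None
    status: str = "pending"  # pending | approved | rejected


class AuditTrail:
    """Append-only log where each entry commits to the hash of the previous one,
    so editing or deleting an earlier entry is detectable by verify()."""

    def __init__(self):
        self.entries = []

    def record(self, actor, action, request_id, detail=""):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        entry = {
            "ts": datetime.now(timezone.utc).isoformat(),
            "actor": actor, "action": action,
            "request_id": request_id, "detail": detail, "prev": prev,
        }
        entry["hash"] = hashlib.sha256(
            json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.entries.append(entry)

    def verify(self):
        """Return True only if every entry's hash and back-link are intact."""
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            expected = hashlib.sha256(
                json.dumps(body, sort_keys=True).encode()).hexdigest()
            if body["prev"] != prev or expected != e["hash"]:
                return False
            prev = e["hash"]
        return True


class MakerCheckerService:
    def __init__(self, audit: AuditTrail):
        self.audit = audit
        self.requests = {}
        self._seq = 0

    def propose(self, maker, policy_no, field, old_value, new_value):
        if "maker" not in ROLES.get(maker, set()):
            self.audit.record(maker, "propose_denied", "-", "not a maker")
            raise PermissionError(f"{maker} is not authorised to propose changes")
        self._seq += 1
        rid = f"REQ-{self._seq:04d}"
        req = ChangeRequest(rid, policy_no, field, old_value, new_value, maker)
        self.requests[rid] = req
        self.audit.record(maker, "propose", rid, f"{field}: {old_value} -> {new_value}")
        return req

    def decide(self, checker, request_id, approve):
        req = self.requests[request_id]
        if "checker" not in ROLES.get(checker, set()):
            self.audit.record(checker, "decide_denied", request_id, "not a checker")
            raise PermissionError(f"{checker} is not authorised to approve changes")
        # Segregation of duties: the maker of a request can never be its checker,
        # even when that person holds the checker role for other requests.
        if checker == req.maker:
            self.audit.record(checker, "decide_denied", request_id, "maker == checker")
            raise PermissionError("maker and checker must be different people")
        if req.status != "pending":
            raise ValueError(f"{request_id} is already {req.status}")
        req.checker = checker
        req.status = "approved" if approve else "rejected"
        self.audit.record(checker, req.status, request_id)
        return req


if __name__ == "__main__":
    audit = AuditTrail()
    svc = MakerCheckerService(audit)
    r = svc.propose("alice", "POL-0001", "nominee", "R. Sharma", "S. Verma")
    svc.decide("bob", r.request_id, approve=True)
    print(r.status, "audit intact:", audit.verify())
```

The denied attempts are logged as well as the successful ones, which is what an internal audit needs to reconstruct who tried what; the hash chain is a lightweight stand-in for the tamper-evident logging that a production system would delegate to write-once storage or a SIEM.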
Specifically, the following controls and practices underscore the focus on cybersecurity at the insurers’ end:
Data privacy practices. Robust security practices like data classification, protection of personally identifiable information (PII), state-of-the-art encryption for all customer data, and monitoring of social media disclosures reinforce commitment to data protection.
Continuous monitoring. IT systems are under constant surveillance, using advanced analytics and AI tools to detect and neutralise threats in real time. Much like the systems recommended by top UK and Indian law firms for regulated sectors, the aim is to identify and contain risks before they escalate.
Employee training. Employees are active guardians of customer trust. Mandatory training for all employees embeds a culture where employees understand their role in maintaining data security.
Third-party oversight. Technology partners undergo rigorous vetting in line with the regulator’s mandate. A zero-tolerance approach should be followed for vendors who do not meet security standards.
Independent validation. Annual independent audit, with findings reported to the audit committee or board, reflects external assurance on data security measures adopted.
Incident reporting. Speedy reporting of cyber incidents, if any, to the IRDAI and India's computer emergency response team, CERT-In, ensures transparency.
While insurers work to provide a secure digital environment, customers also have a vital role and are encouraged to adopt best practices such as using strong, unique passwords, enabling two-factor authentication, and exercising caution with unsolicited emails. Consumer awareness and participation are essential in making any security framework effective.
Regulation and trust
The regulatory environment in India is converging with global norms. The Digital Personal Data Protection Act, 2023, and IRDAI Information and Cyber Security Guidelines, 2023, emphasise informed consent, data minimisation and robust safeguards as guiding principles that mirror the EU’s General Data Protection Regulation and UK Financial Conduct Authority digital oversight frameworks.
For life insurers, compliance with these rules is not enough. Security and privacy must be embedded into every product design, system upgrade and customer interaction. The approach of large insurers is usually to anticipate risks and build defences before they arise.
Takeaway
The job of life insurers, and particularly of their compliance and governance leaders, is to ensure that every digital innovation is underpinned by security, resilience and accountability.
Combining robust internal measures, industry-leading partnerships and customer education can ensure that the retirement savings of millions remain secure in an increasingly connected world.
Sanhita Katyal is chief compliance officer at Axis Max Life Insurance