Urgent: CERSAI Limits CKYC API Access Amid Rising Security Concerns

Background

In light of recent developments, the Insurance Regulatory and Development Authority of India (IRDAI) has issued crucial advisories concerning the security of KYC data access via APIs. The directives, referenced in IRDAI/IT/MISC/AD/136/10/2024 dated 29/10/2024 and IRDAI/IT/MISC/AD/148/11/2024 dated 25/11/2024, focus on preventing unauthorized access to KYC data maintained at CKYC and KRA through insurers’ web portals.

Following a detailed presentation by CERSAI to all insurers on 29/11/2024, several immediate cybersecurity measures were outlined to mitigate risks associated with IT systems accessing the CERSAI portal. Insurers were advised to address these gaps promptly to avoid revocation of their access to CERSAI KYC data.

CERSAI Limits CKYC API Access

Despite these efforts, persistent vulnerabilities related to API access to CKYC data have been observed, alongside an increasing number of complaints regarding unauthorized access. Consequently, CERSAI has implemented restrictions on CKYC access via APIs, although access through SFTP and other modes remains available for insurers.

To restore CKYCRR access through API, insurers must now comply with the following requirements:

1. VAPT Certificate: Obtain a Vulnerability Assessment and Penetration Testing (VAPT) certificate issued within the last six months by an external CERT-In empaneled auditor.

2. API Security Assessment Certificate: Provide the latest API Security Assessment Certificate from an external CERT-In empaneled firm.

3. Malware and Security Risks Certificate: Ensure the infrastructure and applications integrated with CKYCRR are free from malware and security risks, as certified by a CERT-In empaneled firm.

4. Security Risk Assessment: Undertake to perform a Security Risk Assessment at least once every six months.

5. Third Party Risk Assessment Reports: Submit comprehensive third-party risk assessment reports.

6. Dedicated IPs Usage: Confirm the use of unique/dedicated IPs by regulated entities (REs).

Conclusion

Insurers are requested to send their compliance documentation to CERSAI to enable the restoration of CKYCRR access via API.

This initiative underscores the importance of robust cybersecurity practices in safeguarding sensitive data and ensuring the integrity of financial systems. By adhering to these new guidelines, insurers can help build a more secure and trustworthy digital environment for all stakeholders.
