IRDAI asks insurance companies to lay down social media guidelines for employees

Regulator Insurance Regulatory and Development Authority of India (IRDAI) has asked insurance companies to lay down social media guidelines for their employees to ensure that no unverified or confidential information relating to the organisation is disseminated to the public through these platforms.

An organisation's reputation is closely linked to the behaviour of its employees, IRDAI said, adding, "Social media should be used in a way that adds value to the organisation's business".

The Information and Cyber Security Guidelines, which were issued by IRDAI to all insurers, have a specific section on 'acceptable usage of social media.' It states that the employees should be refrained from disseminating any unverified and confidential information on "Any blogs/chat forums/discussion forums/messenger sites/social networking sites".

"Any information received, accessed or obtained by an employee, either in his/her official mail/personal mail/Media Forums or in any other manner, if proposed to be disseminated or shared in any Media Forum, should be forwarded to the Organisation's Compliance team and corporate communication team for prior approval," it said.

Media forums should not be used to report a service fault or to make a complaint, it added.

IRDAI further said any personal internet posting or communication which implies that you work for an organisation must include a simple and visible disclaimer like: 'The postings on this service are my own personal views and not those of organisation and are not intended to be interpreted as such.'

"The personal image projected in social media affects an individual's reputation and may affect the reputation of organisation. No form of critique or comment on an organisation or its business should be made on personal websites or social networking platforms," said the section on guidelines for the usage of social media by employees for personal purposes.

The organisation's Information and Cyber Security Policy (ICSP) identifies responsibilities and establishes the goals for consistent and appropriate protection of the organisation's critical data and information assets. Implementing this policy shall reduce the risk of accidental or intentional disclosure, modification, destruction, delay, or misuse of information assets, the regulator said.

Information assets comprise data or information recorded in electronic, printed, written, facsimile or other systems and the 'system' itself.

The guidelines are applicable to all insurers, including foreign re-insurance branches (FRBs) and insurance intermediaries regulated by the IRDAI.

In 2017, the regulator issued guidelines on Information and Cyber Security for Insurers, which were later extended to all intermediaries in 2022.

Considering the widespread adoption of digital technologies and the concurrent increase in cyber security incidents, Irdai has revised the guidelines to enable the insurance industry to strengthen its defences and a related governance mechanism to deal with such emerging cyber threats.