It is reported that the Insurance Regulatory and Development Authority of India (IRDA) has mandated that the Indian Insurance companies should store all critical customer data in domestic servers within the next 3 to 6 months. (See article here)
This would mean that many of the Insurance companies which have joint ventures and are storing their data in foreign servers (or on the cloud) will now be required to set up new data centers in India so that Customer data does not move out of India.
It is expected that this move would require substantial investments from these insurance companies such as Tata AIG, Bharti AXA, ICICI Lombard, Birla Sunlife, Bajaj Alliance etc.
The decision follows the issue of the Outsourcing guidelines which inter alia indicate the following norms.
According to the guidelines, only Indian companies can be the outsource agents though there is a provision to approve any other authority that may be approved by IRDA.
The guidelines also suggest that the Insurance company has to ensure that the outsourcing agency has adequate information security measures and also conduct periodical audit of the outsourcing arrangement.
A detailed guideline of the clauses that the outsourcing contract must have has also been indicated in the exposure draft.
Though the guideline only reiterates some of the known principles of Information security for management of outsourcing agencies which are already in place in case of other regulated industries such as the Banks, it brings in a new focus on the Insurance companies and the need for storing the data within India.