PwC’s Insurance Insights Analysis of regulatory changes and impact assessment … · PwC’s Insurance Insights Analysis of regulatory changes and ... in March, while the growth

PwC’s Insurance Insights Analysis of regulatory changes and impact assessment for April 2017

2 PwC PwC’s Insurance Insights

PwC’s Insurance Insights

Preface Our point of view on key IRDAI guidelines issued in April 2017 Other key guidelines issued by IRDAI in April 2017 Contacts

• Private life insurers ended the year on a strong note with 31% YoY annual premium equivalent (APE) growth, while LIC grew by 16% YoY, leading to 23% YoY APE growth for the industry.1

• Among the top seven life insurers, HDFC Life (44%) and Max Life (41%) outperformed the industry in March, while the growth for SBI Life (21%), ICICI Prudential Life Insurance (14%), Birla Sun Life (13%) and Bajaj Allianz (12%) remained positive.2

• LIC of India registered a 27.22% growth in new business in terms of first-year premium (FYP) in 2016–17. The total FYP amounted to 1,24,396.27 crore INR as on 31 March 2017 as against 97,777.47 crore INR in the previous year, capturing 71.07% of the market share as against last year’s market share of 70.61%. LIC’s market share in terms of the number of policies is 76.09%, with over 20 million new policies garnered this year, as against a share of 74.72% last year.3

• After the launch of Pradhan Mantri Jeevan Jyoti Bima Yojana (PMJJBY), life insurance companies like SBI Life Insurance and Edelweiss Tokio Life Insurance started designing over-the-counter products for the masses. The Insurance Regulatory and Development Authority of India (IRDAI) is encouraging life insurers to launch more such ‘vanilla’ products where each and every benefit is pre-defined and clearly disclosed upfront at the time of sale.

• In 2009, life insurance penetration levels were at 4.60%. However, a steady decline in sales caused the number to further plummet to 2.72% as of March 2016. To increase sales, IRDAI has been trying to increase insurance penetration by launching initiatives such as point of salesperson (POS) transactions.5

• Kotak Mahindra Bank entered into an agreement to purchase the entire 26% equity stake held by UK-based Old Mutual Kotak Mahindra Old Mutual Life Insurance. The size of the deal is 1292.7 crore INR.6

• In comparison to global players, India, like most other developing countries, performs low in terms of insurance density. The figure below shows that Switzerland has the

1 NURC Media Next Pvt Ltd 2 NURC Media Next Pvt Ltd 3 NURC Media Next Pvt Ltd 5 NURC Media Next Pvt Ltd6 Indian Express article dated 29th April, 2017

highest density (in USD) for 2011–12. The densities of developing economies like India, Pakistan, Bangladesh and China are much lower than the world average.

Source: IRDAI annual report 2014–15

USD Life Insurance USD Non-Life Insurance Total

Aust

ralia

Braz

il

Fran

ce

Ger

man

y

Russ

ia

Sout

h Af

rica

Switz

erla

nd

Uni

ted

King

dom

Uni

ted

Stat

es

Hon

g Ko

ng

Indi

a

Japa

n

Mal

aysi

a

Paki

stan

PR C

hina

Sing

apor

e

Sout

h Ko

rea

Sri L

anka

Taiw

an

Thai

land

Wor

ld

9,0008,0007,0006,0005,0004,0003,0002,0001,000

0



• In order to overcome issues of low density, IRDAI has launched various consumer education initiatives (CEIs) through print, electronic and other media channels with the objective of empowering consumers by educating them about various insurance-related concepts, processes, procedures and mechanisms.

• Some of IRDAI’s initiatives are mentioned below-

‘Bima Bemisaal’ awareness campaign Handbooks

‘Jago Grahak Jago’ programme

• It educates policyholders about their rights and obligations.

• This campaign uses various media like print, radio and television.

• Handbook on life insurance

• Employment opportunities in the insurance sector

• Handbook on crop insurance

• Health insurance handbook

• Motor insurance handbook, among others

01

02

03

• This is a consumer awareness programme.

• To create awareness, the government uses multiple channels, including audio, print and television.



IRDAI circular reference:Ref: IRDA/IT/GDL/MISC/082/04/2017Date of notification: 7 April 2017Applicable entities: All insurers in India



Guidelines on information and cyber security for insurers

Introduction:IRDAI has created the following sub-groups for arriving at a comprehensive framework for information and cyber security:

Group 1: All four layers of security (data, applications, operating systems and network layers)

Group 2: Security audit Group 3: Legal aspects on cyber security

Background and objectiveIt is essential to ensure that a uniform framework for information and cyber security is implemented for insurers and that an in-built governance mechanism is in place within the

regulated entities in order to make sure that all such security-related issues are addressed on time.

Implications for insurersIRDAI, in its circular, has given a detailed step-by-step approach that every insurer needs to follow while implementing a cyber security framework.

• Ensure that a board-approved information and cyber security policy is in place.

• Lay down the necessary implementation procedures for information and cyber security related issues.

• Have in place adequate mitigation controls for information and cyber security related risks.

• Employ in-built governance mechanisms for the effective implementation of an information and cyber security framework.

• Appoint/designate an experienced senior-level officer exclusively as chief information security officer (CISO) and form an Information Security Committee (ISC).

• Put together a separate information security team to focus exclusively on information security management.

• Devise a separate internal audit plan covering the information security audit plan.

• Present the audit plan and reports to the audit committee of the board.

• Conduct audit for third parties/vendors handling critical data on a planned and ad hoc basis.

• Communicate and discuss all instances of non-compliance with relevant line management and CISO.

• Establish identity management and access control arrangements for effective and consistent user administration.

• Follow a change management process to make changes to business applications, computer systems and networks, covering associated risks, change authorisation, business continuity and impact.





• Plan a process for managing the security of relationships with external parties and implement a vendor/third-party risk management framework.

• Establish a strong business continuity plan so as to continue provisions of alternative, secure facilities for business processes.

• Identify assets associated with information and information processing facilities and draw up and maintain an inventory of these assets.

• Implement physical and environmental security to protect information-processing facilities and areas that contain either sensitive or critical information.

• Communicate information security roles and responsibilities to job candidates during the pre-employment process.

• Identify and manage information security requirements and associated processes that should be integrated in early stages of information systems projects.

• Develop a risk management programme to undertake information security risk assessment for target environments on a periodic basis.

• Manage information security risk assessment by having documented standards/procedures for performing information risk assessments.

• Develop a business continuity and disaster recovery framework.

• Define and implement procedures to ensure that the confidentiality, integrity, availability and consistency of all data stored in different forms is maintained.





• Develop policy, standards, procedures and guidelines to address the threats to endpoints in information system infrastructures and prevent unauthorised access to endpoints and for virtualisation of the systems.

• Ensure security of information processed, transmitted and stored on the cloud architecture.

• Ensure security of information assets while teleworking and using mobile devices by implementing appropriate security measures to manage the risks associated with the usage of mobile computing devices and communication facilities.

• Engage qualified external systems auditors to carry out independent assurance audits.

• Ensure compliance to the legal framework for storing, disseminating, processing and retrieving of electronic data.

• Mandatory compliance by insurers

• Adhere to timelines for implementation as defined in the circular.

• Prepare a gap analysis report.

• Complete the first comprehensive information and cyber security assurance audit and submit the report to IRDAI by 31 March 2018.

• Implement application security to ensure that information security is an integral part of information systems.

• Classify critical systems and cyber security incidents based on their criticality and severity.

• Develop a well-functioning cyber security management programme consistent with cyber resilience best practices.

• Configure organisations’ IT infrastructure, including servers, applications, and network and security devices, to ensure security, reliability and stability.

• Protect the information transmitted across the organisation through its network by deploying adequate network security controls.

• Protect the confidentiality, authenticity and integrity of information by cryptographic means wherever necessary.

• Establish logging and monitoring capabilities to detect security events in a timely manner.


Guidelines reference Particulars Impact



F. No. IRDAI/Reg/3/140/2017

Date of issue: 24 April 2017

Payment of commission or remuneration or reward to insurance agents and insurance intermediaries

The Authority (IRDAI) has issued amendments to the guideline on ‘Payment of commission or remuneration or reward to insurance agents and insurance intermediaries’ which came into force on 1 April 2017.

The highlights of the regulation are:

The maximum rate of commission or remuneration payable by an insurer shall not exceed either:

• The maximum specified by these regulations or

• Any other rate of commission or remuneration approved by the Authority, whichever is lower.

Other key guidelines issued by IRDAI April 2017





IRDA/Int/ POS/GDL/ PSP/084/ 04/ 2017


Circular on Point of sales person database

As per amendments to the POS guidelines issued on 16 March 2017:

• An insurer or insurance intermediary proposing to engage a POS shall ensure that the applicant is not engaged as a POS with any other insurer or insurance intermediary by cross-checking with the database housed at the Insurance Information Bureau (IIB).

• All insurers and insurance intermediaries have to upload the existing database of their POS on the portal, start using the functionalities of the POS portal and upload the details of new POS enrolled by them.

• The web link, uploadable format, user guide and the technical configuration details are made available in the circular.

Mandatory compliance by insurers

The circular stipulates uploading of POS data from 15 April 2017.






IRDA/INT/CIR/ECM/083/04/2017


Circular on Filing of online application for Insurance Self Networking Platform

In its endeavour to increase insurance penetration through the medium of e-commerce, the Authority has announced the launch of an online registration portal for the Insurance Self Networking Platform (ISNP).

Implications for insurers

Through this portal, the insurers and insurance intermediaries can:

• Create log-in credentials for registration.

• Submit the ISNP application form online.

• Generate a print version of the application form with all details pre-filled.

• Refer to the guidelines on e-commerce.

• Find out more about ISNP through the FAQs section.

• Track the status of/read important announcements from IRDAI.






IRDA/IT/GDL/MISC/ 082/04/2017


Guidelines on Information and Cyber Security for insurers

IRDAI has created the following sub-groups for arriving at a comprehensive framework for information and cyber security:

Group 1: All four layers of security (data, applications, operating systems and network layers)

Group 2: Security audit Group 3: Legal aspects on cyber security





Vivek Iyer Partner [email protected] Mobile: +91 9167745318

Dnyanesh Pandit Director [email protected] Mobile: +91 9819446928

Joydeep K Roy Partner [email protected] Mobile: +91 9821611173

Yugal Mehta Assistant Manager [email protected] Mobile: +91 9970163293

At PwC, our purpose is to build trust in society and solve important problems. We’re a network of firms in 157 countries with more than 2,23,000 people who are committed to delivering quality in assurance, advisory and tax services. Find out more and tell us what matters to you by visiting us at www.pwc.com

In India, PwC has offices in these cities: Ahmedabad, Bengaluru, Chennai, Delhi NCR, Hyderabad, Kolkata, Mumbai and Pune. For more information about PwC India’s service offerings, visit www.pwc.com/in

PwC refers to the PwC International network and/or one or more of its member firms, each of which is a separate, independent and distinct legal entity in separate lines of service. Please see www.pwc.com/structure for further details.

©2017 PwC. All rights reserved.

About PwC

pwc.inDataClassification:DC0This document does not constitute professional advice. The information in this document has been obtained or derived from sources believed by PricewaterhouseCoopers Private Limited (PwCPL) to be reliable but PwCPL does not represent that this information is accurate or complete. Any opinions or estimates contained in this document represent the judgment of PwCPL at this time and are subject to change without notice. Readers of this publication are advised to seek their own professional advice before taking any course of action or decision, for which they are entirely responsible, based on the contents of this publication. PwCPL neither accepts or assumes any responsibility or liability to any reader of this publication in respect of the information contained within it or for any decisions readers may take or decide not to or fail to take.© 2017 PricewaterhouseCoopers Private Limited. All rights reserved. In this document, “PwC” refers to PricewaterhouseCoopers Private Limited (a limited liability company in India having Corporate Identity Number or CIN : U74140WB1983PTC036093),whichisamemberfirmofPricewaterhouseCoopersInternationalLimited(PwCIL),eachmemberfirmofwhichisaseparatelegalentity.MJ/May2017-9628

Documents

PwC’s Insurance Insights Analysis of regulatory changes and impact assessment … · PwC’s Insurance Insights Analysis of regulatory changes and ... in March, while the growth