IRDAI Asks Insurers To Set Social Media Norms For Employees

The Insurance Regulatory and Development Authority of India (IRDAI) has asked insurance companies to lay down social media guidelines for their employees under the revised Information and Cyber Security Guidelines, 2023.

IRDAI has introduced sweeping, detailed guidelines for how insurance employees should use social media. These guidelines are set to impact the many insurtech startups in India such as ACKO, Go Digit, Plum, InsuranceDekho and others.

“Considering the wide-spread adoption of digital technologies and the concurrent increase in cyber security incidents, the revised Guidelines are hereby issued in order to enable the insurance industry to strengthen their defences as well as related governance mechanisms to deal with such emerging cyber threats,” IRDAI said in a notification on April 24.

The insurance regulator said that the companies need to ensure that no unverified or confidential information relating to the organisation is disseminated to the public through social media, hence the need for a social media policy at the organisation.

The guidelines have a separate section for social media – Acceptable usage of social media – with two subsections about social media usage for corporate and personal purposes.

Under corporate purposes, IRDAI said that employees should not use any social media platform for business unless they have received appropriate training recommended by the organisation’s corporate communication team.

Further, the insurance regulator said that during office hours or while on the office’s network, employees are categorically restricted from using social media, adding that they should refrain from “disseminating any unverified and confidential information related to Organisation on any Blogs/Chat forums/Discussion forums/Messenger sites/Social networking sites.”

To make things more transparent and controlled, the IRDAI said that the employees couldn’t use social media platforms to report a service fault, make a complaint or make posts anonymously or under a pseudonym.

The employees are also not supposed to share anything they receive on their official email ID without prior approval from the insurer’s compliance team, even if the contents of the email are meant to be shared online.

While using social media for personal purposes, the employees should act in a way that adds value to the company’s business and helps its reputation, the IRDAI said.

The insurance regulator added that the employees should make it explicitly clear that they are posting as themselves and not the insurer they work for. Unless explicitly approved by the company, such communications should not be assigned to it. IRDAI added that a simple disclaimer could also help make that distinction.

Further points include that employees should avoid criticising the insurer they work for online, not use official logos, email IDs and other identification while posting on social media, comply with other company policies, and be mindful of the privacy settings on their devices.

The guidelines, though restrictive for employees, would protect an insurer’s trustworthiness and reputation. The insurance regulator’s guidelines come amid increased cybersecurity incidents in India.

Per the Indian Computer Emergency Response Team (CERT-In) data, India witnessed 13.9 Lakh cybersecurity incidents in 2022. However, this data is not a clear reflection of the actual scale, as these are the incidents that were large enough to be reported to CERT-In.

Note: We at Inc42 take our ethics very seriously. More information about it can be found here.