1. Purpose
The purpose of this Information Security Policy is to establish a structured framework for protecting the confidentiality, integrity, and availability of information processed, stored, or transmitted by the Broker in the course of its insurance broking operations.
This policy ensures that information assets are safeguarded against unauthorized access, misuse, disclosure, alteration, or loss.
2. Scope
This policy applies to:
All information assets of the Broker, including:
- Client and employee data
- Policy, underwriting, claims, and insurer-related information
- Financial, contractual, and operational records
- All systems, applications, and websites used for insurance broking activities
All users, including:
- Employees and management
- Authorized administrators and operational staff
- Client-side users with granted access
- Authorized third parties and service providers
All environments, including production, testing, and staging
3. Information Security Objectives
The Broker’s information security objectives are to:
- Protect confidentiality of client, insurer, and employee information
- Maintain integrity and accuracy of data
- Ensure availability of systems and information for authorized users
- Comply with regulatory, contractual, and legal obligations
- Minimize operational, reputational, and compliance risks
4. Information Security Principles
4.1 Confidentiality
Information shall be accessible only to authorized individuals with a legitimate business need.
4.2 Integrity
Information shall be accurate, complete, and protected from unauthorized modification.
4.3 Availability
Information and systems shall be available to authorized users as required for business operations.
4.4 Accountability
All users are accountable for protecting information accessed or handled by them.
5. Information Classification
Information handled by the Broker is classified into the following categories:
- Confidential – Client data, policy information, financial records
- Internal – Operational processes, internal communications
- Public – Approved marketing and publicly available information
Security controls are applied in accordance with the classification level.
6. Access and User Responsibilities
Access to information is governed by role-based permissions.
Users shall:
- Use information solely for authorized business purposes
- Protect login credentials and access mechanisms
- Prevent unauthorized disclosure of information
Sharing of sensitive information without authorization is strictly prohibited.
7. Technical and Operational Security Controls
The Broker implements appropriate security measures, including:
- Secure authentication and access controls
- Encryption or secure transmission of sensitive information where applicable
- Regular system updates and security patches
- Protection against unauthorized access and malicious activities
- Secure configuration of systems and applications
8. Physical and Environmental Security
- Physical access to offices, servers, and sensitive equipment is restricted.
- Access to critical infrastructure is limited to authorized personnel.
- Measures are in place to protect systems from environmental threats.
9. Data Handling and Protection
- Information shall be collected, processed, and stored only for legitimate business purposes.
- Data retention follows regulatory and business requirements.
- Secure disposal methods are used for information no longer required.
- Personal and sensitive data is handled with heightened security controls.
10. Third-Party and Vendor Security
Third parties handling Broker information must adhere to appropriate security standards.
Access granted to third parties is limited, monitored, and contractually governed.
Third-party access is reviewed periodically.
11. Incident Management and Reporting
- Any actual or suspected information security incident must be reported immediately.
- Incidents are investigated and managed in accordance with internal procedures.
- Corrective and preventive measures are implemented to reduce recurrence.
12. Business Continuity and Backup
- Information and systems critical to operations are backed up regularly.
- Backup data is protected from unauthorized access.
- Recovery measures are in place to ensure continuity of operations in the event of disruptions.
13. Compliance and Regulatory Alignment
This policy aligns with:
- IRDAI regulations applicable to insurance brokers
- Applicable Indian cyber and data protection laws
- Insurer and corporate client security expectations
- Internal risk management and governance standards
14. Awareness and Training
Employees and authorized users are made aware of information security responsibilities.
Security awareness is reinforced through internal communication and training where applicable.
15. Policy Review and Maintenance
This policy is reviewed periodically and updated as required.
Reviews consider:
- Regulatory changes
- Business and technology changes
- Audit and incident findings
Continued use of the Broker’s systems constitutes acceptance of this policy.
16. Policy Ownership
This Information Security Policy is owned, implemented, and enforced by:
RiskBirbal Insurance Brokers Pvt. Ltd.