ISNP Audit Service

As we immerse ourselves in the ever-evolving era of digitalization, where e-commerce has become a way of life, the insurance industry is keeping pace by harnessing the potential of online platforms. In this dynamic landscape, Insurance Self Networking Platform (ISNP) compliance emerges as a vital pillar, ensuring the security and privacy of online insurance transactions. Championed by the Insurance Regulatory and Development Authority of India (IRDAI), ISNP stands tall as an electronic platform authorized to revolutionize insurance e-commerce activities.

Today, many businesses use the internet to gain a competitive advantage. However, the insurance industry has been a little slow to catch up. When IRDAI through ISNP allowed insurers or insurance intermediaries to conduct insurance e-commerce activities in India, the insurance sector finally opted to develop e-commerce in the insurance domain. ISNP is an e-commerce portal in India that deals with insurance services. It enables brokers or firms to sell policies at a lower cost. The Insurance Self Network Platform was established with the approval of the insurance regulatory authorities.


What is an ISNP Audit?

In the world of insurance, where online transactions are becoming the norm, ensuring the security, efficiency, and compliance of self-networking platforms is of utmost importance. This is where ISNP Audit comes into play. An ISNP Audit involves a comprehensive evaluation of an insurance organization's self-network platform, with the aim of assessing its compliance with regulatory standards, security measures, functionality, and overall effectiveness.

During an ISNP audit, a team of auditors meticulously examines various aspects of the ISNP. They review the platform's design, architecture, policies, procedures, and controls to evaluate its adherence to industry regulations and best practices. The auditors also assess the implementation of security measures, access controls, and data management practices specific to the insurance industry.

The primary purpose of an ISNP audit is to ensure that the platform operates efficiently, securely, and in line with industry standards. By identifying any vulnerabilities, weaknesses, or non-compliance issues, the audit provides valuable insights and recommendations for improvement. This empowers insurance organizations to enhance their ISNP, strengthen data security and privacy measures, mitigate risks, and maintain compliance with regulatory requirements.

The ISNP audit process involves a thorough examination of the platform's design, functionality, and security measures. Auditors review documentation, policies, and procedures related to the ISNP, and may conduct interviews with key personnel involved in its management and operation. Technical assessments, such as vulnerability scans and penetration testing, may also be conducted to identify potential security flaws or weaknesses.

The audit findings are compiled in a comprehensive report that highlights any identified issues, areas of non-compliance, and recommended improvements. This report serves as a roadmap for the organization, guiding them in addressing the identified issues and enhancing the overall performance and security of their ISNP.

By conducting ISNP audits, insurance organizations demonstrate their commitment to maintaining high standards of security, compliance, and operational efficiency. These audits play a crucial role in identifying and mitigating potential risks, preventing data breaches, and ensuring that the ISNP functions effectively to support the organization's insurance operations. Ultimately, ISNP audits promote transparency, accountability, and trust within the insurance industry by ensuring that self-network platforms are robust, secure, and compliant with relevant regulations.

As the insurance industry embraces digitalization, ISNP compliance and audits become essential components in safeguarding online insurance transactions. By conducting regular ISNP audits, insurance organizations can bolster the security, efficiency, and compliance of their self-network platforms, reinforcing trust and providing enhanced services to their customers in the rapidly evolving digital landscape.

Which types of organizations should conduct an ISNP audit?

ISNP audits are typically conducted by independent audit firms or internal audit teams with expertise in information security, risk management, and regulatory compliance. The specific organizations that should be conducting ISNP audits include:

  1. Insurance Companies: Insurance companies are at the forefront of utilizing ISNPs to streamline their insurance operations. As they are the primary users of ISNPs, it is crucial for insurance companies to conduct ISNP audits to ensure the platform's compliance, security, and effectiveness.
  2. Underwriters: Underwriters play a vital role in the insurance industry by assessing risks and determining premiums. Underwriters often rely on ISNPs to manage and process insurance policies. Therefore, it is important for underwriters to conduct ISNP audits to ensure that the platform aligns with their risk assessment processes and meets regulatory requirements.
  3. Insurance Intermediaries: Insurance intermediaries, such as brokers or agents, act as a link between insurance companies and policyholders. These intermediaries frequently utilize ISNPs to facilitate insurance transactions. Conducting ISNP audits enables insurance intermediaries to validate the security and compliance of the platform, providing assurance to both insurers and policyholders.
  4. Third-Party Administrators (TPAs): TPAs are organizations that handle administrative tasks on behalf of insurance companies, such as claims processing and policy administration. Since TPAs often handle sensitive customer data, conducting ISNP audits is crucial to ensure data security, privacy, and compliance with relevant regulations.
  5. Regulators and Regulatory Bodies: Regulatory authorities overseeing the insurance industry may require insurance organizations to undergo ISNP audits as part of their regulatory compliance obligations. Regulators themselves may also conduct audits or review the results of ISNP audits to assess compliance with industry regulations and standards.
  6. Reinsurers: Reinsurers provide insurance coverage to insurance companies, sharing the risks associated with insurance policies. Reinsurers may need to access ISNPs for data sharing or to perform their own risk assessments. Hence, conducting ISNP audits helps reinsurers ensure the security and reliability of the platform they rely on.
  7. Risk Management Departments: Within insurance organizations, risk management departments are responsible for identifying, assessing, and mitigating risks. Conducting ISNP audits allows these departments to evaluate the risk exposure associated with the platform and implement necessary controls and improvements.

All of these individuals and organizations should conduct ISNP audits.

What are the steps in an ISNP audit?

ISNP audits are typically conducted by a range of insurance organizations that have integrated an Insurance Self Networking Platform (ISNP) into their operations. These organizations include insurance companies, underwriters, brokers, and any entity involved in managing and administering an insurance self-network platform.

The detailed steps involved in an ISNP audit are as follows:

  1. The first step in an ISNP audit involves an in-depth technical assessment. Auditors thoroughly examine the technical aspects of the ISNP, including its design, architecture, and infrastructure. This examination aims to evaluate the platform's robustness, scalability, and reliability to ensure it can effectively support the organization's insurance operations.
  2. An information security process audit is another essential component of the ISNP audit. Auditors assess the organization's information security processes, which encompass security policies, procedures, and controls. This evaluation ensures that the implemented security measures align with industry best practices and regulatory requirements, thereby safeguarding the confidentiality, integrity, and availability of data within the ISNP.
  3. To address the critical aspect of cybersecurity, auditors verify the applicability and effectiveness of cybersecurity controls within the ISNP. This assessment includes evaluating access controls, encryption methods, intrusion detection systems, and incident response procedures. The goal is to ensure that the platform is adequately protected against cyber threats and unauthorized access attempts, reducing the risk of data breaches or security incidents.
  4. During the audit, evidence and logs stored on the servers supporting the ISNP are thoroughly checked and analyzed. This step helps identify any suspicious activities, signs of unauthorized access attempts, or potential security breaches. The review of evidence and logs provides valuable insights into the overall security posture of the platform and enables auditors to pinpoint potential vulnerabilities or weaknesses.
  5. Additionally, an ISNP audit examines the ISNP's compliance with technical requirements established by the Insurance Regulatory and Development Authority of India (IRDAI). Auditors evaluate the platform's adherence to guidelines, standards, and regulations set by the regulatory authority. This assessment ensures that the ISNP meets the necessary technical standards and aligns with regulatory expectations.

By following these comprehensive steps, the ISNP audit aims to provide a thorough assessment of the platform's security, functionality, and compliance. It enables auditors to identify any gaps or deficiencies in the implementation of technical controls, thus facilitating the development of appropriate recommendations for improvement. Ultimately, an ISNP audit helps insurance organizations strengthen the security and effectiveness of their ISNP, enhancing operational efficiency and instilling confidence in customers and stakeholders.

How frequently should an organization conduct an ISNP audit?

Organizations that have implemented an Insurance Self Networking Platform (ISNP) should conduct ISNP audits on a regular basis to ensure compliance and maintain the integrity of their operations. The frequency of these audits may vary based on factors such as regulatory requirements, industry best practices, and the organization's risk management strategy.

The Insurance Regulatory and Development Authority of India (IRDAI) mandates that controls, procedures, systems, and safeguards put in place by the ISNP should be reviewed at least once a year. This review is typically conducted by an external certified information system auditor (CISA) or qualified Chartered Accountants (CA) with expertise in information system audit. These auditors are responsible for assessing the ISNP's compliance with regulatory standards and identifying any adverse findings that may impact the platform's operations or cause financial loss to policyholders.

Insurance organizations that have implemented an Insurance Self Networking Platform (ISNP) must ensure timely renewal of their ISNP license to maintain its validity. The ISNP certification is initially granted for a period of three years. Once this period expires, the certificate of incorporation for the ISNP becomes invalid, indicating the need for renewal.

During the audit, the auditors thoroughly examine the controls, procedures, and systems implemented by the ISNP. They assess the code of conduct and performance of the individuals managing the platform, review the website information and processes, and scrutinize the mechanisms in place. Additionally, auditors ensure that the ISNP only enrolls market participants who have received a certificate of registration from the regulatory authority.

The ISNP audit also requires the organization to maintain a proactive fraud detection policy and process approved by the board. Proper record-keeping, adherence to standard operating procedures (SOPs), and supervision by the insurer over the ISNP are essential. The organization must also comply with reporting requirements to the insurance regulatory authority, including informing them of any actions taken by the government or regulatory bodies. Filing an annual compliance certificate, signed by the CEO and compliance officer, demonstrates the organization's commitment to meeting the guidelines set by the regulatory authority.

By conducting ISNP audits at regular intervals, insurance organizations can ensure that their self-network platform remains compliant with regulatory requirements, operates securely, and protects the interests of policyholders. These audits play a crucial role in maintaining transparency, preventing fraudulent activities, and upholding the standards of the insurance industry.

What is the latest version of ISNP?

The Insurance Self Networking Platform (ISNP) was proposed by the regulator in April 2017 to facilitate e-commerce in the insurance industry, and the latest version of the ISNP was introduced by the Insurance Regulatory and Development Authority of India (IRDAI) in April 2017. The ISNP aims to promote e-commerce in the insurance industry, with the goal of reducing transaction costs, increasing efficiency, and expanding insurance penetration. However, there is a lack of comprehensive information available regarding the ISNP itself, the entities participating in it (such as insurance companies, brokers, and corporate agents), and the regulatory framework governing their operations.

Despite the establishment of a dedicated portal (https://isnp.irda.gov.in/) by the IRDAI, there is limited transparency regarding the entities registered on the ISNP portal and the nature of their business activities. The regulatory authority has not provided explicit details about the authorization process for selling or servicing insurance policies through the ISNP platform. Consequently, stakeholders remain unaware of the number of insurance companies, brokers, and corporate agents that have applied for registration, the status of their applications, and the specific responsibilities they have toward insurance consumers.

According to available information, approximately 50 insurance broking companies have been approved for participation in the ISNP by the IRDAI, while others are still awaiting permission or have had their applications rejected. The lack of awareness among insurance policy buyers about authorized intermediaries operating through ISNPs increases the risk of falling victim to fraudulent entities that exploit the ISNP name for illegitimate purposes. Moreover, there is a concern that some entities may be conducting business under the guise of ISNPs without proper authorization from the IRDAI.

This situation is particularly significant given the rising prevalence of online cyber fraud, particularly in the insurance sector. Unscrupulous entities posing as insurance companies or intermediaries could perpetrate fraud against unsuspecting customers. However, the IRDAI has not disclosed any information about entities associated with or authorized by the ISNP, and there is currently no consumer grievance redressal mechanism available on the ISNP portal.

Interestingly, while the IRDAI's portal for policyholders (https://www.policyholder.gov.in) emphasizes caution and awareness during the policy purchase process, highlighting the risk of mis-selling by insurers and intermediaries, similar cautionary measures are not explicitly evident on the ISNP portal.

The circular issued by the IRDAI on 12 April 2017 outlined the filing process for the online application for ISNP in line with the guidelines for insurance e-commerce published on 9 March 2017. The circular stated that insurance companies, brokers, and corporate agents could sell and service insurance policies through the ISNP platform. The services offered under the ISNP include the issuance and delivery of policy documents, certificates of insurance, proposal forms, medical reports, and endorsements.

To facilitate policyholders' access to their insurance information, the ISNP allows the creation of e-insurance accounts (eIAs) that store policy documents in electronic format. Four entities, namely NSDL Database Management Ltd, Central Insurance Repository Ltd, Karvy Insurance Repository Ltd, and CAMS Repository Services Ltd, have been authorized by the IRDAI to open eIAs for policyholders. It is mandatory for customers transacting on the ISNP to possess an eIA, and insurers or intermediaries registered with the ISNP must facilitate the opening of eIAs within 15 days of policy issuance.

Despite the ISNP's importance and its potential impact on the insurance industry, the IRDAI has not provided proactive information about the platform under the Right to Information (RTI) Act. Requests for detailed information about the ISNP, including the names and businesses of registered entities, and the supervisory and regulatory measures undertaken by the IRDAI, have been met with silence from the regulatory authority.

It is crucial for the IRDAI to address these information gaps and enhance transparency regarding the ISNP. By doing so, they can foster trust among policyholders, mitigate the risks associated with fraudulent activities, and ensure effective regulation and supervision of the entities operating within the ISNP framework.

The Insurance Self Networking Platform (ISNP) audit for an organization can be conducted by qualified and independent auditors who possess the necessary expertise and knowledge in insurance regulations, compliance, and information technology systems. The audit aims to assess the organization's adherence to the ISNP guidelines and regulatory requirements set forth by the Insurance Regulatory and Development Authority of India (IRDAI).


Who can conduct an ISNP audit for an organization?

Some key considerations regarding the entities that can conduct ISNP audits:

  1. Third-Party Audit Firms: Organizations can engage third-party audit firms that specialize in insurance audits and have experience in conducting similar assessments. These firms should have a thorough understanding of ISNP guidelines, IRDAI regulations, and the specific requirements related to e-commerce and insurance transactions.
  2. IRDAI-Empaneled Auditors: The IRDAI may maintain a panel of approved auditors or audit firms who are authorized to conduct ISNP audits. These auditors are selected based on their qualifications, experience, and expertise in the insurance sector. Organizations can choose auditors from the IRDAI's empaneled list to ensure compliance with the regulatory standards.
  3. Internal Audit Departments: Organizations may have an internal audit department or team responsible for evaluating internal controls, compliance, and risk management processes. If the internal audit team possesses the necessary knowledge and skills in insurance regulations and ISNP guidelines, they can perform the ISNP audit internally. However, it is essential to maintain independence and objectivity in conducting internal audits to ensure unbiased assessments.

Regardless of whether the audit is conducted by a third-party firm, an empaneled auditor, or an internal audit team, the auditors should adhere to certain principles and considerations during the ISNP audit process:

  1. Expertise: The auditors should have a deep understanding of insurance regulations, ISNP guidelines, e-commerce practices, and relevant technological aspects related to insurance transactions.
  2. Independence and Objectivity: The auditors must maintain independence and objectivity throughout the audit process to provide unbiased evaluations and opinions. This ensures that the audit findings are reliable and credible.
  3. Compliance Assessment: The auditors should review the organization's processes, systems, and controls to determine compliance with ISNP guidelines, IRDAI regulations, and other applicable laws and regulations. This includes verifying the organization's adherence to authorization requirements, information security measures, policy issuance processes, and other relevant aspects.
  4. Risk Assessment: The auditors should assess the organization's risk management practices, including identifying potential risks associated with ISNP operations, data privacy, cybersecurity, and fraud prevention. They should evaluate the effectiveness of the organization's risk mitigation measures and control frameworks.
  5. Audit Report: Upon completion of the audit, the auditors should prepare a comprehensive audit report detailing their findings, observations, and recommendations. The report should highlight any non-compliance issues, control weaknesses, or areas for improvement. The organization can use this report to address deficiencies, strengthen internal controls, and enhance their ISNP operations.

In summary, the ISNP audit for an organization can be conducted by qualified third-party audit firms, IRDAI-empaneled auditors, or internal audit departments with the necessary expertise and knowledge in insurance regulations, compliance, and technology. The auditors should ensure independence, compliance assessment, risk assessment, and provide a comprehensive audit report to support the organization in improving its ISNP operations and complying with regulatory requirements.