Kathmandu. The cybersecurity vulnerability that has surfaced on the web portal of the insurance sector regulator Nepal Insurance Authority (NEA) has exposed how weak the cybersecurity is.
Although the Authority immediately blocked access to the portal, it has given strong evidence of how weak the Authority’s IT policy and its implementation is. After the news was published in Insurance Khabar, the authority temporarily removed the link of the portal.
Why was it not investigated and acted upon?
Who is responsible for the security lapse on such a sensitive issue? Why was such a weakness not monitored by the Information Technology Section of the Authority and the Department that monitors it? Why couldn’t the organization or person advising the authority on information technology identify such a sensitive flaw? What is the role of the authority to audit the information technology? Why did the auditor ignore this issue?
The authority has not investigated why the portal was opened without completing even one level of security identification. In the absence of an investigation, no action has been taken and no warning has been issued. If this case is treated as a minor error, not only the authority but the entire insurance sector of Nepal will have to pay a heavy price.
Only the back of the buffalo
Just as only the back of a buffalo sitting in a wallow is visible above the water, this case is only the visible sign of a much bigger weakness in the information technology system of the authority.
According to information technology experts, simply removing the link from the portal is not a long-term solution, but serious security risks still persist in the entire web ecosystem of the authority.
NEA, which has been entrusted with the digital regulation of the insurance sector, has had its own regulatory capacity called into question by failing to secure its own online system. Although the IT department of the authority is supposed to ensure that there is no unauthorized access to its websites, web applications and sensitive data, the latest incident shows that it has not fulfilled this responsibility effectively.
Regulator
Interestingly, the Information Technology Directive 2075 issued by the Insurance Authority states that insurance companies must test their information technology systems for unauthorized access at least once a year to ensure digital security and data privacy. However, the authority has completely ignored how effectively the provisions on unauthorized access control have been implemented in its own system.
According to information security experts, compromises in the regulatory body’s system are not only institutional weaknesses but also pose a risk to the overall insurance sector’s data, surveyor details, and sensitive information related to companies and insurers. They warn that if these shortcomings are not addressed in time, it could have a negative impact on public confidence in the insurance sector.
After this incident, the authority needs to implement independent cybersecurity audits, regular unauthorized access checks, secure coding practices, and real-time monitoring across all its digital platforms. At the same time, the regulator itself should lead by example before demanding that insurers strictly adhere to digital security.
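The lapse the article describes, a portal page served without even one level of identification, and the "regular unauthorized access checks" it recommends can both be shown in a small, dependency-free model. The following is an added example written for this page; it is not code from the authority's portal. The route paths, the session store and the user id are constructed for illustration. It registers one handler that is exposed with no authentication check (the "before" state), the same data behind a session-check decorator (the "after" state), and a self-audit that lists every non-public route a client can reach with no credentials, which is the kind of check an IT section or auditor would run on its own system.

```python
"""
Added example (not from the article or the Nepal Insurance Authority):
a minimal model of a web portal with an unguarded handler, a guarded
handler, and a self-audit for routes reachable without any session.
All route paths, tokens and user ids below are constructed.
"""
from functools import wraps

# Constructed sample session store: session token -> user id
SESSIONS = {"tok-valid-1": "surveyor-42"}

ROUTES = {}            # path -> handler function
PUBLIC_ROUTES = set()  # paths deliberately open (e.g. the login page)


class Unauthorized(Exception):
    """Raised when a guarded handler is called without a valid session."""


def route(path, public=False):
    """Register a handler under a path; mark it public if it needs no login."""
    def register(handler):
        ROUTES[path] = handler
        if public:
            PUBLIC_ROUTES.add(path)
        return handler
    return register


def require_auth(handler):
    """Enforce one level of identification: a session token known to SESSIONS."""
    @wraps(handler)
    def guarded(request):
        user = SESSIONS.get(request.get("session_token"))
        if user is None:
            raise Unauthorized(handler.__name__)
        request["user"] = user
        return handler(request)
    return guarded


@route("/login", public=True)
def login(request):
    return "login form"


# 'Before': sensitive data exposed with no identification step at all.
@route("/surveyors/export")
def surveyor_export_unguarded(request):
    return "surveyor list"


# 'After': the same data behind the session check.
@route("/surveyors/export-secure")
@require_auth
def surveyor_export_guarded(request):
    return f"surveyor list for {request['user']}"


def dispatch(path, request=None):
    """Call the handler registered for path with a copy of the request dict."""
    return ROUTES[path](dict(request or {}))


def denied_without_session(path):
    """True if an unauthenticated request to path is refused."""
    try:
        dispatch(path)
    except Unauthorized:
        return True
    return False


def audit_unauthenticated_access():
    """Return every non-public route that answers a request with no session."""
    return sorted(
        path for path in ROUTES
        if path not in PUBLIC_ROUTES and not denied_without_session(path)
    )


if __name__ == "__main__":
    # Expected: ['/surveyors/export'] is flagged; the guarded route is not.
    print("Routes reachable without a session:", audit_unauthenticated_access())
```

Running the audit against the registered routes flags only the unguarded export. The same idea scales to a real portal by replacing the in-memory route table with the framework's route list and the dummy request with an unauthenticated HTTP client, so the check can run on a schedule rather than once a year.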