IRDAI Cybersecurity Guidelines Checklist

Insurance Sector Cyber Risk & Governance Framework

Overview

The Insurance Regulatory and Development Authority of India (IRDAI) issued its Information and Cyber Security Guidelines in April 2023, building on the 2017 Guidelines on Information and Cyber Security for Insurers and setting out cybersecurity requirements for insurers, insurance intermediaries, and insurance repositories operating in India. The guidelines mandate specific governance, technical, and operational controls aligned with industry practice. Compliance is mandatory, and IRDAI checks adherence through its regular inspection and on-site audit process.

Applicability and Scope

Entity type | Key requirements
Life and general insurers | Full compliance with all guidelines, including a dedicated CISO, a SOC, and the complete set of technical controls
Health insurers | Full compliance, including specific protections for health data and electronic medical records
Reinsurers | Compliance with the guidelines as they apply to their India operations
Insurance intermediaries (brokers, corporate agents, web aggregators) | Applicable controls, proportionate to the scale of their operations
Insurance repositories | Full compliance, with enhanced data protection controls for policyholder data

Governance Framework

  • Establish a Board-approved Information and Cyber Security Policy reviewed annually
  • Appoint a Chief Information Security Officer (CISO) with direct access to the Board and CEO
  • Constitute an Information Security Committee with cross-functional representation
  • Allocate a dedicated cybersecurity budget as a defined percentage of IT spend
  • Conduct cybersecurity risk assessments at least annually and after significant changes
  • Present quarterly cybersecurity reports to the Board covering risk posture, incidents, and remediation progress
  • Develop and maintain a three-year cybersecurity roadmap aligned with business strategy

Technical Controls

The guidelines prescribe a defense-in-depth approach with specific controls at each layer:

  • Network security: next-generation firewalls, intrusion detection and prevention systems, and network segmentation that isolates critical systems
  • Endpoint security: EDR solutions, application whitelisting, and device encryption
  • Data security: encryption at rest and in transit, data loss prevention (DLP), and database activity monitoring
  • Access management: multi-factor authentication, privileged access management, and regular access reviews
  • Application security: secure development lifecycle practices, code reviews, and web application firewalls

Incident Management and Reporting

  • Report cybersecurity incidents to IRDAI within 6 hours of detection
  • Report concurrently to CERT-In as required under CERT-In mandatory directions
  • Maintain a documented incident response plan tested through tabletop exercises at least annually
  • Conduct root cause analysis for all significant incidents and submit findings to IRDAI
  • Preserve forensic evidence and maintain chain of custody documentation
  • Notify affected policyholders in case of personal data breaches within prescribed timelines
  • Conduct post-incident reviews and implement corrective measures with documented evidence

Audit and Compliance Requirements

IRDAI requires insurers to conduct comprehensive cybersecurity audits annually through CERT-In empaneled auditors. The audit scope covers IT governance, access controls, network security, application security, data protection, incident management, business continuity, and vendor risk management. Vulnerability Assessment and Penetration Testing (VAPT) must be conducted at least twice a year, with critical findings remediated within 30 days. Insurers must also participate in industry-wide cyber exercises organized by IRDAI or CERT-In and submit compliance reports in the prescribed format.

Frequently Asked Questions

When did the IRDAI cybersecurity guidelines take effect?

The Information and Cyber Security Guidelines were issued in April 2023, with immediate applicability. Insurers were given a phased implementation timeline for certain technical controls, but governance and reporting requirements were effective immediately.

Do intermediaries need a dedicated CISO?

Large insurance intermediaries with significant digital operations may need a dedicated CISO or equivalent role. Smaller intermediaries can designate a senior IT or compliance official to own cybersecurity responsibilities, proportionate to their scale and risk profile.

How does IRDAI compliance interact with RBI and CERT-In requirements?

Entities that fall under more than one regulator (for example, an insurer whose group also includes an RBI-regulated entity) must comply with every applicable framework. CERT-In's mandatory directions apply to all organizations in India and operate in parallel with IRDAI's requirements, so an incident normally has to be reported to both. The 6-hour incident reporting window applies under both IRDAI and CERT-In; filing with one does not discharge the obligation to the other.

What are the penalties for non-compliance?

IRDAI can impose penalties under the Insurance Act and IRDAI regulations, including monetary fines, restrictions on business operations, and directions for corrective action. Persistent non-compliance can affect license renewal and registration status.

Are cloud services permitted for insurance operations?

Yes, but with conditions. Insurers must ensure that cloud deployments comply with data localization requirements, customer data is encrypted, the cloud provider meets security standards acceptable to IRDAI, and the insurer retains full control and auditability of data. Cloud service agreements must include IRDAI audit rights.

© 2026 Hunto AI. Copyright. All Rights Reserved