IRDAI · Insurance · Updated June 2026

Complete guide to IRDAI cyber guidelines

Information and Cyber Security Guidelines for insurers, reinsurers, brokers, web aggregators, and InsurTech. Mandatory CISO, board-approved policy, annual independent assurance, sectoral incident reporting, and what to ship before your IRDAI inspection.

CISO
Mandatory
Annual
Independent assurance
₹1 cr
Penalty per violation
CERT-In
Empanelled auditor

01What IRDAI cyber guidelines cover

The Insurance Regulatory and Development Authority of India issued comprehensive Information and Cyber Security Guidelines first in 2017, with substantive updates in 2023 covering cloud adoption, board governance, and cross-references to DPDP. The guidelines are control-oriented across identity, network, application, data, and operational security domains, with a strong emphasis on board-level accountability.

Unlike CSCRF's MITRE-mapped granularity, IRDAI's framework is principle-led but with explicit minimum control expectations. The 2023 update narrowed many of those principles into measurable obligations — particularly around cloud, third-party assurance, and incident reporting.

What's new in the 2023 update: explicit cloud security obligations including data residency, board-approval thresholds for material outsourcing, vendor risk uplift, and incident reporting alignment with CERT-In April 2022 directions.

02Who they apply to

  • Life insurers, general insurers, health insurers, reinsurers — direct in-scope.
  • Insurance brokers, corporate agents, web aggregators — proportionate to scale.
  • Third-party administrators (TPAs) — separately regulated under TPA regulations with cyber overlap.
  • InsurTech / digital intermediaries — covered through their licensed principal's flow-down obligations.
  • IRDAI's regulatory sandbox participants — required to demonstrate proportionate controls.

03Governance & CISO

  • CISO — mandatory, full-time, reporting to MD/CEO or board IT committee. Cannot dual-hat as CTO/CIO except for the smallest entities with documented justification.
  • Board-level Information & Cyber Security Policy — refreshed annually, documented minutes.
  • Information Security Committee — at executive level; quarterly cadence; reviews posture, incidents, audit findings.
  • Risk Management Committee — cyber risk on its register; reported to the board.
  • Annual cyber report to IRDAI through the prescribed return.

04Identity, network, application security

  • Identity — MFA on privileged access and remote workforce; quarterly access review with manager certification; PAM for production system administration.
  • Network — perimeter segmentation; DMZ for internet-facing services; intrusion prevention; web-application firewall on customer-facing services; DDoS protection for transaction platforms.
  • Application — SDLC with secure coding, SAST/DAST in CI for material applications, OWASP Top-10 baseline testing, mobile-app hardening for customer apps, secrets management.
  • Endpoint — managed endpoints with EDR; encryption; remote-wipe capability; BYOD policy if applicable.

05Data security & localisation

  • Encryption — AES-256 at rest, TLS 1.2+ in transit; encryption-key management with HSM-backed keys for sensitive systems.
  • Classification — policyholder PII, financial data, health data (sensitive), business-confidential, public.
  • Data localisation — policyholder and claim data primarily stored in India; cross-border transfer permissible with safeguards (intra-group, regulator-approved, contractual).
  • Retention — policy + claim records per IRDAI prescribed periods (typically 8–10 years post-claim closure); secure destruction at end of life.
  • DLP — for sensitive policyholder data on email, endpoint, cloud channels.

06Cloud-based insurance services

The 2023 update created an explicit cloud-services regime. Material insurance services on cloud require:

  • Board approval for material outsourcing.
  • Risk assessment documented; vendor SOC 2 / ISO 27001 evidence on file.
  • Data residency — primary copy in India; DR copy may be cross-border under conditions.
  • Encryption keys — controlled by the insurer; HSM-backed; key-revocation tested.
  • Exit / portability — documented exit plan, data extraction tested.
  • IRDAI inspection rights — flowed down to cloud provider via contract.

07Annual independent assurance

  • Annual cyber assurance by an independent reviewer — typically CERT-In empanelled auditor or qualified accounting firm with cyber competence.
  • Assurance scope — full guideline-control surface, with sample testing.
  • Report submission to IRDAI through the prescribed return; remediation plan with target dates.
  • Audit committee oversight — assurance findings reviewed; remediation tracked to closure.

08VAPT & vulnerability management

  • Annual VAPT by CERT-In empanelled vendor; manual exploitation expected.
  • Quarterly external vulnerability scans.
  • Patch SLAs — Critical 7 days, High 30 days, Medium 90 days; documented exception register.
  • Re-test of high/critical findings within 30 days.
  • Mobile-app testing for customer apps before each major release.

09Incident reporting

TriggerAuthorityWindow
Cyber incident (significant)IRDAIWithin 24 hours of detection
Cyber incidentCERT-InWithin 6 hours (April 2022 direction)
Personal data breachDPDP Board (when Rules notified)72 hours
Material policyholder impactIRDAI + affected policyholders"Without undue delay"
Outsourcing partner breachIRDAISame window as own breach

10Third-party & outsourcing

  • Outsourcing register — every material vendor inventoried with risk rating.
  • Pre-engagement due diligence — SOC 2 / ISO 27001 / equivalent; right-to-audit; sub-processor disclosure.
  • Material vendor assurance — annual review, breach notification clause, exit plan.
  • TPA-specific — separate TPA regulatory framework with overlapping cyber expectations.
  • IRDAI flow-down — inspection rights and breach-reporting obligations flowed to vendors.

11DPDP overlap

Insurance is among the most data-intensive sectors. Most insurers will be classified as Significant Data Fiduciaries (SDFs) under DPDP §10 once thresholds are notified. Practical implications:

  • Data Protection Officer (DPO) appointment alongside CISO.
  • Annual DPIA for material processing including AI-driven underwriting and claims.
  • Independent data audit alongside annual cyber assurance.
  • Health-data sensitivity creates higher consent and security baselines.
  • Cross-border transfer of health data — extra scrutiny.

12Common mistakes

  • CISO dual-hatting as CTO/CIO without explicit IRDAI permission.
  • Cloud adoption without board approval for the material outsourcing.
  • Policyholder data replicated to cross-border DR without localisation safeguards.
  • Annual assurance scope excluding cloud workloads on the basis that "the cloud provider is certified."
  • Health-data treated like ordinary PII despite DPDP sensitive category.
  • TPA contracts that pre-date 2023; missing flow-down clauses.
  • Mobile customer apps without per-release security testing.
  • VAPT performed by non-empanelled vendor; finding rejected at inspection.

1390-day roadmap

  • Days 1–15. Read the 2023 update end-to-end; gap-register against current state. CISO appointment letter validated; ISC charter refreshed.
  • Days 15–30. Cloud-services inventory; localisation audit; encryption-key holder review; HSM-backed key migration plan.
  • Days 30–45. VAPT scoped with empanelled vendor; quarterly scan cadence formalised; mobile-app test integrated to release pipeline.
  • Days 45–60. Outsourcing register refreshed; material vendor SOC 2 / ISO 27001 evidence pulled; flow-down clauses checked.
  • Days 60–75. Annual independent assurance scoped; DPIA template ready for SDF expectations; incident-reporting playbook tested.
  • Days 75–90. Audit committee briefing; IRDAI return draft prepared; gap closure into ticket system with named owners.
If you remember nothing else: IRDAI's 2023 update meaningfully tightened cloud, vendor, and incident expectations. A pre-2023 cyber programme will fall short on the explicit cloud, localisation, and outsourcing controls. Re-baseline against the 2023 text before the next assurance cycle.

From scattered controls to IRDAI-ready

A 30-minute consultation. We map your environment to the IRDAI guideline control surface and give you a 90-day roadmap prioritised by inspection risk.

Book Free Consultation Take readiness check (5 min)