Free Tool · 5-Minute Self-Assessment

IRDAI Cyber Guidelines Readiness Checklist

Twenty practitioner-grade questions to test whether your insurer, broker, web aggregator, or InsurTech is ready for an IRDAI cyber inspection or independent assurance — or whether you will get a remediation list longer than your policy schedule.

Questions: 20 · Time: 5 minutes · Output: score band on completion · Email gate: none

The Checklist

Answer Honestly. No One Is Watching.

Five sections, twenty yes/no questions. Click Yes only if you can produce the document or run the workflow today. Score reveals when you complete all twenty.

01 · Governance & CISO

IRDAI starts with a designated CISO and a board-approved cyber policy. Without these the rest is window-dressing.

1. A full-time CISO is appointed with documented JD, reporting to MD/CEO or board IT committee, with no operational dual-hat unless explicitly justified.
2. A board-approved Information & Cyber Security Policy exists, refreshed in the current year, with documented board minutes.
3. An Information Security Committee meets quarterly with attendance, agenda, minutes, and tracked actions.
4. Cyber risk is on the Risk Management Committee register and reported to the board at least annually.

02 · Identity, Network & Application

The IRDAI control surface across access, perimeter, and software security.

5. MFA is enforced on all privileged access, all admin interfaces, and all remote workforce; quarterly access reviews are completed and signed.
6. PAM is deployed for production system administration with session recording, approval workflow, and break-glass procedure.
7. Customer-facing services have WAF, DDoS protection, and tested IPS; SDLC includes SAST/DAST in CI for material applications.
8. Mobile customer apps are security-tested before each major release with documented findings closure.

03 · Data, Localisation & Cloud

Policyholder data, claim data, health data — encrypted, localised, and cloud-governed.

9. All policyholder PII and claims data is encrypted at rest (AES-256) and in transit (TLS 1.2+); HSM-backed keys for sensitive systems.
10. Primary copy of policyholder data is stored in India; cross-border DR (if any) has documented IRDAI-acceptable safeguards and board approval.
11. Material cloud outsourcing has board approval, vendor SOC 2 / ISO 27001 evidence, customer-controlled keys, and tested exit plan.
12. Sensitive health data has elevated controls (separate access, DLP rules, restricted analytics) consistent with DPDP sensitive-data treatment.

04 · Testing, Assurance & VAPT

Annual independent assurance plus VAPT plus quarterly scans — by qualified auditors.

13. An annual independent cyber assurance was conducted by a CERT-In empanelled or qualified reviewer, with report submitted via the IRDAI return.
14. Annual VAPT was conducted in the current cycle by a CERT-In empanelled vendor with manual exploitation, re-test letter, and audit committee acknowledgement.
15. Quarterly external vulnerability scans of internet-facing systems are documented; patch SLAs (Critical 7d, High 30d) are tracked with exception register.
16. Audit committee reviews assurance findings each cycle; remediation tracked to closure with named owners.

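Question 15 asks for patch SLAs tracked against an exception register, and the evidence an assessor wants is a per-finding status as of a date, not a spreadsheet of open tickets. The tracker below is an added illustration, not the checklist author's tooling: it takes a quarterly scan export and an exception register (both constructed inline; the field names are assumptions) and classifies each finding using the SLA values the question states, Critical 7 days and High 30 days. A lapsed exception deliberately drops the finding back into breach, since that is the case reviewers look for first.

```python
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta

# Patch SLAs exactly as question 15 states them: days from first detection to fix.
# Severities not listed here (Medium, Low) are tracked but carry no SLA clock.
SLA_DAYS = {"Critical": 7, "High": 30}


@dataclass(frozen=True)
class Finding:
    """One row of an external scan export (field names are assumptions)."""
    finding_id: str
    host: str
    severity: str
    first_seen: date
    remediated: date | None = None


@dataclass(frozen=True)
class SlaException:
    """One row of the exception register: who approved it and when it lapses."""
    finding_id: str
    approved_by: str
    expires: date
    reason: str


def due_date(f: Finding) -> date | None:
    """SLA deadline for a finding, or None when its severity has no SLA."""
    days = SLA_DAYS.get(f.severity)
    return None if days is None else f.first_seen + timedelta(days=days)


def classify(f: Finding, register: dict[str, SlaException], as_of: date) -> str:
    """Assign the audit status of one finding as of a given date.

    An exception only counts while it is unexpired; a lapsed exception puts the
    finding straight back into breach, which is what an assessor will check.
    """
    due = due_date(f)
    if f.remediated is not None:
        if due is None or f.remediated <= due:
            return "closed-in-sla"
        return "closed-late"
    if due is None:
        return "open-tracked"
    exc = register.get(f.finding_id)
    if exc is not None and exc.expires >= as_of:
        return "excepted"
    return "open-in-sla" if as_of <= due else "breached"


def sla_report(findings, exceptions, as_of):
    """Return per-finding statuses and a count per status."""
    register = {e.finding_id: e for e in exceptions}
    statuses = {f.finding_id: classify(f, register, as_of) for f in findings}
    return statuses, Counter(statuses.values())


# Constructed sample data: a quarterly scan export and the exception register.
AS_OF = date(2024, 4, 15)
FINDINGS = [
    Finding("F-001", "portal.example", "Critical", date(2024, 4, 10)),
    Finding("F-002", "api.example", "Critical", date(2024, 4, 1)),
    Finding("F-003", "vpn.example", "High", date(2024, 3, 1)),
    Finding("F-004", "mail.example", "High", date(2024, 3, 20), remediated=date(2024, 4, 2)),
    Finding("F-005", "portal.example", "Medium", date(2024, 2, 1)),
    Finding("F-006", "claims.example", "Critical", date(2024, 3, 25)),
    Finding("F-007", "api.example", "Critical", date(2024, 3, 1), remediated=date(2024, 3, 20)),
]
EXCEPTIONS = [
    SlaException("F-003", "CISO", date(2024, 6, 30), "vendor fix scheduled for Q2"),
    SlaException("F-006", "CISO", date(2024, 4, 1), "change freeze (lapsed)"),
]


def run_sample():
    """Evaluate the constructed sample; used by the stand-alone run below."""
    return sla_report(FINDINGS, EXCEPTIONS, AS_OF)


if __name__ == "__main__":
    statuses, counts = run_sample()
    for fid, status in statuses.items():
        print(f"{fid}: {status}")
    print(dict(counts))
```

The "breached" and "closed-late" lines are the ones that belong in the audit-committee pack for question 16; "excepted" lines should reconcile one-for-one against the signed exception register, and an exception that has expired should never appear as anything but a breach.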
05 · Incident, Outsourcing & DPDP

Multi-regulator incident reporting, vendor flow-down, and SDF-readiness for DPDP.

17. An incident-reporting playbook covers IRDAI (24h), CERT-In (6h), DPDP Board (72h), and policyholder notification with templates pre-drafted and tested.
18. A current outsourcing register exists with risk rating, SOC 2 / ISO 27001 evidence on file for material vendors, and refreshed flow-down clauses (post-2023).
19. A Data Protection Officer is appointed alongside the CISO with documented responsibilities for DPDP compliance.
20. DPIA template is in place for material processing including AI-driven underwriting / claims; first DPIA cycle is documented or scheduled.

What "Ready" Looks Like

Three Bands. Three Plays.

0–7: Critical exposure

Your IRDAI assurance will produce major findings. Spend the next 90 days on CISO governance fixes, encryption + localisation hygiene, mobile-app testing, and a CERT-In empanelled VAPT.

8–14: At risk

Foundations exist but you are missing 2023-update specifics — cloud-outsourcing governance, vendor flow-down, DPO/DPIA. Close these in the next 60 days with audit-committee oversight.

15–20: Audit-defensible

Your independent assurance and IRDAI inspection should land cleanly. Move to threat-led testing maturity, sectoral intel integration, vendor concentration analysis, and SDF readiness.

FAQ

Common Questions

Do I need a full-time CISO under IRDAI?

Yes for any insurer of material scale. The 2023 update narrowed the room for CIO/CTO dual-hatting. The smallest entities may justify a senior officer with cyber accountability, but the regulator has been increasingly strict on this.

What is "material outsourcing"?

IRDAI defines material outsourcing as activities whose disruption would affect customer service, regulatory compliance, or financial soundness. Cloud-hosted policy administration, claims, or customer-facing services typically qualify and require board approval.

Can I host policyholder data outside India?

The primary copy must be in India. Cross-border DR copies are permissible with board approval, encryption-key control retained by the insurer, IRDAI inspection rights flowed down, and a tested exit plan. Health data carries an additional DPDP sensitive-category baseline.

How does this overlap with DPDP?

Insurance is among the data-heaviest sectors and most insurers will be Significant Data Fiduciaries (SDFs) once DPDP thresholds are notified. Practically: DPO alongside CISO, annual DPIA, and independent data audit overlapping the IRDAI cyber assurance scope.

What is the difference between this checklist and the buyer's guide?

The checklist diagnoses readiness in 5 minutes. The full IRDAI Cyber Guidelines guide walks through every control area, the 2023 cloud update, third-party flow-down, incident reporting, DPDP overlap, and a 90-day roadmap.

Need an IRDAI roadmap?

Skip the Guesswork. Get a 90-Day Plan.

A 30-minute consultation. Walk away with a prioritised remediation list mapped to IRDAI's 2023 control surface and the gaps you must close before assurance.

No sales pitch. Responds within 24 hours.