惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

量子位
云风的 BLOG
云风的 BLOG
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
The Hacker News
The Hacker News
Martin Fowler
Martin Fowler
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
U
Unit 42
F
Full Disclosure
H
Hackread – Cybersecurity News, Data Breaches, AI and More
Recorded Future
Recorded Future
Security Archives - TechRepublic
Security Archives - TechRepublic
阮一峰的网络日志
阮一峰的网络日志
T
Threatpost
P
Privacy International News Feed
GbyAI
GbyAI
Stack Overflow Blog
Stack Overflow Blog
MongoDB | Blog
MongoDB | Blog
I
Intezer
Recent Announcements
Recent Announcements
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
P
Privacy & Cybersecurity Law Blog
A
Arctic Wolf
博客园 - 聂微东
博客园 - 叶小钗
Cisco Talos Blog
Cisco Talos Blog
H
Help Net Security
S
Schneier on Security
Y
Y Combinator Blog
D
Darknet – Hacking Tools, Hacker News & Cyber Security
T
The Exploit Database - CXSecurity.com
T
Tor Project blog
月光博客
月光博客
NISL@THU
NISL@THU
A
About on SuperTechFans
Spread Privacy
Spread Privacy
Blog — PlanetScale
Blog — PlanetScale
D
DataBreaches.Net
雷峰网
雷峰网
C
CXSECURITY Database RSS Feed - CXSecurity.com
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
博客园 - 【当耐特】
G
Google Developers Blog
W
WeLiveSecurity
P
Palo Alto Networks Blog
The Last Watchdog
The Last Watchdog
K
Kaspersky official blog
博客园 - 司徒正美
L
LINUX DO - 热门话题
小众软件
小众软件

MEDIANAMA

India in talks with US, Anthropic for Mythos access; no Indian firms in Project Glasswing yet Including OTTs in TRAI’s spam protection draft rules a ‘regulatory overreach’: IAMAI Eternal Q4FY26: All Users Pay Higher Platform Fee, Only Some Get Discounts Amazon, Meta to challenge PhonePe-Google Pay dominance as UPI cap delayed since 2020 Meta failed to protect the safety of under-13s: European Commission If markets and regulators are ready for network slicing, we are ready: JIO Why defining ‘news’ won’t fix the free speech problems of draft IT Rules? #NAMA Eternal Q4FY26: Goyal Dismisses AI Disruption Risk as Zomato Quietly Builds Agentic Commerce Infrastructure Karnataka files appeal challenging the bike taxi ban lift in the Supreme Court How did WhatsApp turn 17 govt. flags into 9,400 digital arrest scam bans? Google Wallet integrates Aadhaar as digital ID, expands India’s mobile identity ecosystem Kerala HC issues notice on MediaOne’s Facebook page block in India MeitY warns VPN providers against enabling access to blocked betting platforms Shreya Singhal targeted private censorship. Today’s threat is the State #NAMA Amazon scales its quick delivery service ‘Amazon Now’ in 100 cities Can MeitY issue binding rules via advisories? Experts raise alarm over draft IT Rules #NAMA How 2019 election code of ethics became India’s three-hour content takedown mandate #NAMA Australia proposes new levy on big tech to fund news, opens draft law for consultation ‘judge, jury, executioner’: experts warn of Inter-Departmental Committee (IDC) overreach under New draft IT Rules Lowdown: TRAI flags low deployment under PM-WANI in public Wi-Fi consultation paper Why the NBFC licence matters for MobiKwik China blocks Meta-Manus deal, asserts origin-country jurisdiction: what this means for India ‘No transparency’: experts warn of expanding powers to block online speech in India #NAMA X launches standalone iOS messaging app XChat with encryption in India How India’s content takedown framework was built and where It has gone wrong #NAMA Claude Mythos puts India on alert: CERT-In, telcos, banks assess unprecedented cyber risks Explained: why did the RBI cancel Paytm’s banking licence? Meta now instantly blocks content in India Govt. asks ZEE5 to halt ‘Lawrence of Punjab’ web series release Online Gaming Rules notified, to be in effect from May 1, what are the major changes? RBI mandates additional factor authentication for e-mandates No notice, no explanation, no recourse: how content creators experience censorship in India #NAMA Telangana Police invokes UAPA to demand TeluguScribe’s user data from X Lowdown: RBI releases draft PPI rules covering capital requirements, wallet limits & escrow norms MeitY tightens AI label rules, mandates continuous disclosure Watch Live: IT Rules and the Future of Online Speech in India, Delhi April 23, #NAMA Govt. defends 4 PM YouTube ban, cites foreign influence and ‘digital lobbying’ in Delhi HC Anthropic’s Mythos AI accessed without approval via third-party vendor route: Report YouTube expands AI likeness detection tool to celebrities amid deepfake surge ECI orders 3-hour takedown rule for AI and fake content in elections Final Call: IT Rules and the Future of Online Speech in India, Delhi April 23, #NAMA Announcing Speakers: Victims of Censorship | IT Rules and the Future of Online Speech in India, Delhi April 23, #NAMA Apple withholds financial data as India App Store antitrust case heads to final hearing Sony rolls out age checks in Playstation in the UK, users to prove age to access chat Vercel confirms hack via third-party AI tool, says sensitive data safe Karnataka High Court stays blocking orders against Proton Mail J&K DMs impose sweeping 60-day social media curbs; IFF calls them “illegal, overbroad” Flipkart plans ticketing entry, food delivery pilot in May ahead of IPO ANI v OpenAI: Not Everything an LLM Does is Copyright Infringement EU’s “safe by design” age-verification app cracked in minutes, raising data security fears Molitics’ Instagram suspended days after Facebook ban Speaker Announcement: IT Rules and the Future of Online Speech in India, April 23, 2026, Delhi X has only responded to 13 out of 94 takedown notices since 2024: Centre tells Gujarat HC Jio Financial Services Q4FY26 profit declines 14% to Rs 272 crore Bombay HC cracks down on fake ‘NSE’ social media handles amid rising impersonation fraud Government drops proposal to mandate Aadhaar app on smartphones Ola’s Krutrim quietly shuts down its agentic AI assistant ‘Kruti’ Anthropic taps Peter Thiel-backed Persona for Claude ID checks, raising DPDP concerns YouTube rolls out option to turn off Shorts, expands time controls Amnesty calls for ‘immediate withdrawal’ of India’s 2026 IT Amendment Rules, cites threat to free speech and privacy European Commission proposes Google have to share search data with rivals under the DMA AIGEG: MeitY’s new AI governance body excludes regulators recommended by its own AI guidelines Amazon acquires Globalstar for $11.57 Billion: What it means for India European Commission rolls out privacy-focused age verification app for child safety Reading List: IT Rules and the future of online speech in India, April 23, Delhi #NAMA Digital rule, colonial echo – India’s IT Rules 2021 amendments Agenda: IT Rules and the future of online speech in India, Delhi, April 23 #NAMA Motorola gets court order to block YouTube videos critical of its phones in India Apple and Google promote ‘nudify’ apps despite policy bans, report finds National security could be used to mandate registration of online games HBO Max enters India via JioHotstar partnership Andhra Pradesh police detain stand-up comedian Anudeep Katikala over YouTube video jokes Aptoide sues Google for app store monopoly, alleges ‘anticompetitive chokehold’ HBO Pushes X to Unmask User Behind Euphoria Season 3 Spoilers Delhi HC directs DoT, MeitY to take action against Tucows for failing to take down infringing URLs in Premier League case Claude users say accounts suspended after being incorrectly flagged as minors MeitY may let users, intermediaries join content-blocking hearings Sucheta Dalal challenges Delhi Court order using ‘Right to Be Forgotten’ in Sterling Biotech case Govt launches Rs 10,000 Cr Startup India Fund of Funds 2.0 to bridge early-stage funding gap in deep tech Advisories as Law? Panelists Debate Legal Sanctity Under Draft IT Rules Amendments Independent journalists in Punjab allege censorship by ruling AAP using copyright strikes, IT act Supreme Court Issues Notice on PIL Seeking Biometric Verification of Voters Fact-check: MP Nishikant Dubey’s claim on X community notes & Australian tax is false “No scientific evidence”: 438 scientists call for pause on age-based controls until benefits and risks understood Developer partially bypasses Google’s AI watermark, undermining detection India’s deepfake rules rely on Event Announcement: IT Rules and the Future of Online Speech in India, April 23, #NAMA UK plans jail risk for tech executives over failure to remove intimate images Press bodies demand ‘unconditional withdrawal’ of draft amendment to IT Rules, warns of free speech threat Zoho revenue crosses Rs 12,000 crore in FY25, but profit slips 3% YouTube’s AI avatar tool for Shorts raises questions around India’s deepfake rules, personality rights Instagram expands safety settings on teen accounts with 13+ content ratings Digi Yatra is eyeing international travel roll-out with passport-based enrolment Meta’s new AI model Muse Spark is coming to WhatsApp. Here is what that means for Indian users Andhra Pradesh explores DigiLocker age tokens for social media curbs on children aged 13-16 Kunal Kamra tells Bombay HC police sent “thousands” of takedown notices via Sahyog portal Extra safeguard for the elderly: RBI suggests trusted person approval for high-value digital payments Delhi court orders Google to remove Sterling Biotech case links, cites ‘right to be forgotten’ RBI Proposes 1-hour delay, customer controls for digital payments as frauds surge Should only MIB-authorised apps be allowed to stream free TV on Smart TVs? TRAI Seeks Inputs OpenAI releases child safety policy framework recommendations to combat AI-enabled CSAM
Lowdown: Insurers have to comply with DPDP as IRDAI updates Cyber Security Guidelines
Prabhanu Kumar Das · 2026-04-17 · via MEDIANAMA

Issued on April 6, 2026, the Insurance Regulatory and Development Authority of India (IRDAI) updated its Information and Cyber Security Guidelines, which apply to regulated entities (REs), including insurers, Foreign Reinsurance Branches (FRBs), and intermediaries such as brokers, corporate agents, web aggregators, and third-party administrators (TPAs). Compliance is mandated from the current financial year, replacing the 2023 guidelines.

Changes from the previous guidelines

  • The Information Security Risk Management Committee (ISRMC) must now meet at least quarterly, up from twice a year.
  • The Chief Information Security Officer (CISO) must not have a direct reporting relationship with the Head of IT and must not be given business targets.
  • Exception approvals are now tiered by duration: up to three months require CISO approval; three months to one year require ISRMC approval; beyond one year require Board approval. All exceptions exceeding 12 months must undergo reassessment and re-approval, and all exceptions must formally document the associated risk.
  • Insurance intermediaries must submit their audit compliance report from a CERT-In empanelled auditor within 30 days of completion of the audit.
  • REs must now take appropriate technical and organisational measures to comply with the Digital Personal Data Protection Act (DPDP Act).
  • External penetration testing must now be grey-box or white-box testing, and conducted at least once every six months by a CERT-In empanelled auditor.
  • Organisations must maintain an up-to-date inventory of cryptographic assets to prepare for the transition to post-quantum cryptographic environments.
  • REs must contractually require service providers to obtain prior written permission before any further sub-outsourcing.
  • Cloud service providers (CSPs) must be empanelled by the Ministry of Electronics and Information Technology (MeitY) and hold a valid Standardisation Testing and Quality Certification (STQC) audit status. Organisations must sign non-disclosure agreements (NDAs) with CSPs covering privacy, confidentiality, security, and business continuity. They must contractually require CSPs to eliminate all data from disks and backups upon contract termination.
  • Immutable backup and resilient components must be available for critical hardware.

Data Protection

  • All information assets must be classified into one of four tiers: Public, Internal, Restricted, or Confidential, with security controls calibrated to each level.
  • Dual-tag any Personally Identifiable Information (PII): classified under the standard four-tier system and separately flagged as PII.
  • Encrypt confidential information when transmitting it outside the organisation’s network, including over the internet, and when stored on mobile or removable media.
  • Review classification labels at least every two years.
  • Sensitive data that is not regularly accessed must be removed from the network and either operated as a standalone system or fully virtualised and powered off until needed.

Strengthening Cybersecurity Measures

  • Access to all systems must follow the principles of least privilege, need-to-know, segregation of duties, and individual accountability.
  • Users must change passwords every 45 days; previously used passwords must be blocked from reuse.
  • Privileged access must be limited to those with documented business justification, comprehensively logged, and reviewed at regular intervals. Vendors and contractors must not gain privileged access without close supervision and monitoring.
  • Organisations must deploy perimeter security, including firewalls and intrusion detection systems, segment networks based on data classification, implement micro-segmentation to counter lateral movement, and deploy WAFs for all web-facing applications.
  • All connections to high-severity systems from outside the organisation’s network require two-factor authentication.
  • Organisations must implement DMARC, SPF, and DKIM standards to reduce the prevalence of spoofed emails, use DNS filtering to block malicious domains, and deploy sandboxing to analyse and block malicious email attachments.
  • Cryptographic controls must be applied based on data classification. Organisations must define a key management lifecycle, protect keys from modification and loss, and not transmit keys over networks unless through secure channels.
  • Risk assessments must be conducted at least annually and ahead of major technology changes, new outsourcing arrangements, or granting external access to critical systems

Audits and Compliance

  • An independent assurance team must carry out an annual audit and present the audit plan and findings to the Audit Committee, RMC, or Board, as applicable.
  • The independent assurance auditor must be rotated every three years.
  • Insurers must submit their audit report to IRDAI within 90 days of the end of the financial year or within 30 days of audit completion, whichever is earlier.
  • All cyber incidents must be reported to CERT-In within six hours of detection, with copies to IRDAI and other relevant regulators.
  • Business Continuity Planning (BCP) and Disaster Recovery (DR) plans must be tested at least annually, with results reported to the ISRMC. Tests must cover real disaster scenarios, not only planned shutdowns.

Other Key Clauses

  • FRBs must comply with these guidelines on a comply-or-explain basis, subject to a reasonably justifiable explanation.
  • Insurance agents, micro-insurance agents, point-of-sale persons, and individual surveyors fall outside the guidelines’ direct scope; however, insurers must ensure that these entities follow a minimum security framework defined under the insurer’s Board-approved policy.
  • The CISO may engage externally certified forensic experts for investigations as and when required.
  • Organisations must participate in national and sectoral cybersecurity exercises and drills, such as CERT-In’s Cyber Security Exercises Programme.
  • All third-party vendor contracts must include right-to-audit clauses. If a vendor holds a valid ISO 27001 certification covering the scope of the services provided, the organisation may waive periodic audits, subject to the vendor’s self-certification and submission of valid certification copies.
  • For remote work, organisations must provision VPN, endpoint protection, data encryption, and data loss prevention (DLP) mechanisms on all user systems, and must conduct hardening checks on systems returned to the office.

Also read

Post navigation

Under the Commission’s proposal, Google would have to share a set of anonymised data including user queries, clicks, rankings and search result pages, with rivals in the European Economic Area

Amnesty urges withdrawal of Draft IT Amendment Rules 2026, citing censorship and surveillance risks.