- Download a copy of the Information and Cybersecurity Guidelines here.
- Download a copy of the list of amendments here.
Issued on April 6, 2026, the Insurance Regulatory and Development Authority of India (IRDAI) updated its Information and Cyber Security Guidelines, which apply to regulated entities (REs), including insurers, Foreign Reinsurance Branches (FRBs), and intermediaries such as brokers, corporate agents, web aggregators, and third-party administrators (TPAs). Compliance is mandated from the current financial year, replacing the 2023 guidelines.
Changes from the previous guidelines
- The Information Security Risk Management Committee (ISRMC) must now meet at least quarterly, up from twice a year.
- The Chief Information Security Officer (CISO) must not have a direct reporting relationship with the Head of IT and must not be given business targets.
- Exception approvals are now tiered by duration: up to three months require CISO approval; three months to one year require ISRMC approval; beyond one year require Board approval. All exceptions exceeding 12 months must undergo reassessment and re-approval, and all exceptions must formally document the associated risk.
- Insurance intermediaries must submit their audit compliance report from a CERT-In empanelled auditor within 30 days of completion of the audit.
- REs must now take appropriate technical and organisational measures to comply with the Digital Personal Data Protection Act (DPDP Act).
- External penetration testing must now be grey-box or white-box testing, and conducted at least once every six months by a CERT-In empanelled auditor.
- Organisations must maintain an up-to-date inventory of cryptographic assets to prepare for the transition to post-quantum cryptographic environments.
- REs must contractually require service providers to obtain prior written permission before any further sub-outsourcing.
- Cloud service providers (CSPs) must be empanelled by the Ministry of Electronics and Information Technology (MeitY) and hold a valid Standardisation Testing and Quality Certification (STQC) audit status. Organisations must sign non-disclosure agreements (NDAs) with CSPs covering privacy, confidentiality, security, and business continuity. They must contractually require CSPs to eliminate all data from disks and backups upon contract termination.
- Immutable backup and resilient components must be available for critical hardware.
Data Protection
- All information assets must be classified into one of four tiers: Public, Internal, Restricted, or Confidential, with security controls calibrated to each level.
- Dual-tag any Personally Identifiable Information (PII): classified under the standard four-tier system and separately flagged as PII.
- Encrypt confidential information when transmitting it outside the organisation’s network, including over the internet, and when stored on mobile or removable media.
- Review classification labels at least every two years.
- Sensitive data that is not regularly accessed must be removed from the network and either operated as a standalone system or fully virtualised and powered off until needed.
Strengthening Cybersecurity Measures
- Access to all systems must follow the principles of least privilege, need-to-know, segregation of duties, and individual accountability.
- Users must change passwords every 45 days; previously used passwords must be blocked from reuse.
- Privileged access must be limited to those with documented business justification, comprehensively logged, and reviewed at regular intervals. Vendors and contractors must not gain privileged access without close supervision and monitoring.
- Organisations must deploy perimeter security, including firewalls and intrusion detection systems, segment networks based on data classification, implement micro-segmentation to counter lateral movement, and deploy WAFs for all web-facing applications.
- All connections to high-severity systems from outside the organisation’s network require two-factor authentication.
- Organisations must implement DMARC, SPF, and DKIM standards to reduce the prevalence of spoofed emails, use DNS filtering to block malicious domains, and deploy sandboxing to analyse and block malicious email attachments.
- Cryptographic controls must be applied based on data classification. Organisations must define a key management lifecycle, protect keys from modification and loss, and not transmit keys over networks unless through secure channels.
- Risk assessments must be conducted at least annually and ahead of major technology changes, new outsourcing arrangements, or granting external access to critical systems
Audits and Compliance
- An independent assurance team must carry out an annual audit and present the audit plan and findings to the Audit Committee, RMC, or Board, as applicable.
- The independent assurance auditor must be rotated every three years.
- Insurers must submit their audit report to IRDAI within 90 days of the end of the financial year or within 30 days of audit completion, whichever is earlier.
- All cyber incidents must be reported to CERT-In within six hours of detection, with copies to IRDAI and other relevant regulators.
- Business Continuity Planning (BCP) and Disaster Recovery (DR) plans must be tested at least annually, with results reported to the ISRMC. Tests must cover real disaster scenarios, not only planned shutdowns.
Other Key Clauses
- FRBs must comply with these guidelines on a comply-or-explain basis, subject to a reasonably justifiable explanation.
- Insurance agents, micro-insurance agents, point-of-sale persons, and individual surveyors fall outside the guidelines’ direct scope; however, insurers must ensure that these entities follow a minimum security framework defined under the insurer’s Board-approved policy.
- The CISO may engage externally certified forensic experts for investigations as and when required.
- Organisations must participate in national and sectoral cybersecurity exercises and drills, such as CERT-In’s Cyber Security Exercises Programme.
- All third-party vendor contracts must include right-to-audit clauses. If a vendor holds a valid ISO 27001 certification covering the scope of the services provided, the organisation may waive periodic audits, subject to the vendor’s self-certification and submission of valid certification copies.
- For remote work, organisations must provision VPN, endpoint protection, data encryption, and data loss prevention (DLP) mechanisms on all user systems, and must conduct hardening checks on systems returned to the office.
Also read
- Why the IRDAI Is Not Allowing Insurance Manufacturing Licenses for VC-Backed Fintechs
- Explained: CERT-In’s space cybersecurity framework brings 6-hour reporting and audit mandates for satellite operators
- India’s Insurance Regulator Orders Audit of Dark Patterns, 15-Day Deadline Set
For You
- Read Reasoned by Nikhil Pahwa: How AI is changing our world
- Sign up for MediaNama's Daily Newsletter to receive regular updates
- Sponsor a MediaNama Event





















