IRDAI Cyber Security Guidelines

Introduction

The Insurance Regulatory and Development Authority of India (IRDAI) introduced comprehensive Cyber Security Guidelines in 2023 to bolster the cyber resilience of insurers and intermediaries. The IRDAI Cyber Security Guidelines establish robust frameworks to protect critical information assets, mitigate cyber risks, and ensure compliance with regulatory standards.


Applicability of the Guidelines

The IRDAI Cyber Security Guidelines apply to:

  • All insurers, including life, general, health insurers, and foreign reinsurance branches (FRBs).

  • Insurance intermediaries such as brokers, third-party administrators, web aggregators, and others regulated by IRDAI.

  • Third-party service providers (like vendors) engaged by insurers, who must align with the insurer’s board-approved security policies.

Excluded Entities:

  • Insurance agents, micro-insurance agents, point-of-sale personnel, and individual surveyors fall outside the scope of these guidelines. However, insurers must ensure these entities adhere to a minimum security framework outlined in their internal policies.


Security Domains in the IRDAI Guidelines

The guidelines are structured across 24 Security Domains, covering all critical aspects of cyber security management.

Some key domains include:

  1. Data Classification

  2. Access Control Management

  3. Asset Management

  4. Human Resource Security

  5. Cryptographic Controls

  6. Cloud Security Policy

  7. Incident and Problem Management

  8. Business Continuity Management & Disaster Recovery (BCM & DR)

  9. Third-Party Service Provider Management

  10. Mobile Security Policy

  11. Work from Remote Locations

  12. Monitoring, Logging, and Assessments

  13. Cyber Resilience Strategy

  14. Legal and Regulatory Compliance

These domains ensure comprehensive cyber security coverage, addressing both preventive and corrective measures.


Audit Process and Annexures for Compliance

To ensure continuous compliance, regulated entities must undergo annual independent audits. Several annexures are included in the guidelines to assist with audit planning, execution, and reporting:

  • Annexure I: Applicability of the NIST Framework to all regulated entities.

  • Annexure II: Classification of Insurance Intermediaries based on their gross insurance revenue.

  • Annexure III: Auditor’s Report – Includes a summary of findings, non-compliance areas, risk rating, and the audit checklist.

  • Annexure IV: Eligibility Criteria for the audit firm.

  • Annexure V: Audit Certificate template for insurers and intermediaries.

  • Annexure VI: Specific Audit Certificate template for Foreign Reinsurance Branches (FRBs).

The audit reports must be submitted to IRDAI within 90 days of the financial year-end or 30 days from audit completion, whichever is earlier. Compliance with CERT-In directives is also required for reporting and responding to cyber incidents.


Conclusion

The IRDAI Cyber Security Guidelines provide a holistic framework to ensure the safety, resilience, and compliance of the insurance sector. Insurers and intermediaries must integrate these principles across their operations to safeguard customer data, ensure business continuity, and align with regulatory requirements. With 24 distinct security domains and structured audit mechanisms, these guidelines offer a pathway for continuous cyber risk management and compliance.


Copyright © 2024 Seconize Technologies Pvt Ltd. All rights reserved.