Introduction
The Insurance Regulatory and Development Authority of India (IRDAI) introduced comprehensive Cyber Security Guidelines in 2023 to bolster the cyber resilience of insurers and intermediaries. The IRDAI Cyber Security Guidelines establish robust frameworks to protect critical information assets, mitigate cyber risks, and ensure compliance with regulatory standards.
The IRDAI Cyber Security Guidelines apply to:
All insurers, including life, general, health insurers, and foreign reinsurance branches (FRBs).
Insurance intermediaries such as brokers, third-party administrators, web aggregators, and others regulated by IRDAI.
Third-party service providers (like vendors) engaged by insurers, who must align with the insurer’s board-approved security policies.
Excluded Entities:
Insurance agents, micro-insurance agents, point-of-sale personnel, and individual surveyors fall outside the scope of these guidelines. However, insurers must ensure these entities adhere to a minimum security framework outlined in their internal policies.
The guidelines are structured across 24 Security Domains, covering all critical aspects of cyber security management.
Some key domains include:
Data Classification
Access Control Management
Asset Management
Human Resource Security
Cryptographic Controls
Cloud Security Policy
Incident and Problem Management
Business Continuity Management & Disaster Recovery (BCM & DR)
Third-Party Service Provider Management
Mobile Security Policy
Work from Remote Locations
Monitoring, Logging, and Assessments
Cyber Resilience Strategy
Legal and Regulatory Compliance
These domains ensure comprehensive cyber security coverage, addressing both preventive and corrective measures.
To ensure continuous compliance, regulated entities must undergo annual independent audits. Several annexures are included in the guidelines to assist with audit planning, execution, and reporting:
Annexure I: Applicability of the NIST Framework to all regulated entities.
Annexure II: Classification of Insurance Intermediaries based on their gross insurance revenue.
Annexure III: Auditor’s Report – Includes a summary of findings, non-compliance areas, risk rating, and the audit checklist.
Annexure IV: Eligibility Criteria for the audit firm.
Annexure V: Audit Certificate template for insurers and intermediaries.
Annexure VI: Specific Audit Certificate template for Foreign Reinsurance Branches (FRBs).
The audit reports must be submitted to IRDAI within 90 days of the financial year-end or 30 days from audit completion, whichever is earlier. Compliance with CERT-In directives is also required for reporting and responding to cyber incidents.
The IRDAI Cyber Security Guidelines provide a holistic framework to ensure the safety, resilience, and compliance of the insurance sector. Insurers and intermediaries must integrate these principles across their operations to safeguard customer data, ensure business continuity, and align with regulatory requirements. With 24 distinct security domains and structured audit mechanisms, these guidelines offer a pathway for continuous cyber risk management and compliance.