The Insurance Regulatory and Development Authority of India (IRDAI) has issued comprehensive cyber security and IT governance guidelines applicable to all insurers (life, general, and health) and insurance intermediaries (insurance brokers, corporate agents, web aggregators, and insurance marketing firms) operating in India. The guidelines — updated through the 2023 Information and Cyber Security Guidelines — establish mandatory requirements for IT governance, cyber security management, data protection, business continuity, and cyber incident reporting aligned with India's evolving cyber security regulatory ecosystem.
IRDAI's cyber security requirements mandate a Board-approved Information and Cyber Security Policy, a designated CISO (for insurers above specified premium thresholds), a 24x7 Security Operations Centre, quarterly Vulnerability Assessments, annual Penetration Testing, and mandatory cyber incident reporting to IRDAI within 6 hours of detection. The guidelines also address cloud adoption, third-party IT outsourcing, and the security of policyholder data — which constitutes sensitive personal and financial information under both IRDAI guidelines and the DPDP Act 2023.