The Insurance Regulatory and Development Authority of India (IRDAI) has released revised information and cybersecurity guidelines for insurers and intermediaries, aiming to strengthen the sector’s resilience against rising cyber threats.

The new framework focuses on stronger governance, enhanced board accountability, and continuous risk monitoring.

Quarterly Risk Oversight Made Mandatory

A key change under the revised norms is related to the Information Security Risk Management Committee (ISRMC):

  • Must now meet at least once every quarter
  • Earlier requirement: twice a year

This reflects a shift toward continuous monitoring, given the rapidly evolving cyber threat landscape.

Greater Role for Board of Directors

The guidelines significantly expand the responsibilities of company boards. They are now required to:

  • Allocate adequate budgets for cybersecurity
  • Review audit findings and non-compliance issues
  • Ensure closure of identified gaps within 12 months

This move embeds cyber risk management at the highest decision-making level.

Enhanced Independence for CISO

The role of the Chief Information Security Officer (CISO) has been strengthened:

  • Must operate independently from IT functions
  • Cannot be assigned business targets
  • Responsible for:
    • Scenario-based incident response planning
    • Compliance with directions from the Indian Computer Emergency Response Team (CERT-In)

Introduction of IT Steering Committee

A new IT Steering Committee will be set up at the senior management level to:

  • Align technology strategy with business goals
  • Oversee:
    • IT architecture
    • Procurement decisions
    • Data protection mechanisms

The committee will meet quarterly.

Removal of CITSO Role

The regulator has removed the requirement for a separate Chief IT Security Officer (CITSO). Its responsibilities will now be handled by:

  • CISO
  • Chief Technology Officer (CTO)

Stricter Compliance and Reporting Norms

  • Cybersecurity audit reports must be submitted within 30 days of completion
  • Reports must include comments from:
    • Audit committee / Risk committee / Board

Entities must also align with the Digital Personal Data Protection Act, 2023.

Tighter Controls on Outsourcing and Cloud

The revised guidelines introduce stricter rules for outsourcing and cloud usage:

  • Prior approval required for sub-outsourcing
  • Use of empanelled cloud service providers only
  • Mandatory data deletion protocols after contract completion

Focus on Future-Ready Security

To prepare for emerging risks:

  • Firms must maintain an inventory of cryptographic assets
  • Build resilience for post-quantum security environments
  • Ensure robust backup systems for critical infrastructure

Conclusion

The updated guidelines reflect IRDAI’s proactive approach to future-proof the insurance sector. By increasing accountability at the board level and strengthening operational controls, the regulator aims to build a robust and resilient cybersecurity ecosystem in India’s insurance industry.
