
Irdai revises cyber security norms, mandates stronger governance

Mumbai, Apr 9, 2026

Irdai strengthens cyber security framework with tighter board oversight, quarterly risk reviews and enhanced compliance norms for insurers and intermediaries

The Insurance Regulatory and Development Authority of India (Irdai) on Wednesday issued revised information and cyber security guidelines for regulated entities to strengthen the cybersecurity framework for insurers and intermediaries, mandating tighter governance, enhanced board accountability and more frequent risk reviews.

Under the revised norms, the Information Security Risk Management Committee (ISRMC) will now be required to meet at least once every quarter, as against the earlier requirement of two meetings annually, signalling a shift towards continuous oversight in response to a rapidly evolving threat landscape.

“In view of the evolving threat landscape and feedback received from the recommendations of various Irdai committees, the revised guidelines have been issued to enable the insurance industry to further strengthen its defences as well as related governance mechanisms to deal with emerging cyber threats,” Irdai said.

The regulator has also expanded the role of boards, requiring them to allocate adequate budgets for cybersecurity, review audit findings on non-conformities, and ensure closure of identified gaps within a 12-month timeline. These measures are aimed at embedding cyber risk management at the highest level of decision-making.

Further, the Chief Information Security Officer (CISO) has been granted greater independence: the role is clearly separated from the IT function and the CISO may not be assigned any business targets. The CISO will also be responsible for developing scenario-based incident response plans and for ensuring compliance with directions issued by the Indian Computer Emergency Response Team.

The revised framework also introduces an IT Steering Committee at the senior management level to align technology strategy with business objectives and regulatory requirements. The committee will meet quarterly and play a central role in overseeing IT architecture, procurement decisions and data protection controls.

Separately, Irdai has done away with the requirement for a separate Chief IT Security Officer (CITSO), directing entities instead to subsume these responsibilities within the roles of the CISO and the Chief Technology Officer (CTO).

On compliance, insurers and intermediaries will need to submit cybersecurity audit reports within 30 days of completion, along with comments from the audit committee, risk management committee or board, as applicable. Entities have also been asked to align their systems with the provisions of the Digital Personal Data Protection Act.

The amendments also introduce stricter controls around outsourcing and cloud infrastructure, including requirements for prior approvals for sub-outsourcing, use of empanelled cloud service providers, and mandatory data deletion protocols at the end of contracts.

Regulated entities will also have to maintain updated inventories of cryptographic assets to prepare for post-quantum security environments and ensure resilient backup systems for critical hardware.

The revised guidelines underscore the regulator’s push to future-proof the sector against rising cyber threats, while placing greater onus on boards and senior management to ensure robust cyber resilience frameworks.

[The Business Standard]
