What Happened
- The Insurance Regulatory and Development Authority of India (IRDAI) has issued revised Information and Cyber Security Guidelines, strengthening the cybersecurity governance framework for all insurance entities operating in India.
- The guidelines mandate enhanced board-level accountability, a stronger and independent Chief Information Security Officer (CISO), faster incident reporting, and data-centric security measures.
- The revised framework builds upon the IRDAI Cyber Security Guidelines of 2023, tightening compliance obligations and timelines.
- All insurers, insurance intermediaries, and licensed insurance-related entities must comply with the revised requirements.
Static Topic Bridges
IRDAI: Mandate, Composition, and Regulatory Role
The Insurance Regulatory and Development Authority of India (IRDAI) is a statutory body established under the IRDAI Act, 1999, to regulate and develop the insurance industry in India. It operates under the Ministry of Finance and is headquartered in Hyderabad.
- Established by the IRDAI Act, 1999; became operational in April 2000.
- Mandate: Protect policyholders' interests, regulate insurers and intermediaries, develop the insurance sector, and ensure orderly growth of the market.
- IRDAI has powers to issue regulations, guidelines, and circulars; grant and cancel licences; conduct inspections; and impose penalties.
- The Authority consists of a Chairperson and not more than five whole-time members and four part-time members, all appointed by the Central Government.
- Under IRDAI's "Insurance for All by 2047" vision, the penetration target is significantly higher than India's current ~4% insurance penetration rate.
Connection to this news: IRDAI's revised cyber guidelines reflect its expanding regulatory remit — from solvency and policyholder protection to operational risk including digital and cyber threats, as insurance companies increasingly operate on digital platforms handling vast amounts of sensitive financial and health data.
Cybersecurity Regulation in India: The Multi-Regulator Framework
India's cybersecurity regulatory landscape involves multiple sectoral regulators, each issuing sector-specific guidelines. IRDAI covers insurance, RBI covers banks and NBFCs (through its Master Directions on IT and Cyber Risk), SEBI covers capital markets, and TRAI covers telecom. Across all sectors, CERT-In (Computer Emergency Response Team — India) under the Ministry of Electronics and Information Technology acts as the national nodal agency.
- CERT-In, established under Section 70B of the IT Act, 2000, is mandated to collect, analyse, and disseminate information on cyber incidents; issue alerts and advisories; and coordinate incident response.
- CERT-In's 2022 directions require mandatory reporting of cyber incidents within 6 hours — one of the world's most stringent reporting timelines.
- The IRDAI revised guidelines align with CERT-In's 6-hour reporting requirement for critical cyber incidents.
- The Digital Personal Data Protection Act, 2023 (DPDPA) adds another layer: personal data breaches must be notified to the Data Protection Board.
Connection to this news: The IRDAI guidelines place insurance under the same 6-hour incident reporting obligation that CERT-In mandates across sectors, creating a more unified national cyber incident response ecosystem.
Key Provisions of the Revised IRDAI Cyber Security Framework
The revised guidelines significantly upgrade governance, technical, and organisational requirements for cyber risk management in the insurance sector.
- Board Accountability: Boards of insurance companies must allocate adequate cybersecurity budgets, review audit findings, and ensure identified gaps are closed within 12 months.
- CISO Independence: The Chief Information Security Officer must be independent of IT operations, have no business performance targets, and report directly to the board/senior management.
- Incident Reporting: Cyber incidents must be reported to both IRDAI and CERT-In within 6 hours of detection.
- Data-Centric Security: Emphasis on securing data itself (encryption, data masking) rather than only network perimeters.
- Governance Committee: The Information Security Risk Management Committee must meet at least quarterly (earlier: twice annually).
- Scope: Applies to all insurers (life, general, health, reinsurers), foreign reinsurance branches, insurance intermediaries (brokers, corporate agents, web aggregators, TPAs (third-party administrators), IMFs (insurance marketing firms)), the Insurance Information Bureau of India (IIB), and insurance repositories.
Connection to this news: The expansion of scope to intermediaries and the elevation of board accountability reflect a maturing regulatory approach, moving from compliance checklists to embedded cyber risk governance; this matters particularly as insurance fraud and data theft are rising.
Key Facts & Data
- IRDAI established: 1999 (Act); operational: 2000; HQ: Hyderabad.
- CERT-In: nodal cybersecurity agency under Section 70B of the IT Act, 2000.
- Incident reporting timeline: 6 hours to IRDAI and CERT-In.
- Board must close identified security gaps within 12 months.
- Information Security Risk Management Committee: minimum quarterly meetings.
- Applicable entities: all insurers, intermediaries, FRBs (foreign reinsurance branches), IIB, insurance repositories.
- India's insurance penetration rate: approximately 4% of GDP (target: significantly higher by 2047).
- DPDPA 2023: complementary personal data breach notification requirement.