IRDAI’s information and cyber security guidelines direct insurers and insurance intermediaries to implement a structured information-security programme with board oversight, defined controls and independent assurance.
Who must comply
- Life, general and health insurers and reinsurers.
- Insurance intermediaries (brokers, corporate agents, web aggregators, TPAs) per applicability.
Key requirements
| Area | Requirement |
|---|---|
| Governance | Board-approved information & cyber security policy; a CISO; an information security committee |
| Risk management | Risk assessment, asset classification and treatment |
| Controls | Access control, encryption, network and application security, data protection |
| Assurance | VAPT and a periodic information-security audit |
| Resilience | Incident response, reporting and business continuity |
Implementation roadmap
- Establish governance, policy and a CISO function.
- Perform a gap assessment against IRDAI expectations.
- Implement controls, VAPT and monitoring.
- Undergo the periodic information-security assurance audit.
- Report and remediate; maintain continuity arrangements.
Evidence checklist
- Board-approved information & cyber security policy and CISO appointment.
- Risk assessment and asset classification.
- Control-implementation evidence and VAPT reports.
- Periodic information-security audit report.
- Incident-response and business-continuity records.
How CyberSigma helps
We run the IRDAI gap assessment, VAPT and periodic information-security audit, and help stand up governance, a CISO function and the required controls — as a CERT-In empanelled auditor.
Frequently asked questions
Does IRDAI require a cyber security audit?
Yes — insurers and intermediaries are expected to undergo periodic information/cyber security audits as part of the assurance requirements.
Need help with IRDAI Cyber Security?
Our CERT-In empanelled and PCI QSA senior auditors can take you from reading about the guidelines to demonstrable compliance through a scoped, guided programme.
