On April 6, 2026, the Insurance Regulatory and Development Authority of India (IRDAI) issued updated Information and Cyber Security Guidelines, which apply to regulated entities (REs), including insurers, Foreign Reinsurance Branches (FRBs), and intermediaries such as brokers, corporate agents, web aggregators, and third-party administrators (TPAs). Compliance is mandated from the current financial year, and the new guidelines replace the 2023 guidelines.

Changes from the previous guidelines

  • The Information Security Risk Management Committee (ISRMC) must now meet at least quarterly, up from twice a year.
  • The Chief Information Security Officer (CISO) must not have a direct reporting relationship with the Head of IT and must not be given business targets.
  • Exception approvals are now tiered by duration: up to three months require CISO approval; three months to one year require ISRMC approval; beyond one year require Board approval. All exceptions exceeding 12 months must undergo reassessment and re-approval, and all exceptions must formally document the associated risk.
  • Insurance intermediaries must submit their audit compliance report from a CERT-In empanelled auditor within 30 days of completion of the audit.
  • REs must now take appropriate technical and organisational measures to comply with the Digital Personal Data Protection Act (DPDP Act).
  • External penetration testing must now be grey-box or white-box testing, and conducted at least once every six months by a CERT-In empanelled auditor.
  • Organisations must maintain an up-to-date inventory of cryptographic assets to prepare for the transition to post-quantum cryptographic environments.
  • REs must contractually require service providers to obtain prior written permission before any further sub-outsourcing.
  • Cloud service providers (CSPs) must be empanelled by the Ministry of Electronics and Information Technology (MeitY) and hold a valid Standardisation Testing and Quality Certification (STQC) audit status. Organisations must sign non-disclosure agreements (NDAs) with CSPs covering privacy, confidentiality, security, and business continuity. They must contractually require CSPs to eliminate all data from disks and backups upon contract termination.
  • Immutable backup and resilient components must be available for critical hardware.

Data Protection

  • All information assets must be classified into one of four tiers: Public, Internal, Restricted, or Confidential, with security controls calibrated to each level.
  • Dual-tag any Personally Identifiable Information (PII): classify it under the standard four-tier system and separately flag it as PII.
  • Encrypt confidential information when transmitting it outside the organisation’s network, including over the internet, and when stored on mobile or removable media.
  • Review classification labels at least every two years.
  • Sensitive data that is not regularly accessed must be removed from the network and either…

Last Update: April 17, 2026