India Regulatory Hub
IRDAI · IRDA Act 1999 · Insurance Act 1938 · est. 1999 · Insurers · Reinsurers · Brokers · Web Aggregators

Insurance Regulatory and Development Authority of India

Information & Cyber Security Guidelines 2023 — 14 security domains for every IRDAI-regulated entity.

Regulated entities: Insurers, reinsurers, brokers, aggregators
Key guideline: Info & Cyber Security Guidelines, Apr 2023
Recent enforcement: Directions for IT/outsourcing lapses, 2024
Next key deadline: Annual SAR filing — within 90 days of FY end
Layer 0 — Framework overview · free

IRDAI's Information and Cyber Security Guidelines, issued in April 2023, replace the 2017 and 2022 versions and extend coverage beyond insurers to reinsurers, brokers, web aggregators and insurance repositories. The guidelines are organised into 14 security domains spanning governance, people, assets, access, cryptography, operations, suppliers, incidents, continuity and audit.

Governance anchors the framework: the board must constitute an Information Security Committee (ISC), appoint a CISO, and approve the IS policy annually. Every domain carries explicit evidence expectations — board minutes, training records, access-review reports, patch logs — which makes the guidelines unusually audit-ready compared with peer regulators.

The signature filing is the annual Security Audit Report (SAR): a qualified IS auditor assesses the entity against all 14 domains and the report is submitted to IRDAI. Cyber incidents must be notified to IRDAI within 6 hours (in parallel with CERT-In), with a post-incident report inside 21 days.

Uniquely among Indian financial regulators, IRDAI mandates special controls for health data: explicit consent for processing, restricted access to medical records and a prohibition on sharing without consent — obligations that now interlock with the DPDP Act's consent and significant-data-fiduciary regimes.

The layers below give you the full 14-domain catalogue with evidence requirements, an applicability matrix across the five regulated entity classes, the filing calendar and the penalty framework under the Insurance Act.

Primary sources: IRDAI Guidelines on Information and Cyber Security for Insurers, April 24, 2023. Supersedes 2017 and 2022 guidelines. Applies to all IRDAI-regulated entities: insurers, reinsurers, insurance brokers, web aggregators, and insurance repositories.

Version history
Last verified: 2026-06-17
Version | Date | Updated by | What changed
v1.0 | June 2026 | Hemant Sahay | Initial publication — all 5 regulator pages (RBI, SEBI, IRDAI, CERT-In, DPDP), control catalogues, applicability matrices, calendars, penalties, cross-regulator content, 12 templates, 18 glossary terms
