IRDAI Information & Cyber Security Guidelines
IRDAI's comprehensive guidelines mandating information security, cyber risk management, incident response, and data protection measures for all insurers and intermediaries in India.
Issued by the Insurance Regulatory and Development Authority of India, these guidelines establish mandatory cybersecurity standards for all insurance entities operating in India. The framework requires insurers to implement an Information Security Management System (ISMS), appoint a Chief Information Security Officer (CISO), conduct regular security audits, and establish incident response mechanisms. It covers data protection, business continuity, vendor management, and secure software development, and it mandates reporting of material cyber incidents to IRDAI within specified timelines, in line with broader Digital India initiatives.
- Mandates board-level accountability with designated CISO roles, ensuring cybersecurity receives C-suite attention and adequate resource allocation across insurance organizations
- Establishes standardized incident response protocols and breach notification timelines (6 hours for critical incidents), enabling faster regulatory coordination and policyholder protection
- Requires periodic third-party security audits and vulnerability assessments, helping insurers identify and remediate weaknesses before exploitation
- Strengthens protection of sensitive policyholder data including health records, financial information, and KYC documents through encryption and access control mandates
- Promotes cyber insurance adoption within the insurance industry itself, creating awareness and driving market development for cyber risk products
- Many smaller insurance brokers and corporate agents lack dedicated cybersecurity teams and struggle with CISO appointment requirements due to cost and talent scarcity
- Inconsistent implementation of encryption standards across legacy policy administration systems, with several insurers still operating on outdated mainframe architectures vulnerable to modern threats
- Weak vendor risk management practices, particularly with third-party administrators (TPAs), web aggregators, and point-of-sale agents who handle significant customer data without adequate oversight
- Limited cyber incident reporting compliance, with delays beyond mandated timelines and underreporting of incidents categorized as 'non-material' despite potential cumulative impact
- Inadequate employee security awareness training, evidenced by continued success of phishing attacks targeting insurance agents and back-office staff accessing core systems
- Star Health and Allied Insurance suffered a massive data breach disclosed in 2024, exposing sensitive medical records, Aadhaar details, and policy information of roughly 31 million customers through Telegram chatbots and on the dark web, highlighting gaps in database access controls and third-party API security despite the IRDAI guidelines being in place.
- HDFC Life Insurance reported a ransomware incident in 2021 affecting internal systems, requiring immediate incident reporting to IRDAI and triggering business continuity protocols, demonstrating the operational resilience testing aspects of the guidelines.
- SBI General Insurance faced phishing attacks in 2022 targeting customer portals, prompting IRDAI to issue specific advisories on multi-factor authentication and secure customer communication channels across the insurance sector.
- Implement zero-trust architecture and micro-segmentation across policy administration, claims processing, and distribution systems to limit lateral movement during breaches
- Establish comprehensive third-party risk management programs with contractual security obligations, regular audits of TPAs, insurance repositories, and aggregator platforms handling policyholder data
- Deploy advanced threat detection tools including Security Information and Event Management (SIEM), User and Entity Behavior Analytics (UEBA), and automated incident response capabilities beyond basic compliance
- Conduct regular red team exercises and breach simulation drills involving business continuity teams, with specific scenarios for ransomware, DDoS attacks, and insider threats unique to insurance operations
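The behaviour-analytics detection recommended above, and the bulk-retrieval pattern behind the Star Health incident, as an added example that is not from this page, from IRDAI, or from any insurer: a minimal UEBA-style check in Python that parses constructed policy-API access logs, builds each principal's own hourly baseline of distinct policyholder records retrieved, and raises an alert when an hour exceeds both an absolute floor and a multiple of that baseline. The log format, the principal names (`agent-42`, `tpa-key-17`), the thresholds, and the sample data are all assumptions made for the example.

```python
"""Added example: per-principal baseline detection of bulk policy-record access.

Not the code of any real SIEM or UEBA product. The log line format below is an
assumed one; the thresholds are assumptions a SOC would tune to its own data.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import median

# Assumed log format: "<iso8601Z> principal=<id> action=<verb> policy=<id> src=<ip>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) principal=(?P<principal>\S+) action=(?P<action>\S+) "
    r"policy=(?P<policy>\S+) src=(?P<src>\S+)$"
)

ABS_FLOOR = 20  # assumed: never alert below this many distinct records in an hour
FACTOR = 5.0    # assumed: alert when an hour exceeds 5x the principal's own median


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc
    )
    return event


def hourly_distinct(events):
    """Map principal -> {hour_start -> set of distinct policy ids touched}."""
    buckets = defaultdict(lambda: defaultdict(set))
    for e in events:
        hour = e["ts"].replace(minute=0, second=0, microsecond=0)
        buckets[e["principal"]][hour].add(e["policy"])
    return buckets


def detect_bulk_access(lines, abs_floor=ABS_FLOOR, factor=FACTOR):
    """Flag hours in which a principal reads far more distinct records than usual.

    The baseline is the median of that principal's earlier hours, so a TPA key
    that normally services a handful of policies stands out when it suddenly
    walks thousands of records, while a brand-new principal is judged only
    against the absolute floor.
    """
    events = [e for e in map(parse_line, lines) if e]
    alerts = []
    for principal, hours in hourly_distinct(events).items():
        ordered = sorted(hours)
        for i, hour in enumerate(ordered):
            prior = [len(hours[h]) for h in ordered[:i]]
            count = len(hours[hour])
            baseline = median(prior) if prior else 0
            if count >= abs_floor and count > factor * max(baseline, 1):
                alerts.append({
                    "principal": principal,
                    "hour": hour.isoformat(),
                    "distinct_records": count,
                    "baseline": baseline,
                })
    return alerts


def _fmt(ts, principal, policy, src):
    return f"{ts.strftime('%Y-%m-%dT%H:%M:%SZ')} principal={principal} action=GET_POLICY policy={policy} src={src}"


def build_sample_logs():
    """Constructed sample data, not real traffic from any insurer."""
    lines = []
    base = datetime(2024, 9, 12, 9, 0, tzinfo=timezone.utc)
    # agent-42: four policies an hour for four hours (ordinary servicing)
    for h in range(4):
        for k in range(4):
            ts = base + timedelta(hours=h, minutes=5 * k)
            lines.append(_fmt(ts, "agent-42", f"POL{1000 + h * 4 + k:05d}", "10.4.2.9"))
    # tpa-key-17: five policies an hour for three hours, then 120 distinct
    # records in forty minutes (the bulk-retrieval pattern to catch)
    for h in range(3):
        for k in range(5):
            ts = base + timedelta(hours=h, minutes=7 * k)
            lines.append(_fmt(ts, "tpa-key-17", f"POL{3000 + h * 5 + k:05d}", "203.0.113.5"))
    for k in range(120):
        ts = base + timedelta(hours=3, seconds=20 * k)
        lines.append(_fmt(ts, "tpa-key-17", f"POL{5000 + k:05d}", "203.0.113.5"))
    return lines


if __name__ == "__main__":
    for alert in detect_bulk_access(build_sample_logs()):
        print(alert)
```

Counting distinct records rather than raw requests is deliberate: a legitimate integration may poll the same policy many times, whereas exfiltration touches many different policyholders once each. In a real deployment the baseline would come from weeks of history per principal (and per source network), and the absolute floor would be set from the volume a single agent or TPA workflow plausibly needs.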
Updated 6/4/2026 · refreshed weekly