IRDAI Cyber Security Guidelines

IRDAI's Cyber Security Guidelines 2026 supersede the 2023 framework with quarterly ISRMC, CISO independence, and stricter outsourcing and cloud controls. Compliance is mandatory from the current financial year.


IRDAI Cyber Security Compliance

The IRDAI Information and Cyber Security Guidelines 2026 (dated 6 April 2026) supersede the 2023 framework. Key changes: quarterly ISRMC meetings (up from semi-annual), CISO independence from IT with no business targets, new IT Steering Committee, 30-day audit submission, DPDPA alignment, stricter outsourcing and cloud controls, and post-quantum cryptographic readiness.

CISO Appointment and Independence

Appoint a CISO who is separate from IT and carries no business targets, per Clause 6 of the 2026 Guidelines, and who is responsible for scenario-based IRPs and CERT-In compliance.

Board-Approved IS Policy and DPDPA Alignment

Develop board-approved IS Policy per Clause 8 covering data classification, IAM, cryptography, and DPDPA integration.

Annual VAPT Programme

Annual VAPT per Clause 18 covering external perimeter, internal network, web applications, and critical insurance systems.

ISRMC and Steering Committee Gap Review

Assess governance structures against 2026 requirements for quarterly ISRMC per Clause 5 and IT Steering Committee per Clause 7.

Outsourcing Risk Assessment

Evaluate IT vendors against 2026 outsourcing controls per Clauses 28-32: prior sub-outsourcing approvals, empanelled CSPs, and data deletion.

Post-Quantum Readiness Evaluation

Assess cryptographic infrastructure against post-quantum readiness per Clause 20, building a crypto asset inventory and migration roadmap.

SOC Design and Implementation

Design 24/7 SOC per Clause 19 meeting IRDAI detection, alerting, and response obligations for policyholder data and core operations.

Outsourcing and Cloud Controls

Implement the 2026 outsourcing and cloud controls per Clauses 28-32: prior approval of sub-outsourcing, use of empanelled CSPs, and data deletion at contract end.

CERT-In Reporting and Incident Response

Implement scenario-based IRPs per Clause 14, 6-hour CERT-In notification, and IRDAI cyber incident templates with tabletop exercises.

Cryptographic Asset Inventory

Build crypto asset inventory and post-quantum readiness measures per Clause 20, covering key management and algorithm migration.

Data Classification and IAM

Implement data classification and IAM per IS Policy Clause 8, covering RBAC, PAM, and MFA for insurance systems.

Scenario-Based IRP Development

Develop scenario-based IRPs per Clause 14 covering ransomware, data breach, insider threat, and cloud incident scenarios.

Quarterly ISRMC Reviews

Prepare materials and support quarterly ISRMC reviews per Clause 5 with compliance status, risk assessments, and board reporting.

30-Day Audit Submission

Prepare audit reports for 30-day submission per Clause 22, including evidence organisation, control validation, and auditor coordination.

Annual VAPT Programme

Ongoing annual VAPT per Clause 18 with remediation tracking and retest validation across all scoped systems.

CISO Independence Assurance

Periodic review ensuring CISO independence from IT per Clause 6, no business targets, and correct reporting lines.

Vendor Security Monitoring

Continuous monitoring of IT vendors against the outsourcing and cloud controls in Clauses 28-32, including sub-outsourcing approvals and data deletion at contract end.

Regulatory Update Tracking

Track IRDAI circulars, guideline amendments, and CERT-In directions, implementing changes within regulatory timelines.

Do the IRDAI Cyber Security Guidelines Apply to Your Organisation?

All Insurers Including FRBs

All insurance companies regulated by IRDAI, including life, non-life, health, reinsurance, and Foreign Reinsurance Branches (FRBs), must comply with the 2026 Guidelines and submit audit reports within 30 days.

Insurance Intermediaries and Brokers

Insurance brokers, corporate agents, web aggregators, IMFs, Insurance Repositories, ISNPs, corporate surveyors, MISPs, and CSCs are all covered for policyholder data protection and incident reporting.

TPAs, IIB and Other Entities

Third-Party Administrators processing health claim data, the Insurance Information Bureau of India (IIB), and all other covered entities must meet the 2026 Guidelines including VAPT, CISO appointment, and incident reporting.

How We Build Your IRDAI 2026 Compliance Programme

A structured six-phase process from initial gap assessment against the 2026 Guidelines through to ongoing quarterly reviews and audit submission.

Phase 01
IRDAI 2026 Guidelines Gap Assessment

Gap-assess current IS controls against the IRDAI 2026 Guidelines for your entity type, covering ISRMC, CISO independence, IT Steering Committee, and DPDPA alignment requirements.

Phase 02
CISO Appointment and Governance Setup

Appoint CISO with IT independence, establish ISRMC and IT Steering Committee with quarterly cadences, develop board-approved IS Policy, and integrate DPDPA compliance.

Phase 03
IS Policy and DPDPA Alignment

Develop comprehensive board-approved IS Policy covering data classification, IAM, cryptography, network security, third-party risk, BCP, and incident response with DPDPA integration.

Phase 04
VAPT, SOC, and Cloud Controls

Execute annual VAPT, design or evaluate SOC capability, implement outsourcing and cloud controls (sub-outsourcing approvals, empanelled CSPs, data deletion), and build cryptographic asset inventories for post-quantum readiness.

Phase 05
Audit Submission and Incident Reporting

Prepare audit reports for 30-day submission to IRDAI, document CERT-In and IRDAI incident reporting, develop scenario-based incident response plans, and conduct tabletop exercises.

Phase 06
Ongoing Quarterly Reviews and Assurance

Quarterly ISRMC reviews, 30-day audit submissions, annual VAPT, vendor security monitoring, CISO independence assurance, and regulatory update tracking to sustain IRDAI 2026 compliance year-round.

Questions We Get Asked Often

IRDAI Cyber Security Guidelines 2026 supersede the 2023 guidelines, mandating quarterly ISRMC oversight, CISO independence from IT, IT Steering Committee establishment, 30-day audit submission, DPDPA alignment, outsourcing and cloud controls, and post-quantum readiness for all IRDAI-regulated entities.

All IRDAI-regulated entities including insurers, intermediaries, FRBs, and IIB must comply with the updated cyber security guidelines.

The 2026 guidelines require CISO independence from IT functions, IT Steering Committee formation, quarterly ISRMC reviews, 30-day audit submission timelines, DPDPA alignment, cloud security controls, and post-quantum cryptography readiness.

IRDAI can impose penalties up to ₹1 crore per day of non-compliance, direct remedial measures, and in severe cases restrict new business or licence renewals. The 30-day audit submission window is strictly enforced.

Insurance companies with existing IS governance typically achieve compliance in 3 to 5 months. New insurers or those requiring SOC and VAPT programmes may need 6 to 9 months.

Meet the IRDAI Cyber Security Guidelines 2026

Start with a gap assessment against the IRDAI 2026 Guidelines for your entity type and build a clear roadmap to compliance.