The Insurance Regulatory and Development Authority of India has issued revised information and cyber security guidelines for regulated entities, aimed at strengthening cyber resilience across insurers and intermediaries through tighter governance, enhanced oversight, and more frequent risk assessments.
Stronger Oversight and Governance Requirements
Under the revised norms, the Information Security Risk Management Committee will now be required to meet at least once every quarter, replacing the earlier requirement of two meetings annually. The move reflects a shift towards continuous monitoring in response to a rapidly evolving threat landscape. The regulator said the updated framework is intended to help the insurance industry strengthen its defences and governance mechanisms to deal with emerging cyber risks.
Enhanced Role of Boards and Security Leadership
The revised framework expands the responsibilities of boards, requiring them to allocate adequate budgets for cybersecurity, review audit findings on non-conformities, and ensure closure of identified gaps within a 12-month period. The Chief Information Security Officer has been granted greater independence, with a clear separation from IT functions and a prohibition on business targets. The CISO will also be responsible for developing scenario-based incident response plans and ensuring compliance with directions issued by the Indian Computer Emergency Response Team.
Operational Controls and Compliance Measures Tightened
The amendments introduce stricter controls around outsourcing and cloud infrastructure, including requirements for prior approval of sub-outsourcing, use of empanelled cloud service providers, and mandatory data deletion protocols at the end of contracts. Regulated entities must maintain updated inventories of cryptographic assets to prepare for post-quantum security environments and ensure resilient backup systems for critical hardware.
The framework also introduces an IT Steering Committee at the senior management level to align technology strategy with business objectives and regulatory requirements, with quarterly meetings to oversee IT architecture, procurement decisions, and data protection controls. The regulator has removed the requirement for a separate Chief IT Security Officer, directing entities to integrate these responsibilities within the roles of the CISO and Chief Technology Officer.
Insurers and intermediaries are required to submit cybersecurity audit reports within 30 days of completion, along with comments from relevant committees or boards. Entities have also been asked to align their systems with the provisions of the Digital Personal Data Protection Act.