HYDERABAD – In a bid to enhance cybersecurity resilience in the insurance sector, the Insurance Regulatory and Development Authority of India (IRDAI) has issued a new directive mandating regulated entities, insurance intermediaries, and training institutes to report cyber incidents within six hours of detection. This move comes as part of IRDAI’s ongoing efforts to strengthen cybersecurity governance, ensure rapid response mechanisms, and minimize potential damage caused by cyber threats.
Rapid Cyber Incident Reporting Now Mandatory
According to the latest circular, regulated entities (REs) must immediately notify IRDAI of any cyber incident in a prescribed format within six hours of detection or being informed. This strict timeline aligns with the growing need for proactive cybersecurity measures in an era where data breaches and ransomware attacks have become increasingly common.
Failure to comply with the reporting requirements may lead to regulatory scrutiny and potential penalties, reinforcing the necessity for organizations to have a well-structured incident response plan.
Enhanced Cybersecurity Measures for Insurance Entities
Apart from fast-tracking cyber incident reporting, the IRDAI directive highlights several key cybersecurity requirements that regulated entities must follow to ensure better risk management and data security:
1. Maintaining and Monitoring ICT Logs for 180 Days
Organizations are required to store and continuously monitor all ICT infrastructure and application logs for a rolling period of 180 days. This measure ensures better traceability of cyber threats and helps forensic teams investigate security breaches effectively.
2. Synchronizing System Clocks for Accuracy
To ensure proper correlation of cybersecurity events, all critical systems must synchronize their clocks with authorized Network Time Protocol (NTP) servers, such as those managed by the National Informatics Centre (NIC) or the National Physical Laboratory (NPL). This step will help eliminate discrepancies in forensic investigations.
3. Implementation of a Cyber Crisis Management Plan (CCMP)
The directive mandates the adoption of a Cyber Crisis Management Plan (CCMP), which acts as a proactive approach to cyber threats by outlining specific response procedures for cyber-attacks. This ensures business continuity and minimal disruption in case of a breach.
4. Onboarding Certified Forensic Experts Without Delay
Regulated entities must empanel forensic auditors in advance and be prepared to onboard them immediately to conduct investigations and root cause analysis of cyber incidents. This proactive approach is intended to eliminate delays in forensic investigations and ensure faster mitigation of security breaches.
5. Avoiding Conflicts of Interest in Cybersecurity Operations
To uphold the integrity of forensic investigations, IRDAI has emphasized that vendors handling Security Operation Centres (SOC), attack surface monitoring, Red Teaming, or cybersecurity audits must not serve as forensic auditors for the same entity. This provision ensures impartiality and prevents potential conflicts of interest in cybersecurity assessments.
ALSO READ: Now Open: Pan-India Registration for Fraud Investigators!
Board-Level Accountability & Compliance Reporting
To reinforce strict compliance, IRDAI has directed all regulated entities, including insurance intermediaries, to present these cybersecurity measures to their Board in the next meeting and submit the minutes to IRDAI. This ensures greater accountability at the highest levels of organizational decision-making.
Strengthening Cyber Defenses in the Insurance Sector
With cyber threats evolving at an unprecedented pace, IRDAI’s latest mandate signifies a firm stance on cybersecurity governance in India’s insurance sector. By enforcing swift incident reporting, real-time monitoring, and forensic readiness, the regulatory body aims to build a resilient digital infrastructure capable of mitigating risks and protecting customer data.
These new cybersecurity provisions place greater responsibility on insurance companies and intermediaries to stay vigilant, proactive, and well-prepared against emerging cyber threats. Failure to comply with these mandates may lead to regulatory consequences, making it imperative for organizations to align their cybersecurity strategies with IRDAI’s guidelines.
As cyber risks continue to pose serious threats to financial institutions, IRDAI’s directive serves as a wake-up call for the insurance sector to elevate its cybersecurity readiness and ensure customer trust and business continuity in the face of digital threats.