IRDAI Introduces New Cybersecurity Regulations for Indian Insurance Sector


Stronger Cybersecurity Regulations Issued for Insurers in India

The Insurance Regulatory and Development Authority of India (IRDAI) has issued revised guidelines for insurers and intermediaries, aiming to enhance their cyber resilience and address the growing threat landscape.

  • Stronger governance, regular risk reviews, and tightened controls over outsourcing and cloud infrastructure are now mandatory.
  • New regulations require the Information Security Risk Management Committee to meet at least once every quarter, up from the previous biannual schedule.
  • Boards of directors have been given a more significant role in overseeing cybersecurity efforts, including allocating sufficient budget and reviewing audit findings.
  • The Chief Information Security Officer (CISO) has been granted greater autonomy, with a clear distinction from IT functions and a ban on setting business targets.
  • Regulated entities must implement stricter controls over outsourcing and cloud infrastructure, including prior approval for subcontracting and utilizing pre-approved cloud service providers.
  • A new IT Steering Committee at the senior management level will be established to align technology strategy with business objectives and regulatory requirements.
  • Insurers and intermediaries are required to submit cybersecurity audit reports within 30 days of completion, accompanied by comments from relevant committees or boards.
  • Insurers and intermediaries must also align their systems with the provisions of the Digital Personal Data Protection Act.

“According to the IRDAI, the updated framework is designed to help the insurance industry strengthen its defenses and governance mechanisms.”

These revisions aim to enhance the overall cybersecurity posture of the insurance industry in India and promote a culture of robust risk management and compliance.


