Beyond Compliance: Insights from the IRDAI Cybersecurity Guidelines

INTRODUCTION

On 6 April 2026, the Insurance Regulatory and Development Authority (“IRDAI”) issued Information and Cyber Security Guidelines, 2026 (“Guidelines”) replacing the erstwhile 2023 framework. The Guidelines are applicable to all insurers (including foreign re-insurance branches) and insurance intermediaries (“Regulated Entities”).

The Guidelines are a direct regulatory reaction to a recent series of high-profile data breaches within the insurance sector, and this article summarises the key changes introduced by the Guidelines.

GOVERNANCE STRUCTURE

The Guidelines streamline the IT governance structure by making the following key changes: 

  1. Accountability for the board of directors: Earlier, the board of directors’ role was generically defined. The regulator now explicitly requires the board of directors to receive and review the status of non-conformities identified during the annual cybersecurity audit, approve timelines for closure of gaps and ensure that gaps are closed within 12 months of reporting.
  2. IT Steering Committee: The Guidelines require each Regulated Entity to constitute an IT Steering Committee (“ITSC”), responsible for the IT strategy of the organisation and implementation of IT architecture meeting statutory and regulatory compliance.

    The creation of the ITSC separates the “IT execution” function from “security oversight”. The Information Security Risk Management Committee is expected to focus on risk and compliance, whereas the ITSC is expected to focus on implementation.
  3. Appointment of an IT expert: The Guidelines require Regulated Entities to appoint one or more independent external experts to the Risk Management Committee. These experts must possess substantial IT or cybersecurity expertise.

    This is a notable requirement, as at least one independent voice with cybersecurity expertise is expected to scrutinise the entire programme from outside the management chain.
  4. Board Budgeting: The regulator requires the board of directors of each Regulated Entity to provide a sufficient cybersecurity budget that is proportional to the organisation’s risk appetite. 

    The requirement for “sufficient” and “proportional” budgeting lacks any defined benchmark and creates a “hindsight trap”, where a Regulated Entity could be held liable post-breach simply because the regulator determines, in retrospect, that the budget was insufficient, regardless of the actual sum spent.

  5. Independence of CISO: To prevent business functions from influencing cybersecurity functions, the Guidelines explicitly prohibit Regulated Entities from making the Chief Information Security Officer (“CISO”) report to the head of IT (usually the Chief Technology Officer (“CTO”)). The CISO cannot be assigned business targets. 

    Additionally, the CISO is designated to be the convener of the Information Security Risk Management Committee (which reports to the Risk Management Committee) and a permanent invitee to the newly mandated IT Steering Committee.

    Further, the regulator requires the CISO to be “adequately staffed with people having relevant technical expertise”, implying that a solo CISO with no team would be non-compliant. Regulated Entities must therefore budget for an entire CISO office.

  6. Elimination of Control Management Committee and Chief Information Technology Security Officer: The regulator has abolished the erstwhile requirement to constitute a “Control Management Committee”, merging its functions into the “Risk Management Committee”. The regulator has also abolished the requirement to appoint a “Chief Information Technology Security Officer”, whose functions are now to be absorbed by the CISO and the CTO.
  7. Frequent meetings: The frequency at which the Information Security Risk Management Committee is supposed to convene has increased from twice a year to quarterly, signalling that the regulator requires Regulated Entities to view cyber risk as an evolving threat that demands frequent scrutiny.

SECURITY DOMAIN POLICIES

Unlike other Indian financial sector regulators that favour principles-based frameworks allowing for institutional flexibility, IRDAI remained uniquely prescriptive under the erstwhile framework. It specified the terms of information security policies (such as data classification policy, cloud security policy, etc.) required to be implemented by Regulated Entities.

The Guidelines attempt to soften the regulator’s prescriptive image, clarifying that these information security policies constitute “guidance” for Regulated Entities to frame their own policies. 

The latest Guidelines mandate that these domain policies “shall be a part of” the Regulated Entity’s approved infosec policy, and many of the specific controls within these policies are mirrored word-for-word as controls that an auditor is required to assess as part of the annual cybersecurity audit.

In practice, we expect Regulated Entities will be required to adopt the guidance prescribed, unless a deviation can be adequately justified on the basis that it neither conflicts with the guidance nor gives rise to cyber security risks.

SUB-CONTRACTING

The Guidelines prescribe nuanced and stringent supply chain controls to be implemented by Regulated Entities. Regulated Entities must now include provisions that prohibit third-party service providers from further outsourcing any activity without prior written permission.

Requiring prior written permission for sub-outsourcing is incompatible with the modern-day tech economy. Hyperscale service providers (for instance, large cloud service providers) change sub-processors frequently and will not be able to seek permission from thousands of Regulated Entities, effectively forcing Regulated Entities to choose between technical non-compliance and abandoning major service providers. That said, we believe careful implementation of “deemed consent” provisions (wherever appropriate) for subcontracting would enable Regulated Entities to meet the regulatory bar.

CLOUD SERVICES AND LOCALISATION

The regulator’s security domain policies prohibit Regulated Entities from using any cloud service providers unless they are empanelled with the Ministry of Electronics and Information Technology with a valid STQC audit status. For any cloud service provider to be empanelled with the Ministry of Electronics and Information Technology, it must have data centres in India. 

While the insurance regulator has indicated in the past that certain datasets must be stored in data centres in India, the localisation requirement under the Guidelines broadly applies to any cloud service provider, including any “software-as-a-service provider”. Most specialised software-as-a-service tools (from actuarial modelling to niche HRMS systems) operate on a globally distributed basis and may not use government-empanelled data centres in India. The IRDAI has, like the securities regulator, effectively outlawed overseas deployment of software stacks offered by global players.

The Guidelines also require all Regulated Entities to bind their cloud service providers to “completely eliminate any trace” of data upon termination of their engagement.

Accordingly, Regulated Entities must review all their cloud service provider relations for government empanelment and renegotiate contracts to include mandatory data deletion clauses.

SEGREGATION

Taking a cue from the securities regulator, and to prevent group security incidents from spilling over to the Regulated Entity’s infrastructure, the IRDAI requires infrastructure, networks, and databases to be logically and/or physically segregated where a Regulated Entity shares resources with its group companies.

Where a service provider provides services to group companies, IT personnel with cross-entity access must also be segregated wherever possible.

As a matter of practice, most Regulated Entities share IT resources (for instance, data centres, network backbone, security operations centre, employees, etc.) across their group, and sometimes even through an in-house “shared services” entity. Large insurance groups, consisting of life insurance, general insurance, asset management, and sometimes a broking arm, all draw from the same infrastructure pool.

The Guidelines now require these Regulated Entities to review their segregation practices.

COMPLIANCE WITH THE DIGITAL PERSONAL DATA PROTECTION ACT

The Guidelines explicitly require all insurers and insurance intermediaries to implement technical and organisational measures to comply with the Digital Personal Data Protection Act, 2023 (“DPDPA”). Compliance in this regard would be evaluated as part of the regulatory annual audit. 

Accordingly, the compliance requirement for a Regulated Entity is now three-tiered: the CERT-In directions, the Guidelines (concerned with information and cybersecurity), and the DPDPA (concerned with lawfulness of processing and data rights).

PENETRATION TESTING STANDARDS

The regulator has moved from less intrusive “black box penetration testing” to more intrusive “grey/white box penetration testing” for all internet-facing information systems. Moreover, these tests must now be conducted by a CERT-In empanelled auditor.

Grey and white box testing may require Regulated Entities to provide auditors with internal architectural details, credentials, or source code. This requirement assumes that the Regulated Entity possesses an exhaustive inventory of all components that constitute internet-facing systems, even where it relies on third parties for these systems. Accordingly, Regulated Entities must gear up to secure this inventory from their third-party service providers in sufficient granularity.

Additionally, this requirement creates a risk of disclosure of critical information (quite often, trade-secret data) to auditors that may often serve competitors of the auditee. Putting in place appropriate confidentiality controls for the auditor’s team that undertakes testing therefore becomes imperative.

KEY TAKEAWAYS

The Guidelines represent the regulator’s response to the structural vulnerabilities exposed by recent data breaches in the insurance sector. The regulator has fundamentally altered the governance architecture within which cybersecurity decisions are made and imposed significant new obligations on Regulated Entities. The regulator’s effort to prescribe fewer committees and clearer reporting lines creates accountability and transparency. 

Grey-box and white-box penetration testing, local server requirements, sub-outsourcing restrictions and the obligation to segregate IT resources across group entities: each of these demands careful implementation and, in many cases, contractual renegotiation with third-party vendors. In practice, this will require the incorporation of provisions relating to minimum security standards, audit and inspection rights, incident notification timelines, subcontracting controls, business continuity commitments, vulnerability management, and cooperation with regulatory or audit requirements.

By incorporating DPDPA compliance into the annual cybersecurity audit, the regulator has confirmed that data protection and cybersecurity are not parallel obligations but overlapping mandates with distinct authorities, obligations, and penalty regimes.

The changes introduced by the Guidelines signal the regulatory intent that cybersecurity is a core governance obligation that requires board attention, independent oversight and adequate resourcing. For Regulated Entities, the immediate priority is implementation, and demonstrating that implementation to auditors, the regulator, and the market.