IRDAI Information & Cyber Security Guidelines 2023 — Insurer Playbook

Compliance Playbook | Cybersecurity | 21 Apr 2026 | Status: in-force
Statutory deadline
Guidelines effective 24 April 2023; annual Assurance Audit filed to IRDAI within 90 days of FY end or 30 days of audit completion, whichever is earlier (Clause 1.10). Cyber incidents reportable to CERT-In within 6 hours with copy to IRDAI (Policy 2.10 Clause 3.5).
TL;DR

The IRDAI Information and Cyber Security Guidelines, 2023 (issued 24 April 2023) bind every Indian insurer — life, general, health, reinsurers, Foreign Re-Insurance Branches — and every IRDAI-regulated intermediary (brokers, TPAs, web aggregators, IMFs, corporate agents) to constitute an Information Security Risk Management Committee, appoint a CISO reporting to the top risk executive, complete an annual independent Assurance Audit, conduct VAPT at least annually plus six-monthly external penetration testing on internet-facing assets, report cyber incidents to CERT-In within 6 hours with copy to IRDAI, and file the signed Annexure III audit report with Board comments within 90 days of financial-year end or 30 days of audit completion, whichever is earlier.

Veritect Legal Intelligence

TL;DR for founders

If your InsurTech business sells or services through an Indian insurer, broker, TPA or web aggregator, your partner is bound by the IRDAI Information and Cyber Security Guidelines, 2023 (issued 24 April 2023). That means you will face an ISO 27001-shaped security questionnaire, a Board-signed risk rating under Annexure III Part C, a 6-hour CERT-In reporting flow-down, and annual re-verification by a CERT-In-empanelled external auditor. Budget ₹8–15 lakh for first-time ISO 27001 certification and a current VAPT. First step this week: ask each insurer partner for a copy of their Information Security Risk Management Committee (ISRMC) questionnaire and the Annexure III Part C risk-rating template.


Who this playbook is for

In scope — "Regulated Entities" directly bound by the Guidelines (Clause 1.4):

  • Insurers — every life insurer, general insurer, health insurer and reinsurer registered with IRDAI
  • Foreign Re-Insurance Branches (FRBs) — with a specific Annexure VI audit certificate track where IT systems interface with overseas parent companies
  • Insurance Intermediaries — Insurance Brokers, Third-Party Administrators (TPAs), Insurance Web Aggregators, Insurance Marketing Firms (IMFs), Corporate Agents, Insurance Self-Network Platforms (ISNPs), Insurance Repositories, and every other entity regulated by the IRDAI

Not in scope (Clause 1.4, second paragraph):

  • Insurance Agents, Micro-Insurance Agents, Point of Sale Persons, Individual Surveyors
  • BUT — the Insurer is responsible for ensuring these entities follow a minimum security framework under the Insurer's Board-approved policy. The flow-down is contractual, not regulatory-direct.

Contractually in scope (non-REs):

  • InsurTech technology vendors, SaaS partners, cloud providers and managed security service providers serving any regulated entity — caught through Policy 2.14 (Third-party service providers) of the Guidelines, which mandates annual third-party security assessments as part of the insurer's Assurance Audit.
  • IT Systems interfacing with overseas parent companies in an FRB setup — explicitly addressed in Clause 1.10, fifth paragraph, with its own Annexure VI audit track.

Key definitional anchor: "Information Assets" under Clause 1.2 covers data in electronic, printed, written, facsimile and spoken form, including servers, desktops, network equipment, network media, storage media and paper — the definition is deliberately broad and applies throughout the information lifecycle from creation to disposal.


Prerequisites

Everything below must be in place before the insurer's Audit Committee can credibly sign off on the annual Assurance Audit report. The Guidelines are a policy-and-assurance instrument — the evidence lives in Board minutes, ISRMC minutes, the Information and Cyber Security Policy (ICSP) and the 24 domain policies (Sections 2.1 through 2.24).

Documents needed:

  • Board-approved Information and Cyber Security Policy (ICSP) owned by the CISO and maintained by the Information Security Team (Clause 1.5 Para III)
  • 24 Security Domain Policies (Sections 2.1 through 2.24 of the Guidelines — Data Classification, Access Control, Personnel Security, Third-Party Service Providers, Monitoring/Logging/Assessment, Cloud Security, Cyber Resilience, Email Security, Work from Remote Location, Dealing Room Operations, IT Rules 2021, and 13 more)
  • Board-approved Business Continuity Plan and Disaster Recovery Plan with stated RTO/RPO per critical service (Policy 2.13) and an annual live DR test
  • Information asset register with classification per Policy 2.1 (Public / Internal / Restricted / Confidential) and a PII sub-tag
  • Vendor inventory classified by information security risk per Policy 2.14, with vendor risk-assessment cadence
  • NIST Cybersecurity Framework applicability matrix per Annexure I (the Guidelines explicitly adopt NIST CSF functions: Identify, Protect, Detect, Respond, Recover)
  • Gross Insurance Revenue classification per Annexure II (for intermediaries — drives the depth of controls required)
  • CERT-In Annexure II Point of Contact submission current
  • Annual Audit plan approved by the Audit Committee / Board / Principal Officer per Clause 1.10

Roles required (Clause 1.6):

  • Board of Directors — receives quarterly Information Security updates; approves CISO appointment and the ICSP
  • Information Security Risk Management Committee (ISRMC) — CRO, CISO, CITSO, CSO, CHRO, CTO, function heads of Operations, Finance, Legal, Compliance; meets at least twice a year with the CISO and at least two members present (Clause 1.5 Para II)
  • Chief Information Security Officer (CISO) — sufficiently senior, with requisite technical background; reports directly to the top executive overseeing risk management, or in his absence to the CEO directly; responsible for ICSP ownership, IS standards, incident escalation to regulators
  • Chief Risk Officer (CRO) — assumes CISO responsibilities in the CISO's absence; overall risk management including IS risk in purview
  • Chief Technology Officer (CTO) — information security technology implementation; planning, budgeting, architecture; oversees mitigation of vulnerabilities
  • Chief IT Security Officer (CITSO) — reports to the CTO; IT security operations (SOC, LAM, DLP, TRA); reports incidents to the CISO
  • Internal Audit function — works synergistically with the IS function, apprises the Audit Committee of emerging risks, identifies weaknesses
  • IS Team / Information Security Office — supports the CISO with reviews, vendor classification standards, incident management

Approvals needed:

  • Board resolution constituting the ISRMC with Terms of Reference
  • Board resolution approving the ICSP and all 24 domain policies (refreshed at least annually per Clause 1.5 Para IV)
  • Audit Committee approval of the annual Assurance Audit plan
  • Board comments on the annual Audit Report (Annexure III) before IRDAI filing

Step-by-step compliance process

Step 1: Constitute the Information Security Risk Management Committee (ISRMC)

What: Formally constitute the ISRMC under Clause 1.5 Para II, with the composition, quorum and cadence the Guidelines prescribe.

Where: Board meeting; recorded in Board minutes; ISRMC charter filed with the Company Secretary.

How: The ISRMC must comprise the CRO, CISO, CITSO, CSO, CHRO, CTO and function heads of Operations, Finance, Legal and Compliance. Quorum: CISO plus at least two members. Cadence: at least two meetings per financial year — more during major transformation or incident response. ISRMC owns approvals of changes to the ICSP.

Templates: See Section 6 below — ISRMC Charter Excerpt.

Common mistakes: Treating the IT Steering Committee as the ISRMC (it is not); CISO missing from quorum; omitting the CHRO — the CHRO is explicitly named in Clause 1.5 Para II because personnel security (Policy 2.4) and HR-IS handoffs are first-class obligations.

Step 2: Appoint the CISO and wire the reporting line to risk, not IT

What: Appoint a sufficiently senior CISO with requisite technical background and a reasonable minimum term, reporting to the top executive overseeing the risk management function — or in the absence of such executive, directly to the CEO.

Where: Board resolution; CISO appointment letter; reporting line documented in the ICSP.

How: The CISO is the policy owner and ultimate regulatory interface for Information Security. Clause 1.6 mandates the CISO's responsibilities include ICSP ownership, IS-standard setting (procedures, TRA methodology, BCP/DR standards, project risk, application security, vendor risk), security testing baselines for VAPT, engagement of external forensic experts when required, and direct responsibility for reporting critical or high-severity incidents to regulators.

Common mistakes: CISO reporting into the CTO or CIO (breach of the functional-independence principle — Clause 1.6 Step 3); under-sizing the CISO role to a part-time responsibility on a lead analyst; bundling the CISO budget into IT OpEx with no ring-fence.

Step 3: Author the Information and Cyber Security Policy (ICSP) and 24 domain policies

What: Adopt a Board-approved ICSP (Clause 1.1) covering the 9 principles (Information Protection, User Authentication, Accountability, Availability, Integrity, Trust, Continuity, Cyber Security Resilience, Regulatory Compliance) and 24 domain policies (Sections 2.1–2.24).

Where: Policy document stack maintained by the IS Team; version-controlled; distributed via intranet, refresher training and posters.

How: Policies span Data Classification (2.1), Asset Governance (2.2), Access Controls (2.3), Human Resource Security (2.4), Security Awareness and Training (2.5), Security Awareness and Resource (2.6), Mobile Security Policy (2.7), Acceptable Usage and BYOD (2.8), Change Management (2.9), Incident and Problem Management (2.10), Network Security (2.11), Cryptography (2.12), Business Continuity (2.13), Third-Party Service Providers (2.14), Physical and Environmental Security (2.15), Monitoring, Logging and Assessment (2.16), Legal and Regulatory Compliance (2.17), Situational Awareness (2.18), Cloud Security Policy (2.19), Cyber Resilience (2.20), Email Security (2.21), Work from Remote Location (2.22), Dealing Room Operations (2.23) and IT Rules 2021 (2.24). Each policy maps to the RACI matrix in Annexure B.

Common mistakes: Copy-pasting an ISO 27001 policy pack without mapping to the 24 domains; missing the Dealing Room Operations policy (relevant to insurers with treasury exposure); omitting the IT Rules 2021 policy (Section 2.24 explicitly incorporates Rule 3(1)(d) intermediary due-diligence obligations where the insurer operates an online consumer-facing portal).

Step 4: Populate the information asset inventory and classify PII

What: Under Policy 2.1 (Data Classification), maintain an Information Owner-driven inventory classified across four levels — Public, Internal, Restricted, Confidential — with a mandatory PII sub-tag.

Where: Governance, Risk and Compliance (GRC) tool; controlled spreadsheet acceptable for smaller intermediaries.

How: Review classification at least every two years per Clause 3.3 of Policy 2.1. Assign a designated Information Owner to every asset; Owners are accountable even when day-to-day custodianship is delegated. PII is identified and classified separately under Clause 3 of Policy 2.1 — this is a mandatory cross-classification, not optional. Unauthorised disclosure of confidential information must be treated as an incident under Policy 2.10.

Common mistakes: No owner assignment; PII flagged only on customer-facing systems and missed on internal HR/payroll repositories; review cycle missed — the two-year mandatory refresh is a common audit finding.

Step 5: Enforce access controls and privileged access management (Policies 2.3, 2.11)

What: Role-based access control under Policy 2.3 with least-privilege, user account reviews, and Privileged Access Management for admin access.

Where: Identity management stack; PAM tool; Leaver/Joiner/Mover process.

How: Unique user identifiability (Principle 2 under Clause 1.3); strong authentication with dynamic or non-replicable factors for sensitive systems; quarterly access reviews led by business owners; automated leaver-access revocation on day of separation. All system administrator and system operator activities must be logged and the logs regularly reviewed (Policy 2.16 Clause 16).

Common mistakes: Shared admin accounts outside PAM; role-based access control matrix maintained by LAM team without CISO oversight — Clause 1.6 expressly requires CISO review of LAM role definitions to ensure Segregation of Duties and IS principles are considered.

Step 6: Run the Incident and Problem Management regime with the 6-hour CERT-In clock wired in

What: Under Policy 2.10, operate a documented incident response regime that integrates the 6-hour CERT-In rule with copy to IRDAI.

Where: Incident response runbook; 24x7 SOC; ticketing system; CISO escalation tree.

How: Clause 3.5 of Policy 2.10 mandates that the organisation shall "mandatorily report cyber incidents to CERT-In within 6 hours of noticing or being brought to notice about such incidents with a copy to IRDAI and other concerned regulators / authorities" in the methods and formats published on the CERT-In website. Under Clause 3.5 Clause 4, the entity must also maintain current contact details for IRDAI, CERT-In, CSIRT-Fin, NCIIPC and the Cyber Swachhta Kendra. Root cause analysis (Clause 3.6) and knowledge management (Clause 3.6 second instance) feed continuous improvement. Where the incident also exposes personal data, a parallel intimation under Section 8(6) of the Digital Personal Data Protection Act, 2023 to the Data Protection Board is required in the form and manner under Rule 7 of the DPDP Rules 2025.

Common mistakes: Treating the 6-hour CERT-In filing as discharging the IRDAI copy obligation (it does not — IRDAI requires a copy to be marked); missing parallel DPDP reporting when personal data is involved; insufficient NTP sync across the estate, leaving the detection timestamp unverifiable.

Step 7: Operate Monitoring, Logging and VAPT (Policy 2.16)

What: Continuous monitoring, 180-day log retention within Indian jurisdiction, periodic VAPT and six-monthly external penetration testing.

Where: SIEM; WORM log archive; VAPT vendor panel.

How: Policy 2.16 Clause 14 mandates ICT infrastructure logs maintained for a rolling period of 180 days and within Indian jurisdiction per CERT-In directions. VAPT of internet-facing applications or infrastructure components at least once a year (Clause 2); external Blackbox Penetration Testing on all internet-facing information assets every six months (Clause 5); mandatory security testing before any change to internet-facing assets (Clause 3); business applications including APIs and web services undergo VAPT plus secure code review periodically and before go-live (Clauses 4 and 6). High-risk VAPT gaps must be closed within one month followed by validation testing (Clause 9); all audit gaps must be closed within two months (Clause 10).

Common mistakes: External PT run annually only (Clause 5 requires six-monthly external blackbox testing); VAPT gaps tracked but not retested after remediation; logs stored outside India without a written CERT-In production SLA.

Step 8: Third-party service provider risk management (Policy 2.14)

What: Under Policy 2.14, conduct pre-engagement due diligence, annual review and contractual audit rights over every IT service provider.

Where: Vendor lifecycle management system; outsourcing contracts; cloud governance artefacts.

How: Classify each vendor by information security risk per Policy 2.14. Onboarding due diligence must include ISO 27001 / SOC 2 evidence, latest VAPT, financial stability and BCP posture. Contracts must flow down the 6-hour CERT-In reporting obligation, logs-to-India requirement, IRDAI inspection rights, data protection clauses, and an exit plan. The Insurer is responsible under Clause 1.10 to ensure "insurance intermediaries engaged by them comply with these guidelines during the currency of their engagement" and must maintain a Board-approved policy setting the maximum risk rating from Annexure III Part C. Intermediaries that retain only physical data or do not access insurer systems require an annual self-certification before business continuance.

Common mistakes: SaaS purchases treated as "non-outsourcing"; contracts silent on IRDAI audit rights; cloud concentration without an articulated risk acceptance at the ISRMC; no written exit plan for Critical cloud workloads.

Step 9: Business Continuity and Disaster Recovery (Policy 2.13)

What: Under Policy 2.13, maintain a BCP/DRP with stated RTOs and RPOs per critical service and an annual live DR test.

Where: BCP/DR plan; DR site contracts; test reports tabled to the ISRMC.

How: Classify services as Critical / Important / Non-Critical; define RTO and RPO per service; conduct capacity monitoring and planning (Clause 3.1.1); define system acceptance criteria that include resistance to disruptions (Clause 3.1.2); convene a Crisis Management Committee during major events reporting to the Board Risk Management Committee; conduct a full DR drill annually and remediate findings within 90 days. Test backed-up data and applications for digital products at least half-yearly where relevant (consistent with adjacent RBI Digital Payment Security Controls expectations for REs with digital payment footprints).

Common mistakes: Table-top exercises being reported as DR drills; RTO stated as aspiration but not measured; no alternate-site connectivity test; Crisis Management Committee charter missing.

Step 10: Commission the annual independent Assurance Audit (Clause 1.10)

What: Commission and complete an independent Assurance Audit every year, with the annual Audit plan and reports presented to the Audit Committee of the Board / Board / Principal Officer.

Where: External audit firm meeting Annexure IV eligibility criteria; internal IS audit function running in parallel.

How: The Audit Firm must produce the Audit Summary, overall findings, non-compliances and risk ratings as per Annexure III; issue an Audit Certificate in the form of Annexure V (for Insurers) or Annexure VI (for FRBs). The Audit checklist in Annexure III is the scoping document — cover all 24 security domain policies plus third-party controls plus FRB-specific IT interfaces with overseas parents.

Common mistakes: Using an auditor who does not meet Annexure IV eligibility; auditor scope silently narrower than Annexure III checklist; audit findings open for the following year — the audit is an attestation, not a remediation plan.

Step 11: File Annexure III with Board comments to IRDAI

What: Under Clause 1.10, submit the signed Annexure III Audit Report with Board comments to IRDAI within 90 days of financial-year end or within 30 days of audit completion, whichever is earlier.

Where: IRDAI's filing channels (document-submission portal); parallel email to the IRDAI supervisory officer-in-charge.

How: Insurers file Annexure III plus Board comments. Intermediaries first file Annexure III with compliance evidence and Board comments to the engaged Insurer on an annual basis (Clause 1.10, second paragraph) — the Insurer aggregates and relies on these in its own filing. FRBs additionally file Annexure VI audit certificate at the end of every financial year. Calendar the filing — this is the single hardest deadline in the Guidelines.

Common mistakes: Filing Annexure III without Board comments (rejectable); FRB filing Annexure V instead of Annexure VI; missing the whichever-is-earlier trigger when an audit finishes early but the team targets the 90-day outer limit.

Step 12: Continuously align with adjacent frameworks — CERT-In, RBI, DPDP, IT Rules 2021

What: Keep the Guidelines compliance posture aligned with adjacent obligations — the 28 April 2022 CERT-In Directions, the RBI IT Governance MD 2023 (for bancassurance groups), the DPDP Act 2023 and DPDP Rules 2025, the IT Rules 2021 (explicitly at Policy 2.24), and the Aadhaar (Data Security) Regulations 2016 where applicable.

Where: Compliance calendar; ISRMC dashboard; control-to-regulation mapping matrix.

How: Maintain a single controls matrix mapping each control to each framework. When any framework issues a clarification (e.g., DPDP Rules 2025 G.S.R. 846(E) of 13 November 2025, or any IRDAI circular amending the 2023 Guidelines), refresh the matrix within 60 days and table the delta at the next ISRMC.

Common mistakes: Running each framework in a silo; duplicating controls rather than mapping; missing DPDP Rule 7 breach-intimation integration into Policy 2.10 incident response runbooks.


Timeline

  • Guidelines issued
    Statutory deadline: 24 April 2023
  • Gap assessment against 24 domain policies
    Realistic timeline: Month 1–2 from kick-off
  • ISRMC constitution and ICSP approval
    Statutory deadline: on issuance; Realistic timeline: Month 2–4
  • CISO/CITSO appointment with MD-compliant reporting lines
    Statutory deadline: on issuance; Realistic timeline: Month 2–4
  • Information asset inventory + PII sub-classification
    Statutory deadline: ongoing; Realistic timeline: Month 3–5
  • Vendor inventory + Annexure III Part C risk rating rollout
    Statutory deadline: ongoing; Realistic timeline: Month 4–6
  • First VAPT + external blackbox PT cycle
    Statutory deadline: annually + half-yearly respectively; Realistic timeline: Month 5–8
  • Annual live DR drill
    Statutory deadline: annually; Realistic timeline: Month 8–10
  • Independent Assurance Audit
    Statutory deadline: annually; Realistic timeline: Month 9–11
  • Annexure III filing with Board comments to IRDAI
    Statutory deadline: within 90 days of FY end OR 30 days of audit completion, whichever earlier; Realistic timeline: target Day 75 from FY end
  • FRB Annexure VI audit certificate
    Statutory deadline: annually at FY end; Realistic timeline: target Day 75 from FY end
  • Ad-hoc cyber incident reporting
    Statutory deadline: 6 hours from noticing (CERT-In) + copy to IRDAI; Realistic timeline: Hour 4 internal buffer

The Guidelines do not provide a blanket transition runway — a regulated entity operating at the 24 April 2023 issuance date is expected to bring governance and assurance practices into materially compliant operating state. A 9–12 month remediation runway is a project-management view, not a regulatory grace period.


Template clauses / language

Template A — Third-Party Security Clause for InsurTech Vendor Contracts (Policy 2.14)

Clause [X] — Information and Cyber Security Compliance

1.  The Service Provider acknowledges that the Customer is a Regulated Entity
    within the scope of the Information and Cyber Security Guidelines, 2023
    issued by the Insurance Regulatory and Development Authority of India on
    24 April 2023 ('IRDAI Guidelines'), and shall comply with all controls of
    the IRDAI Guidelines that the Customer may flow down in writing from time
    to time, including Policies 2.1 (Data Classification), 2.3 (Access
    Controls), 2.10 (Incident and Problem Management), 2.14 (Third-party
    Service Providers), 2.16 (Monitoring, Logging and Assessment) and 2.19
    (Cloud Security Policy).

2.  The Service Provider shall: (a) maintain a valid ISO/IEC 27001 certification
    or SOC 2 Type II report throughout the Term; (b) conduct, at its own cost,
    an annual Vulnerability Assessment and Penetration Test of the services
    provided to the Customer by a CERT-In empanelled auditor, and additionally
    an external blackbox Penetration Test at least once every six months on
    internet-facing components, remediating High-risk findings within thirty
    (30) days; (c) retain all ICT infrastructure logs relating to the services
    for a rolling period of one hundred and eighty (180) days within Indian
    jurisdiction, in accordance with CERT-In directions issued from time to
    time.

3.  The Service Provider shall report to the Customer's Chief Information
    Security Officer every cyber incident within two (2) hours of noticing, so
    that the Customer is able to discharge its 6-hour notification obligation
    to CERT-In under Direction (ii) of the CERT-In Directions dated 28 April
    2022 (No. 20(3)/2022-CERT-In) issued under Section 70B(6) of the
    Information Technology Act, 2000 and to mark a copy to the IRDAI under
    Clause 3.5 of Policy 2.10 of the IRDAI Guidelines.

4.  The Service Provider grants the Customer, the Customer's internal and
    external auditors, and the IRDAI and any authority acting for it, the
    right to inspect the Service Provider's premises, systems and records
    relating to the services, on reasonable prior notice.

5.  Where the services involve processing of personal data, the Service
    Provider shall additionally comply with its obligations under the Digital
    Personal Data Protection Act, 2023 and the Digital Personal Data
    Protection Rules, 2025 (G.S.R. 846(E) of 13 November 2025), including
    Rule 6 safeguards and Rule 7 breach-intimation procedures.

Template B — Initial Incident Notification to IRDAI (Parallel to CERT-In Filing)

To: [IRDAI supervisory officer email; copy to the CS Department distribution]
Subject: Cyber Incident — [Insurer / Intermediary Name] — [Annexure I Category] — [YYYY-MM-DD HH:MM IST]

Dear Sir / Madam,

This is an initial cyber incident intimation under Clause 3.5 of Policy 2.10
of the IRDAI Information and Cyber Security Guidelines, 2023. A parallel
notification has been filed with CERT-In today at [HH:MM IST] within the 6-hour
window prescribed by Direction (ii) of the CERT-In Directions dated 28 April
2022 (No. 20(3)/2022-CERT-In) issued under Section 70B(6) of the Information
Technology Act, 2000.

1. Reporting entity: [Legal name, registered office, CIN, IRDAI registration
   number]
2. CISO / Annexure II PoC: [Name, Mobile, Email]
3. Incident type (CERT-In Annexure I category): [e.g., "(v) Ransomware",
   "(xi) Data Breach"]
4. First noticed / brought to notice: [YYYY-MM-DD HH:MM IST / UTC]
5. Affected systems / services (preliminary): [brief list; highlight any
   customer-facing systems]
6. Customer / policyholder impact — assessed so far: [count of policyholders
   affected, if known; else "under assessment"]
7. Containment actions taken: [brief list]
8. Supplementary report to follow: expected within 72 hours; closure report on
   remediation

The Information Security Risk Management Committee has been convened and the
Board will be apprised within 72 hours.

Respectfully,
[CISO Name, Designation]
[Entity]

Internal audit checklist

Run before the Audit Committee of the Board tables the annual Annexure III filing.

  • ISRMC composition and quorum — CRO, CISO, CITSO, CSO, CHRO, CTO, function heads of Ops/Finance/Legal/Compliance; minuted attendance ≥ 2 meetings in the FY; CISO present at quorum.
  • CISO appointment letter — reporting line to top risk executive (or CEO in absence); minimum-term recorded.
  • ICSP and 24 domain policies — Board-approved within the last 12 months; version-controlled.
  • Information asset register — classification refreshed within the last 24 months; PII sub-tag applied.
  • Access controls — PAM in place; quarterly access reviews evidenced; dormant accounts suspended.
  • Monitoring, logging, VAPT — 180-day rolling retention within India; VAPT at least annual; external blackbox PT every 6 months; High findings closed in 1 month, all findings in 2 months.
  • Vendor inventory — Annexure III Part C risk rating applied; Board-approved policy on maximum acceptable rating on record; annual re-assessment evidenced for Critical vendors.
  • Cloud posture — Policy 2.19 compliance: shared-responsibility, Indian-region for Indian data where required, written exit plan for each Critical cloud workload.
  • BCP/DR — stated RTO/RPO per Critical service; live DR drill in the FY; Crisis Management Committee charter on record.
  • Incident response runbook — 6-hour CERT-In filing path wired, copy-to-IRDAI in Policy 2.10 runbook; DPDP Rule 7 parallel intimation integrated.
  • Auditor eligibility — Annexure IV criteria verified; independence declared.
  • Annexure III filing — Audit Report signed by auditor + Board comments; filing within 90 days of FY end or 30 days of audit completion, whichever earlier.
  • FRB Annexure VI certificate — where applicable, filed at FY end.
  • Intermediary self-certifications — where intermediary retains only physical data, annual self-certification received before continuance of business.
  • Cross-framework map — CERT-In Directions 2022 / RBI IT Governance MD 2023 (bancassurance) / DPDP Act 2023 + Rules 2025 / IT Rules 2021 / Aadhaar Regulations reconciled.

What if things go wrong

Failure 1 — CISO reports into CTO

  • Symptom: IRDAI on-site inspection finding that the CISO lacks functional independence from IT operations.
  • Cause: Legacy reporting line adopted pre-2023 never rewired.
  • Action: Rewire reporting to the CRO or directly to the CEO per Clause 1.6; update the ICSP; minute the change at the next ISRMC; file a corrective action plan with IRDAI within the timeline in the inspection letter.

Failure 2 — Annexure III filed without Board comments

  • Symptom: IRDAI rejects the filing for non-compliance with Clause 1.10.
  • Cause: Audit Committee sign-off treated as equivalent to Board comments.
  • Action: Convene a Board meeting to minute comments on the Audit Report; re-file Annexure III plus Board comments within the balance of the 90-day / 30-day window. Do not file the first iteration and the refiling as separate submissions — re-file as a single corrected package.

Failure 3 — Reportable incident missed the CERT-In 6-hour window; IRDAI copy also late

  • Symptom: SOC logged the incident overnight but escalation stalled until the next business day.
  • Cause: 24x7 on-call not in place at the CISO / CERT-In PoC level.
  • Action: File the CERT-In notification immediately with a transparent cover note on the first-noticed time; mark the parallel copy to IRDAI with an explanatory note; file the DPDP intimation under Rule 7 DPDP Rules 2025 if personal data is involved; brief the ISRMC within 72 hours; refile Annexure II PoC; stand up a 24x7 rotating on-call.

Failure 4 — VAPT high-risk findings open beyond one month

  • Symptom: Internal audit finds internet-facing applications carrying High VAPT findings past the one-month SLA.
  • Cause: Remediation dependency on a third-party application vendor.
  • Action: Escalate to the ISRMC and to the vendor's leadership; implement compensating controls (WAF tuning, temporary functional carve-outs); treat the open finding as a Risk Acceptance requiring ISRMC approval until closure, with a time-bound remediation plan.

Failure 5 — Third-party vendor resists IRDAI audit-rights clause

  • Symptom: Hyperscaler or InsurTech vendor template contract excludes regulator inspection.
  • Cause: Boilerplate adopted without negotiation.
  • Action: Negotiate via the vendor's enterprise addendum; where the vendor refuses and is Critical, document a Risk Acceptance at the ISRMC and Board Risk Management Committee with a migration plan; proactively brief IRDAI if the vendor is irreplaceable.

Founder checklist

  • Map every IRDAI-regulated partner this week — each insurer, broker, TPA or web aggregator you serve is required by Clause 1.10 of the Guidelines to treat you as a Policy 2.14 third party; ask for their Annexure III Part C questionnaire and the maximum-risk-rating policy.
  • Get ISO 27001 or SOC 2 Type II certified by 30 September 2026 — budget ₹8–15 lakh for first-time ISO 27001 certification; your latest VAPT must be within the last 12 months and External Blackbox PT within the last 6 months to be accepted.
  • Wire the 6-hour CERT-In clock into your runbook with a 2-hour internal notification to your insurer partner — Policy 2.10 Clause 3.5 of the Guidelines requires the insurer's CERT-In filing to be copied to IRDAI; you must not be the reason the insurer misses the 6-hour window.
  • Build a cloud exit story — name primary and secondary cloud, state your data-portability plan, and document how the insurer partner can operate if you disappear overnight; Policy 2.19 requires a written exit plan for every cloud-sourced service.
  • Budget ₹2–5 lakh/year for a CERT-In-empanelled auditor retainer — your insurer partner's Annexure III audit will drag you in; having your own attestation package pre-built cuts diligence time from six weeks to two.

FAQ

Do InsurTech startups need to comply directly with the IRDAI Guidelines?

Not directly unless they are themselves IRDAI-registered (e.g., licensed web aggregator, broker, corporate agent, IMF or TPA). Pure technology vendors serving insurers are caught contractually via Policy 2.14 (Third-party service providers). Every Insurer is required under Clause 1.10 of the Guidelines to ensure that intermediaries it engages "comply with these guidelines during the currency of their engagement" and to maintain a Board-approved policy setting the maximum acceptable risk rating from Annexure III Part C. The diligence standard is converging on the RBI IT Governance Master Direction baseline — expect the same flow-down vigour.

How does IRDAI compliance overlap with the RBI IT Governance Master Direction dated 7 November 2023?

Where the same legal entity holds both an IRDAI licence and an RBI licence (e.g., a bancassurance group company or a composite financial services group), both frameworks apply in parallel. Controls can be harmonised through a single policy stack — the IRDAI framework explicitly incorporates the NIST Cybersecurity Framework in Annexure I and references the IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 in Policy 2.24, so the control language is compatible. The stricter requirement wins; the Information Security Risk Management Committee minutes should record the dual-framework position with a written controls-to-frameworks mapping.

What is the mandated VAPT frequency?

Policy 2.16 of the Guidelines requires VAPT of internet-facing applications or infrastructure at least once a year (Clause 2), external blackbox Penetration Testing on all internet-facing assets every six months (Clause 5), and mandatory security testing before any change to internet-facing information assets (Clause 3). High-risk VAPT gaps must be closed within one month followed by validation testing (Clause 9), with the outer limit for closure of all audit gaps at two months (Clause 10). Business applications including APIs and web services undergo VAPT plus secure code review periodically and before go-live (Clauses 4 and 6).

What triggers an IRDAI ad-hoc cyber incident report?

Policy 2.10 (Incident and Problem Management) — specifically Clause 3.5 on "Notification to regulatory authorities" — requires every regulated entity to report cyber incidents mandatorily to CERT-In within 6 hours of noticing, with a copy to IRDAI and other concerned regulators. The regulated entity must maintain current contact details for IRDAI, CERT-In, CSIRT-Fin, NCIIPC and the Cyber Swachhta Kendra, and file in the format published on the CERT-In website. This ad-hoc obligation is in addition to the annual Assurance Audit filing under Clause 1.10.
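The clocks in the two answers above (the Policy 2.16 closure limits and the Policy 2.10 Clause 3.5 six-hour rule), together with the founder checklist's 2-hour partner notice and its 12-month VAPT / 6-month external PT recency test, as a small deadline tracker in Python. This is an added example, not the Guidelines' text or the playbook's own tooling: the finding IDs, dates and the "needs ISRMC risk acceptance" status label are constructed (the label follows the Failure 4 action above), and reading "one month" as a calendar month is an assumption the Guidelines do not spell out.

```python
"""Deadline tracker for the playbook's incident and VAPT clocks.

Added example, not from the IRDAI Guidelines or the playbook. It computes
the Policy 2.10 Clause 3.5 six-hour CERT-In deadline and flags VAPT
findings that breach the Policy 2.16 Clause 9 / Clause 10 closure limits.
All sample data below is constructed.
"""
import calendar
from datetime import date, datetime, timedelta


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic, clamping to the last day of a short month
    (opened 31 Jan + 1 month -> 28 Feb). Treating "one month" as a calendar
    month is an assumption; the Guidelines do not define the term."""
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return d.replace(year=year, month=month, day=min(d.day, last_day))


def incident_deadlines(noticed_at_iso: str) -> dict:
    """Policy 2.10 Clause 3.5: report to CERT-In within 6 hours of noticing,
    with a copy to IRDAI. The 2-hour internal notice to the insurer partner
    is the playbook's checklist recommendation for vendors, not a clause."""
    noticed = datetime.fromisoformat(noticed_at_iso)
    return {
        "partner_internal_notice": (noticed + timedelta(hours=2)).isoformat(),
        "cert_in_with_irdai_copy": (noticed + timedelta(hours=6)).isoformat(),
    }


def finding_deadline(finding: dict) -> date:
    """Policy 2.16: High gaps closed within one month (Clause 9); outer
    limit for closure of every audit gap is two months (Clause 10)."""
    opened = date.fromisoformat(finding["opened"])
    return add_months(opened, 1 if finding["severity"] == "High" else 2)


def sla_breaches(findings: list, as_of_iso: str) -> list:
    """Return findings that were closed after their deadline or are still
    open past it. Late-closed findings are kept so the ISRMC record shows
    the breach, not just the current backlog."""
    as_of = date.fromisoformat(as_of_iso)
    breaches = []
    for f in findings:
        deadline = finding_deadline(f)
        closed = date.fromisoformat(f["closed"]) if f.get("closed") else None
        reference = closed or as_of          # closure date, else today
        if reference > deadline:
            breaches.append({
                "finding_id": f["finding_id"],
                "deadline": deadline.isoformat(),
                "days_late": (reference - deadline).days,
                "status": "closed late" if closed
                          else "open; needs ISRMC risk acceptance",
            })
    return breaches


def evidence_current(last_vapt_iso: str, last_external_pt_iso: str,
                     as_of_iso: str) -> dict:
    """Founder checklist recency test: VAPT within the last 12 months,
    external blackbox PT within the last 6 months."""
    as_of = date.fromisoformat(as_of_iso)
    return {
        "vapt_within_12_months":
            as_of <= add_months(date.fromisoformat(last_vapt_iso), 12),
        "external_pt_within_6_months":
            as_of <= add_months(date.fromisoformat(last_external_pt_iso), 6),
    }


# Constructed sample tracker export; IDs and dates are made up.
SAMPLE_FINDINGS = [
    {"finding_id": "VAPT-2026-001", "severity": "High", "opened": "2026-01-31"},
    {"finding_id": "VAPT-2026-002", "severity": "Medium", "opened": "2026-03-15"},
    {"finding_id": "VAPT-2026-003", "severity": "High", "opened": "2026-02-10",
     "closed": "2026-03-20"},
    {"finding_id": "VAPT-2026-004", "severity": "High", "opened": "2026-03-01",
     "closed": "2026-03-20"},
]

if __name__ == "__main__":
    print(incident_deadlines("2026-04-21T09:00:00+05:30"))
    for breach in sla_breaches(SAMPLE_FINDINGS, "2026-04-21"):
        print(breach)
    print(evidence_current("2025-05-01", "2025-09-15", "2026-04-21"))
```

Run against a real tracker export, the `sla_breaches` output is the list to table at the ISRMC: open items past deadline need the Risk Acceptance and time-bound plan the Failure 4 action describes, and late-closed items still belong in the Annexure III narrative.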

How does this interact with the DPDP Act 2023 and the Data Protection Board?

The Guidelines define personally identifiable information (PII) as a mandatory sub-classification under Policy 2.1 (Data Classification) and require "reasonable and appropriate safeguards" — terminology that maps forward to Rule 6 of the Digital Personal Data Protection Rules, 2025 (G.S.R. 846(E) of 13 November 2025). Once the DPDP Act, 2023 (Act No. 22 of 2023) is fully operational, every insurer that is a Data Fiduciary must additionally file a personal-data breach intimation with the Data Protection Board under Section 8(6) DPDP Act in the form and manner under Rule 7 DPDP Rules 2025. That is a separate obligation from the 6-hour CERT-In and copy-to-IRDAI route.


Sources

  1. Information and Cyber Security Guidelines, 2023 — Insurance Regulatory and Development Authority of India, issued 24 April 2023. Document page: https://irdai.gov.in/document-detail?documentId=3314780 ; Full text PDF: https://irdai.gov.in/documents/37343/366029/IRDAI+CS+Guidelines+2023.pdf/81730785-1f51-977b-5a92-d9cfd7eb2cd6

  2. IRDAI Documents Index. Available at https://irdai.gov.in/documents

  3. CERT-In Directions under Section 70B(6) of the IT Act, 2000 — dated 28 April 2022 (No. 20(3)/2022-CERT-In). Available at https://www.cert-in.org.in/PDF/CERT-In_Directions_70B_28.04.2022.pdf

  4. RBI Master Direction on IT Governance, Risk, Controls and Assurance Practices — 7 November 2023, effective 1 April 2024. Available at https://www.rbi.org.in/scripts/BS_ViewMasDirections.aspx?id=12562

  5. Insurance Act, 1938 — Section 102 (monetary penalties). Available at https://www.indiacode.nic.in/

  6. IRDAI Act, 1999 — supervisory powers. Available at https://www.indiacode.nic.in/

  7. Information Technology Act, 2000 — Section 43A (sensitive personal data) and Section 70B (CERT-In). Available at https://www.indiacode.nic.in/handle/123456789/1999

  8. Digital Personal Data Protection Act, 2023 (Act No. 22 of 2023), Sections 8 and 33; DPDP Rules 2025 (G.S.R. 846(E), 13 November 2025).

This playbook is prepared by Veritect Legal Intelligence for general informational purposes and does not constitute legal advice. Regulated entities should consult qualified counsel for institution-specific advice. Statutory citations are current as of 21 April 2026.

Primary source

Title: Information and Cyber Security Guidelines, 2023
Issuer: Insurance Regulatory and Development Authority of India (IRDAI)
Effective: 2023-04-24

Prerequisites

  • Board resolution adopting the Information and Cyber Security Policy (ICSP)
  • Designated Chief Information Security Officer (CISO), appointment approved by the Board
  • Designated Chief Risk Officer (CRO), Chief Technology Officer (CTO), Chief Information Technology Security Officer (CITSO) and Chief Security Officer (CSO)
  • Information asset inventory with classification under Policy 2.1 (Public / Internal / Restricted / Confidential, with PII sub-tag)
  • Current-state VAPT and external penetration testing results
  • Third-party service provider inventory with risk rating per Policy 2.14
  • Business Impact Analysis (BIA) feeding the BCP/DRP under Policy 2.13
  • CERT-In Annexure II Point of Contact on file

Sanctions for non-compliance

IRDAI supervisory action under Section 14 of the IRDAI Act, 1999 and monetary penalty under Section 102 of the Insurance Act, 1938 (up to ₹1 crore per contravention, with daily-compounding exposure for continuing contraventions); directions affecting the certificate of registration; parallel exposure under Section 43A of the Information Technology Act, 2000 for sensitive personal data leakage, CERT-In penal exposure under Section 70B(7) IT Act (imprisonment up to 1 year and/or fine up to ₹1 lakh) if the 6-hour rule is missed, and DPDP Board penalties under Section 33 of the Digital Personal Data Protection Act, 2023 for personal-data breaches.

Tags

cybersecurity IRDAI insurance ISRMC CISO VAPT InsurTech