IRDAI Information & Cyber Security Guidelines 2026

IRDAI Information and Cyber Security Guidelines 2026 (circular IRDAI/GA&HR/CIR/MISC/51/4/2026 dated 6 April 2026) — supersedes the 2023 Guidelines. Applicable to all insurers including FRBs, insurance intermediaries (Brokers, Corporate Agents, Web Aggregators, TPAs, IMFs, Insurance Repositories, ISNP, Corporate Surveyors, MISPs, CSCs) and the Insurance Information Bureau of India (IIB). 24 security domains covering governance, asset management, access control, cryptography, network security (including WAF), endpoint, cloud, application security, data security & privacy, mobile, email, physical security, monitoring & logging, vendor risk, BCP/DR, and audit. Annexure III contains 347 audit controls mapped to NIST CSF functions plus IRDAI-specific Work From Remote Location and IGDM Rules 2021 categories. Cyber incident reporting timelines: CERT-In within 6 hours, IRDAI within 24 hours (per March 2025 Cyber Incident or Crisis Preparedness circular). Annual independent audit by CERT-In empanelled / Annexure-IV-eligible auditor; report submission to IRDAI within 90 days of FY-end or 30 days of audit completion (whichever is earlier).

Composition

33 controls currently indexed; participates in 32 cross-framework synthesis clusters.

Participates in synthesis

Each cluster listed below combines this framework's controls with operationally equivalent controls from other frameworks, resolving the overlap into a single audit-defensible specification.

• Anti-malware protection with EDR and email/web safeguards
• Board-approved policy framework anchoring derived operational controls (legacy "supplier-policy" cluster name)
• Board-approved security policy framework — IS policy, cyber security policy, and derived operational policies
• Board-level IT/IT Strategy Committee with documented charter
• Business continuity and ICT recovery readiness
• CISO role — independence, authority, Board access
• Centralised logging with retention, tamper protection, and integrity
• Comprehensive asset inventory with classification and ownership
• Continuous monitoring of networks, systems, applications, and outsourced development
• Cryptographic controls, key management, and post-quantum readiness
• Cyber resilience metrics — KPIs, KRIs, Board reporting cadence
• Cyber risk assessment — technology, process, people, third-party, supply chain, post-quantum
• Cyber security roles, responsibilities, and authority — Board through operational team
• Data classification with protection controls — DLP, masking, retention, secure disposal
• Data subject / Data Principal rights — operational rights mechanism
• Data-at-rest protection — encryption, access, processor controls
• Data-in-transit protection and physical media handling
• Incident response execution — detection through eradication, recovery, and lessons learned
• Incident response plan preparation, independent review, and risk-response planning
• Logical and physical access restriction — least privilege baseline
• Mandatory assurance regime — periodic audit, VAPT, third-party assessment, risk review
• Multi-regulator incident notification with coordinated submission timelines
• Network protection — segmentation, monitoring, perimeter, and data leak prevention
• Physical access controls — secure areas, entry monitoring, asset protection
• Privacy governance — legal, regulatory, contractual, and algorithmic obligations
• Privileged access management and access rights lifecycle
• Ransomware-resilient backup architecture
• Secure SDLC — threat modelling, secure coding, SAST/DAST, dependency scanning, DevSecOps
• Security Operations Centre — SIEM, EDR, forensics, MITRE-aligned detection
• Security reporting governance — CISO, DPO, incident reporting, compliance reporting
• VAPT cycle — vulnerability assessment and penetration testing programme
• Workforce security awareness, role-based training, and human-factor controls