IRDAI Information and Cyber Security Guidelines, 2023 — a practitioner reference
ControlForge free guide · 2026-05-24 · Reflects IRDAI Information and Cyber Security Guidelines, 2023 with the 24 March 2025 cyber incident and crisis preparedness amendments
Quick reference
- Applies to: all insurers including life, general, and health insurers; Foreign Reinsurance Branches (FRBs); and the broad set of insurance intermediaries — brokers, corporate agents, web aggregators, Third-Party Administrators (TPAs), Insurance Marketing Firms (IMFs), insurance repositories, Insurance Self-Network Platforms (ISNPs), corporate surveyors, Motor Insurance Service Providers (MISPs), Common Service Centres (CSCs), and the Insurance Information Bureau of India (IIB). Individual agents, micro-insurance agents, point-of-sale persons, and individual surveyors are excluded.
- Mandatory or voluntary: mandatory regulation issued under Section 14(2)(e) of the IRDA Act, 1999.
- Year published: 24 April 2023, superseding the 2017 Guidelines (extended to intermediaries in September 2022). Compliance deadline April 2024 for full implementation. 24 March 2025 amendments added cyber incident response and crisis preparedness provisions.
- Issuing body: Insurance Regulatory and Development Authority of India (IRDAI).
- Penalties: monetary penalties up to ₹1 crore per default under the IRDA Act; supervisory action including operational restrictions, licence conditions, and public disclosure. The Insurance Ombudsman regime layers consumer redressal on top.
- ControlForge density: 33 curated controls mapping to the NIST CSF-aligned structure used by IRDAI; cross-walked with RBI CSF, SEBI CSCRF, ISO/IEC 27001:2022, NIST CSF 2.0, and DPDPA.
What it is
The IRDAI Information and Cyber Security Guidelines, 2023 are the comprehensive cyber security framework for India's insurance sector. They replaced the 2017 Guidelines (which had been extended from insurers to all intermediaries in 2022) with a substantially expanded scope and a graded compliance approach based on the intermediary's level of system access and gross revenue.
Three structural features distinguish the 2023 Guidelines from their 2017 predecessor:
- Graded applicability for intermediaries. Insurance intermediaries are classified by their access to insurer systems and by gross insurance revenue. Higher-classification intermediaries (those with deep system access or significant revenue) face proportionally heavier obligations; lower-classification intermediaries face a lighter compliance load. This was IRDAI's response to industry feedback that 2017's one-size-fits-all approach burdened smaller intermediaries disproportionately.
- NIST Cybersecurity Framework alignment. Annexure I of the 2023 Guidelines explicitly maps IRDAI control areas to the NIST CSF functions (Govern / Identify / Protect / Detect / Respond / Recover under CSF 2.0; the 2023 IRDAI guidelines pre-date CSF 2.0 but the mapping carries forward). This provides a structural backbone that aligns IRDAI compliance with global cybersecurity practice.
- Data-centric security approach. The 2023 Guidelines explicitly require data classification, data flow mapping, and data-centric security controls — a shift from the perimeter-and-system-centric framing of 2017 toward a model recognising that data flows extensively through cloud, SaaS, and intermediary networks.
The 24 March 2025 amendments added explicit provisions on cyber incident response and crisis preparedness — drawing lessons from incidents affecting Indian financial-sector entities through 2023–2024. These amendments tightened incident classification, escalation, and reporting expectations.
Structure at a glance
The 2023 Guidelines run to approximately 60 pages of substantive content plus four annexures:
- Main body — governance, risk management, technical controls, audit, incident management.
- Annexure I — Applicability of the NIST Framework to All Regulated Entities. Maps IRDAI control areas to NIST CSF functions and subcategories.
- Annexure II — Classification of Insurance Intermediaries. Defines the graded categories based on system access and revenue.
- Annexure III — Reporting templates (incident report, annual cyber report).
- Annexure IV — Eligibility Criteria for the Audit Firm conducting the mandatory annual cyber audit.
The control framework is organised around:
- Governance — Information and Cyber Security Policy (ICSP) approved by the Board; CISO appointment; cyber committee at Board / management level; risk management framework.
- Identification — asset inventory, data classification, data flow mapping, risk assessment, third-party risk management.
- Protection — access control with MFA, encryption at rest and in transit, network segmentation, secure configuration, vulnerability management, anti-malware, application security, secure development, employee training, physical security.
- Detection — Security Operations Centre or equivalent monitoring, log management with 180-day retention in Indian jurisdiction, SIEM, threat intelligence, regular vulnerability assessment and penetration testing.
- Response and Recovery — incident response procedure, cyber crisis management plan, business continuity and disaster recovery, breach notification to IRDAI, post-incident review.
- Audit and Assurance — annual cybersecurity audit by an eligible firm, report submitted to IRDAI, IRDAI right of inspection.
The graded approach means smaller intermediaries face a reduced control set, but the governance, incident reporting, and data protection requirements are universal.
Who must comply
The 2023 Guidelines apply to the following Regulated Entities (REs):
- Insurers: life insurers, general insurers, health insurers, standalone health insurers, reinsurers.
- Foreign Reinsurance Branches (FRBs): foreign reinsurers operating in India through branch mode.
- Insurance intermediaries — the substantive expansion in 2023:
  - Insurance Brokers (direct, reinsurance, composite).
  - Corporate Agents (life, general, health, composite).
  - Web Aggregators.
  - Third-Party Administrators (TPAs) — health insurance claim processors.
  - Insurance Marketing Firms (IMFs).
  - Insurance Repositories — entities maintaining e-Insurance Accounts.
  - Insurance Self-Network Platforms (ISNPs) — entities selling insurance products directly.
  - Corporate Surveyors and Loss Assessors.
  - Motor Insurance Service Providers (MISPs) — typically automobile dealers selling motor insurance.
  - Common Service Centres (CSCs) — government-supported rural service delivery points.
  - Insurance Information Bureau of India (IIB).
Excluded from direct applicability: individual insurance agents, micro-insurance agents, point-of-sale persons, and individual surveyors. These categories are governed instead through the supervisory obligations of the principal entity that engages them.
The graded approach means an intermediary that handles low volumes of policyholder data via a web portal of the principal insurer (rather than building its own IT infrastructure) operates under a lighter scope than an intermediary with custom IT systems and direct system access to insurer databases.
Core obligations
Walking the major obligations across the framework:
Board-approved Information and Cyber Security Policy (ICSP). Documented, reviewed annually, covering the full scope of the Guidelines. The ICSP is the umbrella policy from which all specific procedures flow. Maps into ControlForge clusters cl-policy, cl-isms-context, and cl-roles-responsibilities.
CISO appointment and governance structure. Designated CISO with appropriate seniority, independence from IT operations, and direct reporting line to the MD/CEO or Board. For larger entities, a Board-level cyber security committee meets at least quarterly; for smaller entities, the function is integrated with the broader risk committee. Maps into cl-roles-responsibilities and cl-it-governance-board.
Data classification and data flow mapping. Personal data, sensitive personal data, payment data, and policyholder data identified and classified; data flows across systems, intermediaries, and third parties mapped and documented; flows are reviewed when material changes occur. The data-centric approach intersects directly with DPDPA's Data Fiduciary obligations from May 2027. Maps into cl-data-classification, cl-data-inventory, and cl-data-flow-mapping.
Access control with MFA. Identity lifecycle (joiner-mover-leaver) with documented procedures; multi-factor authentication mandatory for privileged access, customer-facing online portals, and access from outside the entity's network; quarterly access reviews for critical systems; privileged access management (PAM) for system administrators. Maps into cl-access-rights, cl-multi-factor-authentication, cl-authentication, and cl-joiner-mover-leaver.
Cryptography. Encryption in transit (TLS 1.2 minimum, TLS 1.3 preferred) for all communications carrying policyholder data; encryption at rest for sensitive databases and backups; documented key management. Maps into cl-cryptography and cl-encryption.
Vulnerability management and security testing. Quarterly internal vulnerability scans; annual external VAPT by a CERT-In empanelled firm; security testing after significant change; remediation tracked through documented closure. Maps into cl-vuln-identification, cl-vapt-cycle, and cl-patching.
Security Operations Centre and monitoring. SOC operational 24×7 for material entities; MSSP-based for smaller intermediaries; SIEM coverage of critical systems; threat intelligence integration; log retention 180 days within Indian jurisdiction. The Indian-jurisdiction log retention requirement is a hard-edged data localisation rule particular to IRDAI; cloud-based log storage outside India fails this control. Maps into cl-monitoring-activities, cl-logging, and cl-threat-intel-platform.
Cyber incident response and crisis preparedness (strengthened by March 2025 amendments). Documented incident response procedure with classification, escalation, and notification provisions; tested via at least annual tabletop exercise; integrated with the Cyber Crisis Management Plan. Incident notification to IRDAI within stipulated timelines; parallel CERT-In Direction 70B reporting within 6 hours; for personal-data breaches, parallel DPBI notification from May 2027 under DPDPA. Maps into cl-incident-response-execution, cl-ir-plan-prep, cl-ir-reporting, and cl-incident-reporting-external.
Third-party / intermediary risk management. Insurers are accountable for the cyber posture of intermediaries with access to their systems or policyholder data; documented vendor risk assessment; security obligations flow down via contractual clauses; periodic review of critical third parties. The graded approach for intermediaries operationalises this: the principal insurer's vendor management programme covers intermediaries based on their classification. Maps into cl-supplier-policy and cl-supply-chain-risk.
Annual cyber audit. REs must engage an audit firm meeting the Annexure IV eligibility criteria (typically CERT-In empanelment plus specific cyber-audit qualifications) to conduct an annual cybersecurity audit. The audit report is submitted to IRDAI and reviewed by the Board. Findings are tracked through documented closure. Maps into cl-mandatory-audit and cl-internal-audit.
The annual cyber audit is one of the more demanding obligations under the Guidelines. Annexure IV sets eligibility criteria substantially stricter than general IT-audit qualifications: the audit firm must hold CERT-In empanelment, must demonstrate specific cyber-audit experience (typically defined as a minimum number of completed engagements in the insurance or broader financial sector), and the lead auditor must hold relevant industry certifications. The annual audit is in addition to (not in lieu of) any general internal audit; for larger insurers the two functions are typically separated.
Penalty exposure and enforcement. Beyond direct monetary penalties, the 2023 Guidelines and the 2025 amendments are increasingly used by IRDAI as the framework for supervisory inspections and for grievance-redressal escalation. Where a cyber incident affects policyholders, IRDAI's combination of grievance-redressal authority and cyber compliance authority creates a multi-pronged supervisory exposure. Major insurers have experienced this pattern in the 2024–2025 period: an incident triggers grievance complaints; the grievance investigation reveals cyber control gaps; IRDAI follows with a supervisory examination focused on the Guidelines.
Business continuity and disaster recovery. Documented BCP and DR plans; annual testing including cyber-specific scenarios (ransomware, destructive attack); RTO and RPO defined per critical system; alternate-site capability. Maps into cl-bcp-ict-readiness and cl-backup.
Awareness and training. Annual cybersecurity awareness for all personnel; role-based training for IT staff, customer-facing personnel, and management; phishing simulation. Maps into cl-awareness.
How auditors test it
Three audit pathways operate in parallel:
Mandatory annual cyber audit under the Guidelines themselves. Conducted by an Annexure IV-eligible firm (CERT-In empanelment plus specific qualifications). Scope: the full control framework, with sampling proportionate to the entity's classification. Report submitted to IRDAI within the prescribed timeline; reviewed by the Board; findings tracked to closure.
IRDAI supervisory inspection. IRDAI inspectors conduct on-site reviews under the inspection authority of the IRDA Act. Increasing focus on cyber posture for larger insurers; intermediaries are inspected on risk-based selection. Inspector access to all documentation including the annual cyber audit report, ICSP, incident records, vendor management evidence, training records.
Internal audit — most insurers also maintain internal IS audit functions; for smaller intermediaries this overlaps materially with the mandatory annual cyber audit.
Evidence patterns at an IRDAI cyber audit:
- ICSP and supporting procedure library with Board approval evidence.
- CISO appointment letter and organogram.
- Data classification and data flow maps.
- Access reviews, PAM deployment, MFA enforcement evidence.
- VAPT reports with CERT-In empanelment proof; remediation closure log.
- SIEM coverage matrix and sample alerts traced to incident response actions.
- Log retention evidence demonstrating 180-day Indian-jurisdiction storage.
- Incident records and CIMS / CERT-In / IRDAI submission history.
- Vendor risk assessment files for critical intermediaries and cloud / IT service providers.
- BCP test reports including cyber-specific scenarios.
- Annual training records and phishing simulation outcomes.
Common findings in recent inspections:
- Log retention compliant in some systems but not others; some log data routed to non-India cloud regions.
- VAPT with insufficient manual penetration testing depth; lead firm not Annexure IV-eligible.
- Intermediary risk assessment shallow — TPAs and MISPs with substantial policyholder data access not assessed as critical vendors.
- ICSP not refreshed after the March 2025 amendments; older incident response procedure references the 2017 Guidelines.
Sample sizes and audit depth. For larger insurers, annual cyber audit sampling typically covers: 25-50 systems across critical applications, infrastructure, customer-facing channels, and intermediary integrations; 12 months of incident records with at least one tabletop reconstruction; 12 months of access review and change management records; multi-quarter VAPT history; and complete sub-processor inventory verification. Smaller intermediaries follow proportionate sampling tied to their classification. The Annexure IV-eligible firms have professional judgement on sampling depth; audit reports document the sampling methodology.
Inspection patterns observed in 2024-2025. Public IRDAI orders and supervisory communications in the 2024-2025 period suggest examiners focus disproportionately on three areas: (i) data residency posture for cloud-resident systems, particularly logs and backups; (ii) intermediary classification methodology and whether the principal insurer's vendor risk programme actually covers high-classification intermediaries with appropriate depth; (iii) incident response evidence including tabletop test records and CIMS / CERT-In / IRDAI submission discipline for actual incidents during the audit window. Entities that have invested in these three areas tend to clear inspections with limited findings; entities that have a paper programme but weak operational evidence face material findings.
How it relates to other frameworks
IRDAI 2023 sits in the Indian financial-sector regulatory stack alongside:
- RBI ITGRCA + CSF: for banks, NBFCs, payment system operators. IRDAI 2023 is structurally similar at the governance level; intermediaries that touch banking systems (e.g. bancassurance partners) face both regimes.
- SEBI CSCRF: for SEBI REs in capital markets. Concept-aligned with IRDAI 2023; insurance-distribution arms within securities firms face both.
- CERT-In Direction 70B: 6-hour reporting applies in parallel; IRDAI submission is layered on top.
- DPDPA 2023 + Rules 2025: policyholder data is personal data; DPBI breach notification applies from May 2027 in addition to IRDAI submission.
- NIST CSF 2.0: IRDAI 2023 Annexure I explicitly maps to NIST CSF. Holding a NIST CSF-aligned programme materially advances IRDAI compliance.
- ISO/IEC 27001:2022: substantial control overlap; ISO 27001 certification reduces audit friction.
- ISO/IEC 27018:2019: cloud PII processor extension; relevant for insurers using cloud services for policyholder data.
- IRDAI Outsourcing Guidelines: vendor management for outsourcing arrangements; works alongside IRDAI 2023 cyber requirements.
ControlForge cross-walks IRDAI 2023 into general security clusters and into Indian-regulator-specific synthesis where the parallel reporting and accountability lines need coordinated implementation.
Common pitfalls
Five recurring failure patterns:
- Log retention crossed an Indian-jurisdiction boundary unnoticed. Cloud services configured to default region (US, EU, Singapore) without explicit data residency. The 180-day Indian-jurisdiction requirement is a hard control. Fix: data residency review per system; explicit India-region configuration for log stores; documented exemption process for any exception.
- Intermediary classification not exercised. The graded approach requires intermediaries to be classified; some principal insurers default all intermediaries to "high" (inflating compliance cost) or "low" (under-covering critical-access TPAs). Fix: documented classification methodology applied per intermediary annually; Board / management review of high-classification intermediaries.
- Annual cyber audit firm not Annexure IV-eligible. The audit firm holds CERT-In empanelment but lacks the additional cyber-audit qualifications IRDAI Annexure IV specifies. Fix: verify eligibility against Annexure IV before engagement; re-engagement annually with current credentials.
- CCMP and incident response not aligned with March 2025 amendments. The Cyber Crisis Management Plan was written against the 2023 Guidelines and not updated when the March 2025 amendments tightened crisis preparedness expectations. Fix: CCMP refresh against current Guidelines; tabletop test against the new expectations.
- MFA scope incomplete for customer-facing portals. Customer-facing online portals (policy purchase, claims, document upload) often have weaker MFA than internal access. The Guidelines require MFA proportionate to the risk; policyholder portals handling sensitive information warrant strong authentication. Fix: risk-based MFA enforcement on customer-facing portals; SMS-OTP as minimum, with stronger factors (app-based, FIDO) for high-risk transactions.
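An added illustration of the first pitfall above (the log retention control), written for this guide and not taken from the Guidelines or from ControlForge: a control check run over a constructed log-store inventory that flags stores outside India regions or below 180 days' retention, and reports documented exemptions instead of silently dropping them. The region identifiers are the India regions of AWS, Azure and GCP; the inventory, system names and exemption reference are constructed sample data.

```python
"""Log retention residency check (added example, constructed data).

Implements the two hard-edged parts of the IRDAI log control discussed
above: security logs kept at least 180 days, and kept in Indian
jurisdiction. Anything the inventory cannot place in an India region is
treated as non-compliant, so an unknown provider fails closed.
"""
from dataclasses import dataclass, field

MIN_RETENTION_DAYS = 180  # IRDAI minimum retention for security logs

# India regions of the three major providers. Extend for others in use.
INDIA_REGIONS = {
    "aws": {"ap-south-1", "ap-south-2"},
    "azure": {"centralindia", "southindia", "westindia"},
    "gcp": {"asia-south1", "asia-south2"},
}


@dataclass
class LogStore:
    system: str
    provider: str
    region: str
    retention_days: int


@dataclass
class Finding:
    system: str
    issues: list = field(default_factory=list)  # failed checks, if any
    exempt: bool = False  # covered by a documented exemption


def assess(store, exemptions):
    """Check one log store; exemptions maps system -> exemption reference.

    An exempt store is still reported with its issues so the exemption
    register can be reconciled against what is actually deployed."""
    issues = []
    india = INDIA_REGIONS.get(store.provider.lower(), set())
    if store.region.lower() not in india:
        issues.append(f"region {store.region} is outside India")
    if store.retention_days < MIN_RETENTION_DAYS:
        issues.append(f"retention {store.retention_days}d < {MIN_RETENTION_DAYS}d")
    return Finding(store.system, issues, exempt=store.system in exemptions)


def non_compliant(stores, exemptions):
    """Systems failing at least one check with no documented exemption."""
    return [f.system for f in (assess(s, exemptions) for s in stores)
            if f.issues and not f.exempt]


# Constructed sample inventory; none of these are real systems.
SAMPLE_STORES = [
    LogStore("policy-admin", "aws", "ap-south-1", 365),
    LogStore("claims-portal", "aws", "us-east-1", 365),    # default US region
    LogStore("agent-crm", "azure", "centralindia", 90),    # retention too short
    LogStore("legacy-dr", "gcp", "asia-southeast1", 400),  # Singapore, exempt
]
# Constructed exemption register: system -> exemption reference (placeholder).
SAMPLE_EXEMPTIONS = {"legacy-dr": "EXEMPTION-REF-PLACEHOLDER"}

if __name__ == "__main__":
    for store in SAMPLE_STORES:
        finding = assess(store, SAMPLE_EXEMPTIONS)
        status = "OK" if not finding.issues else ("EXEMPT" if finding.exempt else "FAIL")
        print(f"{finding.system:14} {status:7} {'; '.join(finding.issues)}")
```

Run against the real inventory export, the same report doubles as the evidence item "log retention evidence demonstrating 180-day Indian-jurisdiction storage" listed under audit evidence patterns, with the exemption register reconciled alongside it.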
Two further patterns worth flagging:
- Data flow maps stale. The data-centric approach requires accurate data flow mapping; SaaS sprawl and new intermediary integrations have rendered initial maps inaccurate. Fix: data flow map refresh on material-change trigger (new vendor, new geography, new product); annual full refresh.
- TPA / MISP cyber assessment shallow. TPAs process health-insurance claims with extensive PII; MISPs (dealer-network motor insurance) have customer-data access at the point of sale. Both categories have historically received less cyber scrutiny than they warrant under the graded approach. Fix: critical-classification review of TPAs and high-volume MISPs; direct cyber assessment rather than vendor self-attestation.
When to use this framework
IRDAI 2023 compliance is mandatory for the entities in scope. Implementation considerations:
- Phased build common. Mid-2024 compliance deadline allowed phased build for many entities; March 2025 amendments triggered a second wave of programme update.
- Layering with ISO 27001. Insurers and large intermediaries often layer ISO 27001 certification on top of IRDAI 2023 compliance — the ISO certification adds international procurement value and reduces IRDAI audit friction.
- DPDPA convergence. The May 2027 DPDPA enforcement date will require IRDAI 2023 programmes to integrate DPBI breach notification, Data Fiduciary obligations, and data subject rights handling. Planning this convergence pre-2027 is more efficient than retrofitting.
- Outsourcing alignment. Insurance outsourcing arrangements (TPA, MISP, IT services, customer service) carry their own IRDAI Outsourcing Guidelines obligations; IRDAI 2023 cyber requirements layer on top.
Further reading
- IRDAI Information and Cyber Security Guidelines, 2023 — https://irdai.gov.in/document-detail?documentId=3314780
- IRDAI Master Direction archive — https://irdai.gov.in/
- CERT-In empanelment list — https://www.cert-in.org.in/
- NIST CSF 2.0 (referenced by Annexure I) — https://www.nist.gov/cyberframework
- DPDPA 2023 + Rules 2025 (parallel privacy regime) — https://www.meity.gov.in/
- ControlForge clusters: cl-policy, cl-data-classification, cl-multi-factor-authentication, cl-vapt-cycle, cl-monitoring-activities, cl-incident-reporting-external, cl-supplier-policy, cl-mandatory-audit — IRDAI 2023 cross-walked against RBI ITGRCA, SEBI CSCRF, ISO 27001, NIST CSF, and DPDPA.
The cross-walk is particularly useful for multi-regulator entities: insurance brokers that are also SEBI-registered investment advisers face IRDAI 2023 + SEBI CSCRF in parallel, and the ControlForge cluster mapping surfaces the controls where evidence and procedures naturally consolidate. Similarly, bancassurance partnerships create overlapping IRDAI + RBI obligations for the bank's insurance distribution arm and for the insurer's bank-channel integration. Coordinated implementation against the cluster mapping reduces duplicate effort versus treating each regulatory regime as a standalone workstream.
This guide is a practitioner reference, not legal advice. It reflects the IRDAI Information and Cyber Security Guidelines, 2023 with the March 2025 amendments, and publicly available IRDAI guidance as of 24 May 2026. Compliance teams should validate specific obligations against the current IRDAI circular text and counsel review.