IRDAI Tightens Cybersecurity Norms: 6-Hour Reporting Rule for Insurers and Intermediaries

In a move aimed at bolstering cyber security across the insurance sector, the Insurance Regulatory and Development Authority of India (IRDAI) has issued a directive requiring all insurers and intermediaries to report cyber incidents within 6 hours of detection. This significantly shortens the previous 24-hour reporting window and brings the insurance industry in line with global best practices.

New Compliance Timeline: 6-Hour Cyber Incident Reporting

As per the updated guideline, insurance companies and all licensed intermediaries—such as brokers, corporate agents, insurance marketing firms, and web aggregators—must notify both IRDAI and the Indian Computer Emergency Response Team (CERT-In) within 6 hours of any cyber incident. This accelerated timeframe is intended to ensure quicker containment and response to potential threats.

Enhanced Monitoring and Infrastructure Requirements

The new regulation also mandates continuous vigilance over all Information and Communication Technology (ICT) systems. Insurers are required to maintain and monitor all ICT infrastructure and application logs for a rolling period of 180 days. This move is expected to strengthen audit trails and facilitate more effective forensic investigations in the event of cyber incidents.

Key Requirements Under the New Cybersecurity Framework

IRDAI’s directive outlines several critical measures that insurers and intermediaries must comply with:

• Time-Synchronised Systems: All ICT systems must align with the official Network Time Protocol (NTP) of India to ensure consistency in event logging and forensic analysis.

• Cyber Crisis Preparedness: Insurers are now obligated to maintain a Cyber Crisis Management Plan, enabling swift action in case of a cyber attack or data breach.

• Certified Investigators Only: In the event of a serious cyber issue, investigations must be conducted solely by CERT-In-certified experts to ensure credibility and adherence to standard protocols.

• Strict Adherence to CERT-In Guidelines: Insurers must fully comply with the cybersecurity guidelines laid out by CERT-In to maintain uniformity in protection and response standards.

• Avoiding Conflicts of Interest: Companies involved in identifying cyber risks must not be the same as those conducting the investigation. This separation of duties ensures objectivity and transparency.

• Mandatory Board-Level Oversight: All entities—insurers and intermediaries—must report their compliance status to their respective Boards of Directors and submit the meeting minutes to IRDAI as evidence of adherence.

Strengthening Cyber Resilience in the Insurance Sector

The IRDAI’s updated directive highlights the growing importance of cybersecurity in financial services. With the increasing digitisation of insurance services and sensitive data being handled across digital platforms, this move is a proactive step toward reducing systemic vulnerabilities.

Although these new measures may increase compliance costs and operational overheads, they are expected to enhance the overall cyber resilience of the insurance ecosystem, protecting both insurers and policyholders from potential data breaches and cyber threats.

Disclaimer: This blog has been written exclusively for educational purposes. The securities mentioned are only examples and not recommendations. This does not constitute a personal recommendation/investment advice. It does not aim to influence any individual or entity to make investment decisions. Recipients should conduct their own research and assessments to form an independent opinion about investment decisions. 

Investments in the securities market are subject to market risks, read all the related documents carefully before investing.