Revisions to Cyber Security Guidelines by IRDAI Enhance Insurance Sector's Governance

On April 6, 2026, the Insurance Regulatory and Development Authority of India (IRDAI) announced revisions to its Information and Cyber Security Guidelines for the insurance sector, originally established in 2023. These amendments maintain the core framework but introduce enhanced governance protocols, role clarifications, updated compliance timelines, and specific security controls. Insurance companies are urged to reassess their committee structures, reporting protocols, policies, and audit processes to align with these new directives.

The amendments require the Information Security Risk Management Committee to meet quarterly rather than semi-annually, underscoring that cyber risk must be managed continuously as threats evolve. The committee is now required to report any cybersecurity audit non-conformities to the risk management committee, which can escalate critical issues to the Board.

An IT Steering Committee has been established, tasked with translating business strategy into IT and cybersecurity directives. This committee, led by the Chief Technology Officer, will meet at least quarterly, reflecting a commitment to embed cybersecurity in enterprise decision-making.

The Chief Information Security Officer (CISO) role has gained independence from IT leadership, ensuring unbiased security judgments. Responsibilities of the CISO now include developing scenario-based incident response plans and managing security exceptions. The designation of Chief IT Security Officer has been removed, streamlining responsibilities while maintaining accountability.

Board responsibilities have expanded so that cybersecurity is treated as a central enterprise risk rather than merely a technical issue. Boards must ensure that cybersecurity initiatives receive funding commensurate with the institution's risk profile and that gaps identified in annual audits are addressed. The Control Management Committee has been dissolved and its functions centralized within the Risk Management Committee, which now includes independent external experts in IT or cybersecurity.

The guidelines also accommodate Foreign Reinsurance Branches by removing the requirement for separate branch-level governance, provided the corresponding responsibilities are fulfilled at a higher level of the organization. A "comply or explain" approach to the controls covered in audit reports preserves security obligations while recognizing that these entities are structured differently.

These amendments signal a proactive effort to raise information and cybersecurity governance standards across insurers, intermediaries, and foreign reinsurance entities. The IRDAI emphasizes not only compliance but also positions cyber resilience as integral to organizational governance and business sustainability. Insurance boards and management are encouraged to deepen their cybersecurity knowledge so they can supervise these critical areas effectively rather than relying solely on IT departments.