Part 5 of 6

IRDAI IT & Cyber Security Guidelines

Understand the Insurance Regulatory and Development Authority of India's requirements for IT governance, information security, and business continuity in the insurance sector.

Duration: ~70 minutes | Sections: 4 | Quiz: 8 Questions

5.1 Insurance Sector Requirements

IRDAI has issued comprehensive guidelines on Information and Cyber Security applicable to all registered insurers including life, general, health, and reinsurance companies.

Applicable Entities

  • Life Insurance Companies: All life insurers registered with IRDAI
  • General Insurance Companies: Motor, property, liability insurers
  • Health Insurance Companies: Standalone health insurers
  • Reinsurance Companies: Reinsurers operating in India
  • Insurance Intermediaries: Brokers, TPAs, surveyors (proportionate requirements)

Key IRDAI Circulars

Circular | Focus Area | Key Requirements
--- | --- | ---
Information and Cyber Security Guidelines 2017 | Core security framework | IS Policy, CISO appointment, security controls
Outsourcing Guidelines 2017 | Third-party risk | Due diligence, contracts, oversight
Cloud Computing Guidelines 2020 | Cloud adoption | Data localization, security requirements
Master Circular on E-Insurance 2023 | Digital insurance | Electronic policy, authentication

Data Classification

Sensitive Insurance Data

Insurers handle highly sensitive data, including health records (medical underwriting, claims), financial information (income, assets), personal identifiers (Aadhaar, PAN) and beneficiary details. Protection of policyholder data is a regulatory priority.

  • Critical: Core insurance systems, policy databases, claims records
  • Sensitive: Medical records, financial data, underwriting information
  • Internal: Employee data, operational procedures
  • Public: Product information, marketing materials

5.2 IT Governance

IRDAI mandates robust IT governance structures within insurance companies to ensure alignment of IT strategy with business objectives and effective risk management.

Board-Level Oversight

IT Strategy Committee
Insurers must constitute an IT Strategy Committee at Board level responsible for: approving IT strategy, reviewing major IT investments, overseeing cyber security posture, and ensuring regulatory compliance.

Key Appointments

Role | Requirement | Responsibility
--- | --- | ---
Chief Information Officer (CIO) | Mandatory for large insurers | IT strategy, operations, digital transformation
Chief Information Security Officer (CISO) | Mandatory for all insurers | Information security, incident response, compliance
Data Protection Officer (DPO) | As per DPDPA requirements | DPDPA compliance, data subject rights
Chief Risk Officer (CRO) | Mandatory | Enterprise risk including cyber risk oversight

Policies and Procedures

Insurers must maintain documented policies covering:

  1. Information Security Policy: Board-approved, annual review
  2. Acceptable Use Policy: Employee responsibilities, prohibited activities
  3. Access Control Policy: User management, privileged access
  4. Incident Management Policy: Detection, response, escalation
  5. Business Continuity Policy: BCP and DR procedures
  6. Outsourcing Policy: Third-party risk management

Security Controls

  • Network Security: Firewalls, segmentation, intrusion detection
  • Endpoint Security: Anti-malware, host-based controls, encryption
  • Application Security: Secure coding, testing, change management
  • Data Security: Encryption, masking, DLP for sensitive data
  • Identity Management: SSO, MFA for critical systems, access reviews

Compliance Tip

IRDAI expects insurers to adopt industry frameworks like ISO 27001. Many insurers pursue ISO 27001 certification to demonstrate compliance and may reference it in regulatory submissions.

5.3 BCP/DR Requirements

Business Continuity Planning and Disaster Recovery are critical for insurance operations. IRDAI mandates comprehensive BCP/DR capabilities to ensure policyholder protection and claims processing continuity.

Business Continuity Management

Business Impact Analysis (BIA)
Insurers must conduct a BIA to identify critical business processes, assess the impact of disruption, and determine a Recovery Time Objective (RTO) and Recovery Point Objective (RPO) for each critical function.

Critical Insurance Functions

  • Claims Processing: Must continue even during a disaster; policyholder protection is the priority
  • Policy Issuance: New business continuation with defined RTO
  • Premium Collection: Payment gateway and reconciliation systems
  • Customer Service: Call center and grievance handling
  • Regulatory Reporting: IRDAI submission capabilities

DR Site Requirements

Aspect | Requirement
--- | ---
Location | Geographically separated, different seismic zone preferred
Capability | Must handle full production load
Data Sync | Real-time or near-real-time replication for critical data
Testing | Annual DR drill mandatory with documented results
Switchover | Defined procedures and trained personnel

Testing Requirements

Mandatory DR Drills

IRDAI requires annual DR drills with actual switchover to DR site. Results must be documented, gaps identified, and remediation tracked. Board must be apprised of DR drill outcomes.

  • Annual Full DR Drill: Complete switchover to DR site
  • Half-Yearly Table-Top: Scenario-based discussions
  • Component Testing: Individual system recovery testing
  • Documentation: Test plans, results, gaps, remediation
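As an added example (not part of this course material), the following Python compares BIA targets for the critical functions listed above against the measured results of a full DR switchover drill and lists the gaps that would feed the remediation tracker and the Board report; all RTO/RPO targets and drill figures are constructed assumptions, not IRDAI-prescribed values.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Target:
    rto_min: int  # Recovery Time Objective: max tolerable outage, in minutes
    rpo_min: int  # Recovery Point Objective: max tolerable data-loss window, in minutes

@dataclass(frozen=True)
class DrillResult:
    restored_after_min: int  # minutes from disaster declaration to service live at the DR site
    data_loss_min: int       # age of the last replicated transaction at cutover, in minutes
    drilled_on: date         # date of the last full switchover drill for this function

# Constructed BIA targets (assumed figures for illustration only).
BIA_TARGETS = {
    "Claims Processing":    Target(rto_min=240,  rpo_min=15),
    "Policy Issuance":      Target(rto_min=480,  rpo_min=60),
    "Premium Collection":   Target(rto_min=240,  rpo_min=15),
    "Customer Service":     Target(rto_min=120,  rpo_min=60),
    "Regulatory Reporting": Target(rto_min=1440, rpo_min=240),
}

# Constructed drill measurements (assumed figures for illustration only).
DRILL_RESULTS = {
    "Claims Processing":    DrillResult(300, 10,  date(2024, 3, 15)),
    "Policy Issuance":      DrillResult(420, 30,  date(2024, 3, 15)),
    "Premium Collection":   DrillResult(200, 30,  date(2024, 3, 15)),
    # Customer Service was not exercised in the drill at all.
    "Regulatory Reporting": DrillResult(600, 120, date(2023, 1, 10)),
}
AS_OF = date(2024, 6, 1)  # review date used to test the "annual drill" requirement

def evaluate_drill(targets, results, as_of):
    """Return (function, finding) pairs for RTO/RPO breaches, untested functions and stale drills."""
    findings = []
    for func, t in targets.items():
        r = results.get(func)
        if r is None:
            findings.append((func, "not exercised in DR drill"))
            continue
        if (as_of - r.drilled_on).days > 365:
            findings.append((func, "last full drill older than 12 months"))
        if r.restored_after_min > t.rto_min:
            findings.append((func, f"RTO breached: {r.restored_after_min} min > {t.rto_min} min"))
        if r.data_loss_min > t.rpo_min:
            findings.append((func, f"RPO breached: {r.data_loss_min} min > {t.rpo_min} min"))
    return findings

if __name__ == "__main__":
    for func, finding in evaluate_drill(BIA_TARGETS, DRILL_RESULTS, AS_OF):
        print(f"{func}: {finding}")  # one line per gap for the remediation register
```

Each finding is one remediation item; an empty list means the drill met every BIA target and the annual-drill requirement for all critical functions.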

5.4 Outsourcing Guidelines

Insurers extensively outsource IT and business processes. IRDAI has specific guidelines governing outsourcing to manage associated risks while enabling operational efficiency.

Categories of Outsourcing

  • Core Insurance Activities: Claims processing, underwriting support (limited outsourcing)
  • IT Infrastructure: Data center, network, cloud services
  • Application Services: Core system vendors, policy admin
  • Business Processes: TPA services, call centers, back-office

Due Diligence Requirements

  1. Financial Assessment: Vendor financial stability and viability
  2. Technical Capability: Skills, experience, certifications
  3. Security Posture: Security controls, incident history, compliance
  4. Reference Checks: Existing client feedback, performance history
  5. Legal Review: Contract terms, liability, jurisdiction

Contractual Requirements

Mandatory Clauses

Outsourcing agreements must include confidentiality provisions, data protection obligations, audit rights (including IRDAI access), SLAs with penalties, termination and transition assistance, and sub-contracting restrictions.

Cloud Adoption

Aspect | IRDAI Requirement
--- | ---
Data Location | Policyholder data must be stored in India
CSP Selection | Due diligence, security assessment, contractual protections
Encryption | Data encrypted at rest and in transit, key management with the insurer
Audit Access | CSP must allow IRDAI inspection/audit rights
Exit Strategy | Documented plan for CSP transition/exit

Compliance Strategy

Maintain a vendor register with risk ratings. Conduct periodic vendor assessments. Include cyber security requirements in all RFPs. Monitor vendor performance against SLAs. Have exit plans for critical vendors.

Key Takeaways

  • IRDAI guidelines apply to all registered insurers and proportionately to intermediaries
  • IT Strategy Committee at Board level is mandatory for oversight
  • CISO appointment is required for all insurers
  • Annual DR drills with actual switchover are mandatory
  • Policyholder data must be stored in India for cloud deployments
  • Outsourcing agreements must include IRDAI audit access rights
  • Medical and financial data require enhanced protection measures

Part 5 Assessment Quiz

Test Your Knowledge

8 questions on IRDAI IT & Cyber Security requirements
