Revised Guidelines

IRDAI issues revised rules on information, cybersecurity; effective FY27

This story was originally published at 15:40 IST on 9 April 2026

Informist, Thursday, Apr. 9, 2026

 

MUMBAI – The Insurance Regulatory and Development Authority of India Wednesday issued revised guidelines on information and cybersecurity, making it mandatory for the Information Security Risk Management Committee to meet "at least on a quarterly basis", compared with "at least twice in a year" in the prior guidelines. The new guidelines should be complied with from the current financial year, IRDAI said. The revised guidelines are based on feedback received from industry members and the recommendations of internal committees, it said.

 

The guidelines are applicable to insurers, which include foreign re-insurance branches and insurance intermediaries. The directions do not apply to insurance agents, micro-insurance agents, point-of-sale persons and individual surveyors. The revision includes conditions for applicability to foreign re-insurance branches. These entities need not form the necessary committees at a branch level if the mandated governance is carried out at the regional or head office, as per the revisions. 

 

The revised guidelines do away with the need for insurers to have a board-level Control Management Committee and instead require that the functions of this committee become part of the Risk Management Committee. The revisions also added to the functions of the chief technology officer and chief information security officer of an organisation, pushing for enhanced cooperation between the two.

 

The chief information security officer will not be given any business targets, as per the revised guidelines. The officer is responsible for approving and reviewing exceptions to policies and procedures pertaining to information security. The Information Security Risk Management Committee of an organisation is responsible for reporting "non-conformities" in cybersecurity to the Risk Management Committee, which in turn should report serious discrepancies to the board.

 

The revised guidelines have mandated additional responsibilities for an insurer's board of directors. The board is expected to provide a sufficient budget for information and cybersecurity, which should be proportional to the company's risk appetite. The board should ensure discrepancies observed in annual risk and cybersecurity reports are closed within 12 months of reporting. The revised guidelines also imposed new controls on technologies in the audit report.  End

 

Reported by Cassandra Carvalho

Edited by Akul Nishant Akhoury

 

For users of real-time market data terminals, Informist news is available exclusively on the NSE Cogencis WorkStation.

 

Cogencis news is now Informist news. This follows the acquisition of Cogencis Information Services Ltd. by NSE Data & Analytics Ltd., a 100% subsidiary of the National Stock Exchange of India Ltd. As a part of the transaction, the news department of Cogencis has been sold to Informist Media Pvt. Ltd.

 

Informist Media Tel +91 (22) 6985-4000

Send comments to feedback@informistmedia.com

 

© Informist Media Pvt. Ltd. 2026. All rights reserved.
