IRDAI’s new push for situational awareness and cyber crisis readiness compliance

In an industry where the stakes are measured in personal identities, health records and billions in claims, a single breach is all it takes to make headlines. Ironically, an organisation whose business is insuring people against risk may itself face some of the biggest digital risks.

Insurers sit on mountains of sensitive personal data: medical records, financial details, you name it. With its troves of sensitive data and increasing dependence on technology, the sector has long stood out as low-hanging fruit for cyber attackers, making enhanced cyber resilience in the insurance sector all the more necessary. Recognizing this need, the Insurance Regulatory and Development Authority of India (“IRDAI”) has recently issued a compliance-focused circular pursuant to its Information and Cyber Security Guidelines, 2023[1]. The Circular mandates regulated entities (“REs”) to operationalize a comprehensive framework for cyber preparedness, incident response and forensic investigation, reflecting a shift from reactive cybersecurity postures to proactive institutional readiness.

Prompt reporting of cyber incidents

The Circular reiterates the requirement to report cyber incidents to IRDAI within 6 hours of noticing, or being notified of, such incidents.[2]

Policy on Monitoring, logging and assessment

The Circular mandates REs to implement a structured monitoring, logging and assessment[3] policy which includes the following:

  1. Real-time monitoring through automated means or technology systems capable of generating alerts for all critical information systems used by the organization for information processing, storage or security;
  2. Maintaining ICT infrastructure logs for a rolling period of 180 days, within Indian jurisdiction, as per directions issued by CERT-In from time to time;
  3. Synchronizing the clocks of all relevant information processing systems within the organization or security domain with the Network Time Protocol (NTP) server of the National Informatics Centre (NIC) or the National Physical Laboratory (NPL), or with NTP servers traceable to these;
  4. Logging all activities or transactions performed on information systems and conducting periodic analysis of the logs;
  5. Where automated alerts are absent, setting up a process for manual review of activity logs at a frequency defined by the criticality of the information system;
  6. Treating any breach of policy as an incident, to be handled according to the incident management policy;
  7. Classifying all information systems based on the asset management policy and establishing monitoring processes accordingly;
  8. Implementing real-time automated detection facilities that monitor significant deviations from normal activity and alert security administrators;
  9. Regularly monitoring user accounts for unwanted privileges, orphan accounts and dormant accounts, and suspending or terminating accounts that violate the organization’s policies;
  10. Conducting security assessments of infrastructure and applications, including vulnerability assessments, security reviews and penetration testing, based on defined standards and frequencies.
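The following self-check, an added example that is not part of the Circular or of IRDAI's guidance, evaluates constructed evidence against the concrete thresholds above (180-day rolling retention in India, NTP traceable to NIC/NPL, dormant and orphan account review) and the 6-hour reporting window noted earlier. The NTP hostnames, the 90-day dormancy threshold and the record field names are assumptions; the Circular itself fixes no dormancy period.

```python
# Added compliance self-check (not from the Circular or IRDAI).
from datetime import datetime, timedelta, timezone

RETENTION_DAYS = 180     # rolling log retention required by the Circular
REPORTING_HOURS = 6      # incident reporting window to IRDAI
DORMANT_DAYS = 90        # assumed dormancy threshold; the Circular fixes none
# Assumed: NTP sources the organisation has itself verified as traceable to NIC/NPL
TRACEABLE_NTP = {"samay1.nic.in", "samay2.nic.in", "ntp.corp.example"}


def check_logging_controls(systems):
    """Return (system, issue) pairs for retention, log location and NTP source."""
    findings = []
    for s in systems:
        if s["retention_days"] < RETENTION_DAYS:
            findings.append((s["name"], f"retention {s['retention_days']}d < {RETENTION_DAYS}d"))
        if s["log_region"] != "IN":
            findings.append((s["name"], f"logs stored in {s['log_region']}, not in India"))
        if s["ntp_server"] not in TRACEABLE_NTP:
            findings.append((s["name"], f"NTP source {s['ntp_server']} not traceable to NIC/NPL"))
    return findings


def review_accounts(accounts, active_staff, now):
    """Dormant = no login for more than DORMANT_DAYS; orphan = owner no longer on staff."""
    dormant = sorted(a["user"] for a in accounts
                     if (now - a["last_login"]).days > DORMANT_DAYS)
    orphan = sorted(a["user"] for a in accounts if a["owner"] not in active_staff)
    return dormant, orphan


def reporting_deadline(noticed_at):
    """Latest time by which the incident report must reach IRDAI."""
    return noticed_at + timedelta(hours=REPORTING_HOURS)


# Constructed sample evidence (not real systems or people)
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
SYSTEMS = [
    {"name": "claims-db", "retention_days": 365, "log_region": "IN", "ntp_server": "samay1.nic.in"},
    {"name": "portal-web", "retention_days": 90, "log_region": "SG", "ntp_server": "pool.ntp.org"},
]
ACCOUNTS = [
    {"user": "svc_report", "owner": "e101", "last_login": NOW - timedelta(days=200)},
    {"user": "jdoe", "owner": "e202", "last_login": NOW - timedelta(days=3)},
    {"user": "old_admin", "owner": "e999", "last_login": NOW - timedelta(days=10)},
]
STAFF = {"e101", "e202"}   # HR's list of currently active employee ids
```

Running `check_logging_controls(SYSTEMS)` flags only `portal-web` (short retention, logs outside India, untraceable NTP), and `review_accounts(ACCOUNTS, STAFF, NOW)` reports `svc_report` as dormant and `old_admin` as orphaned.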

Situational Awareness for Cyber Crisis Management Plan

Recognizing the rapidly evolving nature of cyber threats and the critical need for proactive institutional resilience, IRDAI has mandated all REs to formulate and implement a comprehensive policy on Situational Awareness for Cyber Crisis Management Plan[4], which is expected to include, at a minimum, the following components:

  1. Establishing processes to identify cyber threats affecting operational performance, objectives and critical business processes;

  2. Deploying a robust threat intelligence process for gathering and analysing cyber threat information from internal and external sources;

  3. Developing a plan for sharing information through trusted channels during cyber-attack incidents;

  4. Actively engaging with information-sharing groups to exchange indicators of cyber incidents;

  5. Clearly documenting information-sharing arrangements in the Cyber Crisis Management Plan (CCMP), following CERT-In / NCIIPC guidelines;

  6. Assigning the cyber-threat intelligence process to the Information Security Team;

  7. Keeping executive management informed about the cyber-threat intelligence process and information-sharing activities.

Forensic investigation for severe information security incidents

The Circular highlights the importance of performing forensic investigation for severe information security incidents.[5]

Adherence to Cert-In Guidelines

REs are further required to strictly adhere to all applicable directions issued by the Indian Computer Emergency Response Team (CERT-In), which prescribe best practices and procedures for incident prevention, detection, response, and mandatory reporting. These obligations align with the broader national agenda of ensuring a “Safe and Trusted Internet.” [6]

Forensic investigation and empanelment of auditors

To ensure investigative integrity and minimize response delays, REs are mandated to establish a well-defined procedure or practice ensuring that forensic auditors are empanelled in advance and can be onboarded without delay to conduct forensics and root cause analysis of cyber incidents.[7] Importantly, the Circular prohibits the appointment of forensic auditors who have existing engagements with the organization’s Security Operations Centre (‘SOC’), red-teaming exercises, attack surface monitoring or assurance audits, thereby mitigating conflicts of interest.

Board-level oversight

In a shift towards enhanced cyber governance, the Circular directs all REs to place a compliance report detailing adherence to these requirements before their Board of Directors at the next scheduled meeting. The minutes of the discussion, including resolutions passed and corrective measures proposed, must subsequently be submitted to the IRDAI for information.[8]

Conclusion

As cybersecurity threats intensify across the insurance sector, the imperative for embedding resilient internal frameworks has never been more pressing. In this evolving landscape, legal and regulatory compliance can no longer be treated as static checklists. Instead, they demand dynamic, forward-looking systems capable of anticipating and responding to emerging risks in real time.

Komrisk, developed by Lexplosion Solutions Private Limited, exemplifies this evolution. Drawing on extensive experience implementing compliance management frameworks for leading institutions in the insurance industry, Komrisk operates not merely as a compliance tracker but as a sophisticated Legal Governance, Risk Management and Compliance (“LGRC”) engine. It disaggregates regulatory obligations into precise, categorized workflows; flags risks proactively; and facilitates timely intervention.

What distinguishes Komrisk is its architecture: a legal intelligence backbone maintained by over fifty lawyers with expertise in specific domains, augmented by AI-enabled timelines, real-time alerts, mapped penalties, and dynamic regulatory classifications. The result is actionable compliance triggering registrations, filings and alerts well in advance of potential exposure.

Critically, Komrisk is also evidentiary. It enables organizations to upload and validate compliance documentation, converting paper trails into real-time audit trails. Its escalation framework, spanning up to ten hierarchical levels, helps ensure that no non-compliance lingers unaddressed, swiftly surfacing issues to the appropriate decision-makers.

Finally, with panoramic dashboards designed for executive clarity, Komrisk delivers what modern governance requires: a unified, real-time view of an organization’s compliance posture. In an era where data privacy and cybersecurity mandates are increasingly complex and fast-moving, Komrisk represents the future of agile compliance: a system not built to react, but to anticipate.

In today’s digital-first regulatory environment, compliance is no longer an afterthought. It is a strategic function and platforms like Komrisk ensure it remains one step ahead.

To know more, reach out to us at inquiries@lexplosion.in.

[1] IRDAI, vide Circular ref: IRDAI/IT/GDL/MISC/082/04/2017 dated 7th April, 2017, issued guidelines on Information and Cyber Security for Insurers, which were later extended to all Insurance Intermediaries vide Circular ref: IRDA/GA&HR/GLD/MISC/184/09/2022 dated 2nd September, 2022. These guidelines were subsequently revised to enable the insurance industry to strengthen its defences and related governance mechanisms against emerging cyber threats, and the IRDAI Information and Cyber Security Guidelines, 2023 were issued.

[2] Para 3.5 under Policy No. 2.10 of the IRDAI Information and Cyber Security Guidelines, 2023.

[3] Para 3.3 under Policy No. 2.16 of the IRDAI Information and Cyber Security Guidelines, 2023.

[4] Para 3.3 under Policy No. 2.18 of the IRDAI Information and Cyber Security Guidelines, 2023.

[5] Para 3.4 under Policy No. 2.20 of the IRDAI Information and Cyber Security Guidelines, 2023.

[6] Para 1.10 of the IRDAI Information and Cyber Security Guidelines, 2023.

[7] Para 4 and 5 of the Circular dated 24th March 2025.

[8] Para 6 of the Circular dated 24th March 2025.


Written by: Nishtha Chakroborty

Co-authored by: Abhishek Roy

Disclaimer

This content is intended for informational purposes only and does not constitute a legal opinion. Despite our efforts to maintain accuracy, we do not make representations, warranties or undertakings regarding the quality, completeness or reliability of the content. Readers are encouraged to seek legal counsel prior to acting upon any of the information provided herein. This content, including the design, text, graphics, their selection and arrangement, is Copyright 2024, Lexplosion Solutions Private Limited or its licensors. ALL RIGHTS RESERVED, and all moral rights are asserted and reserved.

For any clarifications, please reach out to us at 91-33-40618083 or inquiries@lexplosion.in.
