Amended Cyber Security Guidelines for Insurance Sector: Key Amendments and What They Mean for Regulated Entities

Summary: On April 6, 2026, IRDAI issued certain amendments to its 2023 Information and Cyber Security Guidelines for the insurance sector, while retaining the core structure of the guidelines. This article covers the key changes to the guidelines and their implications for regulated entities, such as expanded Board accountability, the introduction of an IT Steering Committee, enhanced independence of the CISO, and targeted relaxations for Foreign Reinsurance Branches.

The Insurance Regulatory and Development Authority of India (“IRDAI”) amended the Guidelines on Information and Cyber Security for Regulated Entities (“2023 Guidelines”) on April 06, 2026 (“Amended Guidelines” or “2026 Guidelines”). While the core structure of the 2023 Guidelines remains unchanged, the 2026 Guidelines have introduced certain amendments pertaining to governance processes, role definitions, compliance timelines, and specific security controls. Regulated entities in the insurance sector would be well advised to review committee charters, reporting structures, internal policies, and audit processes to ensure alignment with the Amended Guidelines.

This article outlines the key changes in the 2026 Guidelines over the 2023 Guidelines. For a detailed understanding of the 2023 Guidelines, refer to our Primer on IRDAI Information and Cyber Security Guidelines 2023.

Quarterly Oversight: Enhanced Role of the Information Security Risk Management Committee (ISRM Committee)

    While the 2023 Guidelines mandated the ISRM Committee to meet at least twice a year, the Amended Guidelines require quarterly meetings. The ISRM Committee is now also required to provide relevant periodic assurances to the risk management committee on a quarterly basis. This change reflects a shift from periodic oversight to continuous monitoring of cyber risk, recognising that cyber threats evolve rapidly and demand more frequent review.

    The Amended Guidelines also require the ISRM Committee to report non‑conformities from the annual cybersecurity assurance audits, including remediation timelines, to the risk management committee, which may escalate critical matters to the Board, as needed. 

    Introduction of the IT Steering Committee (ITS Committee)

    The 2026 Guidelines have introduced a new senior‑level governance body, the “IT Steering Committee” (“ITS Committee”). The ITS Committee is intended to bridge the gap between business strategy, IT architecture, and cybersecurity. Among other functions, it is required to:

    • assist the Board in formulating IT strategy aligned with business objectives; 
    • oversee statutory and regulatory compliance of IT architecture; 
    • ensure governance of business continuity and disaster recovery frameworks; and 
    • review IT procurement decisions that have cybersecurity implications, in consultation with the Chief Information Security Officer (“CISO”). 

    The ITS Committee must meet at least quarterly, with the CTO acting as its convener, signalling IRDAI’s intent to embed cybersecurity considerations into enterprise‑wide technology decision‑making.

    Structural Independence and Expanded Responsibilities of the CISO and Removal of CITSO Requirement

    The Amended Guidelines clarify aspects of the CISO’s role and positioning within the organisation. In particular, the CISO must not have any direct reporting relationship with the Head of IT and should also not be assigned business targets. The intent is to safeguard independent judgment. Further, the CISO must be technically qualified. The CISO is also entrusted with additional responsibilities, including the development of scenario‑based incident response plans, review of all security exception requests, compliance with directives issued by CERT‑In, and regular briefings to both the ISRM Committee and the Board.

    Further, the requirement of having a Chief IT Security Officer (“CITSO”) designation has been removed. However, organisations must ensure that all functions previously assigned to the CITSO are appropriately covered within the job descriptions of the CISO and/or Chief Technology Officer (“CTO”), as applicable. This reflects a move towards role consolidation, reducing complexity while retaining functional accountability.

    Greater Board Accountability for Cybersecurity Governance

    The Amended Guidelines treat cybersecurity as a core enterprise risk, rather than a technical or operational concern. This brings cybersecurity oversight squarely within the Board’s supervisory duty. Accordingly, the 2026 Guidelines prescribe expanded responsibilities for the Board of Directors including, inter alia, the requirement to allocate a sufficient budget for information and cyber security, proportionate to the organisation’s risk profile. The Board is also required to receive and review reports on non‑conformities identified in cyber security assurance audits and to ensure that identified gaps are fully remediated within 12 months of reporting. Further, to reduce duplication at the board‑committee level while ensuring that control and risk oversight continues under a streamlined governance structure, the requirement of a Control Management Committee (“CMC”) has been done away with. Instead, organisations are now required to incorporate the functions previously discharged by the CMC into the terms of reference of the Risk Management Committee (“RMC”). This is also in line with IRDAI’s principle-based approach. The Amended Guidelines also prescribe that one or more Independent External Experts with relevant experience in information technology or cybersecurity form part of the RMC.

    Relaxations and Clarifications for Foreign Reinsurance Branches (FRBs)

    The Amended Guidelines include certain clarifications for Foreign Reinsurance Branches (“FRBs”), recognising their branch‑based operating structures. The Amended Guidelines clarify that FRBs are not required to constitute separate governance committees at the branch level, provided that the prescribed responsibilities are discharged at the regional, controlling or head office level. Further, in respect of the controls set out under the checklist of the audit report, FRBs may adopt a “comply or explain” approach, subject to the supervisory process and a reasonably justifiable explanation. These provisions are intended to align the guidelines with the organisational models of FRBs, without diluting the underlying cybersecurity and governance obligations.

    Conclusion 

    With rapidly evolving cyber threats, the Amended Guidelines are a step towards prescribing additional minimum standards for information and cyber security governance applicable to insurers, insurance intermediaries, foreign reinsurance branches, and other regulated entities. Regulated entities in the insurance sector are required to review committee charters, reporting structures, internal policies, and audit processes to ensure alignment with the Amended Guidelines. The Amended Guidelines treat cybersecurity as a core enterprise risk rather than a technical or operational concern, a shift evidenced by the mandating of quarterly ISRM Committee oversight, the introduction of the ITS Committee to align business strategy with cybersecurity, the reinforcement of the CISO’s structural independence, and the expansion of the Board’s direct accountability for cyber governance. Regulated entities in the insurance sector must, therefore, ensure that their boards and senior management possess, or have access to, sufficient cyber literacy to provide meaningful oversight, rather than delegating responsibility solely to IT or information security functions. Taken together, the selective amendments introduced by the Amended Guidelines reflect a broader regulatory convergence towards treating cyber resilience not merely as a compliance exercise, but as a fundamental pillar of sound institutional governance and long-term business continuity.


    Indranath Bishnu

    Partner (Head – Insurance) with Cyril Amarchand Mangaldas. His work is focussed on the insurance industry, where he specialises in mergers and acquisitions, joint ventures and regulatory matters. He is currently leading the team from Cyril Amarchand Mangaldas engaged to advise the Regulation Review Committee constituted by the General Insurance Council and the Life Insurance Council in relation to overhauling and consolidating the regulatory framework issued by the IRDAI. He has advised various government bodies, including the Department of Financial Services (Ministry of Finance) and the IRDAI, on reforms in the insurance sector. He currently serves as a member of the committee constituted by the IRDAI to study and recommend capital requirements for insurance entities. On the transactional side, Indranath advises multiple corporations, both Indian and foreign, in relation to investments in the insurance sector as well as the establishment, operation, management and control of insurance companies and intermediaries in India. He can be reached at indranath.bishnu@cyrilshroff.com.

    Ila Vyas

    Principal Associate in the General Corporate practice at the Mumbai office of Cyril Amarchand Mangaldas. Ila has over 10 years of experience working in the financial regulatory sector, including the insurance, reinsurance and fintech regulatory space, on both contentious and non-contentious matters.

    She has advised on various matters in relation to end-to-end solutions for doing insurance and reinsurance business in India, setting up a presence in India, corporate governance, compliance and regulatory matters, and insurance and securities regulatory matters before the Securities Appellate Tribunal. She can be reached at ila.vyas@cyrilshroff.com.