Navigating the New IRDAI Information and Cyber Security Guidelines, 2026: A Blueprint for Resilience


On April 6, 2026, the Insurance Regulatory and Development Authority of India (IRDAI) issued the revised "Information and Cyber Security Guidelines, 2026". Driven by an evolving threat landscape and industry feedback, these updated guidelines are designed to help the insurance sector further strengthen its defenses and governance mechanisms against emerging cyber threats.

For professionals in risk, compliance, and IT within the insurance ecosystem, this is a pivotal regulatory update. The mandate shifts the focus from baseline compliance to robust, continuous cyber resilience. Here is a professional breakdown of what these new guidelines entail and how they will impact regulated entities.

Key Structural and Governance Changes

The 2026 guidelines introduce significant process-level interventions and redefine operational accountability at the highest levels of management.

1) Elevated Board Responsibilities: The Board of Directors is now explicitly required to provide a sufficient budget for information and cyber security, ensuring it is proportional to the organization's risk appetite. Furthermore, the Board must approve timelines for closing security gaps and ensure they are resolved within 12 months of reporting.

2) Empowered and Independent CISO: To avoid conflicts of interest, the Chief Information Security Officer (CISO) shall not have a direct reporting relationship with the Head of the IT function. The CISO must not be assigned any business targets.

3) Committee Restructuring: The Information Security Risk Management Committee (ISRMC) is now mandated to meet at least on a quarterly basis. The erstwhile Control Management Committee (CMC) has been dissolved, with its responsibilities absorbed by the Risk Management Committee (RMC).

4) Independent External Expert (IEE): Recognizing the rapid changes in technology, the RMC must now include one or more Independent External Experts possessing substantial IT or cybersecurity expertise.

5) Role Consolidations: The specific designation of Chief IT Security Officer (CITSO) has been removed, with organizations expected to roll those responsibilities into the existing CISO or Chief Technology Officer (CTO) job definitions.

Heightened Operational and Technical Controls

The update introduces stringent, time-bound expectations for securing infrastructure, especially concerning third-party dependencies and cloud environments.

1) Cloud Service Provider (CSP) Mandates: Organizations utilizing cloud services must ensure their CSP is empanelled by the Ministry of Electronics and Information Technology (MeitY) and holds a valid STQC audit status. Contracts must explicitly require the CSP to completely eliminate any trace of data from disks and backups upon termination of the agreement.

2) Stringent Penetration Testing: External grey-box or white-box Penetration Testing (PT) must be conducted on all internet-facing information assets or systems at least once every six months. This testing must be performed by a CERT-In empanelled auditor.

3) Post-Quantum Preparedness: Organizations are now required to maintain an up-to-date inventory of their cryptographic assets to ensure they are prepared for the transition to post-quantum cryptographic environments.

4) Supply Chain and Outsourcing: Regulated entities must use Service Level Agreements (SLAs) to ensure that outsourced entities obtain prior written permission before engaging in any further sub-outsourcing.

Tiered Applicability Based on Risk

The IRDAI has adopted a pragmatic, risk-based approach to the applicability of the National Institute of Standards and Technology (NIST) Cybersecurity Framework functions (Identify, Protect, Detect, Respond, Recover).

1) Core Entities: Insurers (Life, Non-Life, Health, Re-insurers, and Foreign Re-Insurance Branches) must comply with all sub-chapters of the framework, including specific controls for Work from Remote Location (WFRL).

2) Intermediaries: For entities like Brokers, Corporate Agents, Web Aggregators, and Third-Party Administrators, applicability is tiered based on their gross insurance revenue and how they access the insurer's systems.

3) Limited Access Exemption: Entities that connect to an insurer's systems solely to view data, proposals, or reports without the ability to upload or edit data are primarily bound by the "Protect" sub-chapter. Entities that only handle physical data and maintain no electronic databases are exempt from these specific sub-chapters.

Audit and Compliance Protocols

The regulatory expectation for assurance has been significantly tightened to eliminate interpretational ambiguity.

1) Strict Auditor Qualifications: The annual independent assurance audit must be conducted by a CERT-In empanelled auditor or an ICAI-registered Chartered Accountant firm with at least five years of continuous practice. The firm must have a CISA/DISA-certified partner and a Fellow Member of ICAI.

2) No Reliance on Management Representations: The certification process no longer recognizes Management Representations (MRs) or reliance on other auditors' work. The appointed auditor must conduct independent interviews, document verification, compliance checks, and substantive checks of controls.

3) Exception Management Discipline: Any security exception requested for a period exceeding 12 months must undergo a mandatory reassessment and re-approval process.

The Bigger Signal

The IRDAI Information and Cyber Security Guidelines, 2026, represent a clear paradigm shift. Process flexibility is being replaced by time-bound discipline, and manual assurance is making way for system-driven, verifiable controls. For insurance institutions and intermediaries, the immediate next steps involve reassessing current accounting and security positions, upgrading cloud and third-party contracts, and preparing for a highly rigorous, evidence-based audit cycle.

Published by Vishal Aggarwal, Professional Analyst, K.G. Somani & Co LLP
