
Insurance Cybersecurity and IRDAI Compliance India

Indian insurers handle large volumes of policyholder personal data, claims information, medical records (for health insurance) and payment flows. IRDAI has issued specific cyber expectations through the Information and Cyber Security Guidelines. DPDP applies in parallel. Here is the practical insurance cyber programme our practice delivers across general, life and health insurance.

Published 23 May 2026, 9 min read, by Codesecure Industry Practice

Key Takeaways

  • IRDAI Information and Cyber Security Guidelines apply to every authorised Indian insurer. Annual VAPT, dedicated CISO, board-level cyber governance, incident reporting.
  • Policyholder personal data (often including health data) is regulated under DPDP plus IRDAI-specific obligations. Significant Data Fiduciary designation likely for large insurers.
  • Claims fraud via cyber attack is a growing pattern: account takeover of policyholder portals, manipulated digital claim submissions, social engineering of claim assessors.
  • Legacy core insurance systems (mainframe, decades-old platforms) carry significant residual risk. Compensating controls and modernisation roadmaps are the dual track.
  • Third-party TPAs and bancassurance partners are major risk vectors. The insurer remains accountable for the cyber posture of the chain.

The IRDAI Regulatory Landscape for Cyber

IRDAI (Insurance Regulatory and Development Authority of India) has published the Guidelines on Information and Cyber Security for the Insurance Sector. The guidelines apply to all authorised insurers (general, life, health, reinsurers) and to insurance intermediaries. They prescribe board-level governance, a dedicated CISO with a reporting line independent of the CIO, an Information Security Committee, a formal cyber security policy, annual VAPT, incident reporting, a board-reviewed cyber risk dashboard, and many other controls aligned with ISO/IEC 27001 and the broader RBI Cyber Security Framework pattern.

Beyond IRDAI: DPDP Act 2023 applies to all policyholder personal data, CERT-In April 2022 directions require 6-hour incident notification for specified events, the IT Act 2000 framework applies, NCIIPC may designate large insurers as critical information infrastructure operators, and large international insurers face GDPR and US-state insurance regulatory expectations on top.

Policyholder Data Protection

Policyholder data is sensitive across multiple dimensions: identity (full PII including ID numbers), financial (premium payment, settlement amounts), behavioural (claim history, lifestyle data for life and health), and (for health insurance) medical (treatment records, pre-existing conditions, claim documentation). All of this is regulated under DPDP, with health data carrying additional sensitivity in the DPDP framework's treatment of personal data.

Practical implications: consent capture at proposal stage with clear separation of distinct processing purposes (underwriting, fraud detection, marketing, third-party sharing), data principal rights operationalised (access, correction, erasure where lawful, given regulatory retention requirements), retention schedules per data class, breach notification workflow that satisfies both IRDAI incident reporting and DPDP notification, and (likely for major insurers) Significant Data Fiduciary obligations including DPO appointment and periodic independent audits.


Claims Fraud Enabled by Cyber

Cyber-enabled claims fraud is a growing pattern in Indian insurance. Account takeover of policyholder portals allows fraudsters to add nominees, change bank accounts for payouts, submit synthetic claims, and (for life) initiate maturity payouts to attacker-controlled accounts. Spear phishing of claim assessors targets specific high-value claims. Manipulated digital claim submissions exploit weak validation in straight-through processing workflows.

The cyber side and the fraud side need to integrate. Account takeover countermeasures include MFA on the policyholder portal, anomalous-login detection, change-of-bank-account out-of-band verification, and high-value-payout secondary review. Internal controls include role-based segregation between underwriting, claim assessment and payout authorisation, with cyber monitoring on every privileged action. Codesecure delivers insurance-specific engagements that surface findings with both cyber and fraud-prevention framing.
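The account-takeover and segregation-of-duties controls listed above, expressed as decision logic in an added Python example (not Codesecure's code or part of the original post). The threshold, action names, role fields and sample events are constructed for illustration; an insurer would derive them from its own payout and fraud data.

```python
from dataclasses import dataclass, field

# Constructed threshold for the example; an insurer sets this from its own payout and fraud data.
HIGH_VALUE_PAYOUT_INR = 500_000
SENSITIVE_CHANGES = {"change_bank_account", "add_nominee"}  # changes to where money goes

@dataclass
class PolicyProfile:
    known_devices: set = field(default_factory=set)
    usual_geos: set = field(default_factory=set)

@dataclass
class PortalEvent:
    policy_id: str
    action: str                 # login | change_bank_account | add_nominee | request_payout
    device_id: str = ""
    geo: str = ""
    amount_inr: int = 0
    oob_verified: bool = False  # out-of-band confirmation (e.g. registered mobile) completed
    assessor: str = ""          # staff member who assessed the claim behind a payout
    authoriser: str = ""        # staff member authorising the payout

def assess(event, profile):
    """Return the control decisions for one portal or payout event."""
    if event.action == "login":
        # Anomalous-login detection: unknown device or unusual location forces step-up MFA and a SOC alert.
        if event.device_id not in profile.known_devices or event.geo not in profile.usual_geos:
            return ["step_up_mfa", "alert_anomalous_login"]
        return ["allow"]
    if event.action in SENSITIVE_CHANGES:
        # A portal session alone never changes a payout destination; require out-of-band confirmation.
        return ["apply"] if event.oob_verified else ["hold_pending_oob_verification"]
    if event.action == "request_payout":
        if event.assessor and event.assessor == event.authoriser:
            return ["reject_segregation_of_duties"]  # assessor must not authorise their own payout
        if event.amount_inr >= HIGH_VALUE_PAYOUT_INR:
            return ["secondary_review"]
        return ["apply"]
    return ["reject_unknown_action"]

def run_controls(events, profiles):
    """Evaluate an event stream; each record doubles as the monitoring log entry for that action."""
    return [(e.policy_id, e.action, assess(e, profiles.get(e.policy_id, PolicyProfile()))) for e in events]

# Constructed sample data: one policyholder with a known device and usual location.
SAMPLE_PROFILES = {"POL-001": PolicyProfile({"dev-a"}, {"IN-MH"})}
SAMPLE_EVENTS = [
    PortalEvent("POL-001", "login", device_id="dev-zz", geo="IN-DL"),
    PortalEvent("POL-001", "change_bank_account", device_id="dev-zz"),
    PortalEvent("POL-001", "request_payout", amount_inr=1_200_000, assessor="u17", authoriser="u42"),
    PortalEvent("POL-001", "request_payout", amount_inr=40_000, assessor="u17", authoriser="u17"),
]
```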

Legacy Core Insurance System Risks

Indian insurers operate some of the oldest production systems in the country. Mainframe-based core insurance platforms, AS/400 deployments, decades-old policy administration systems, and homegrown C / COBOL applications are still load-bearing for several established insurers. Modern fronts (web portal, mobile app, partner APIs) layer on top of these legacy cores.

Risk pattern: the legacy cores cannot be patched on modern cadence, cannot run modern EDR, often have weak access controls (shared accounts, password policies from the 1990s), and integrate with the modern stack through middleware that is itself a compromise target. Defensive approach: aggressive segmentation around legacy cores (only specific named middleware endpoints can talk to them), compensating monitoring at every gateway, strict change control, and a documented modernisation roadmap that the board reviews periodically. Modernisation is multi-year; the cyber programme has to make the legacy cores defensible for the duration.

Third-Party TPAs and Bancassurance

Third-Party Administrators (TPAs) for health insurance, bancassurance partners distributing insurance, insurance brokers and aggregators, claims adjusters, telecallers, lead-generation vendors and IT outsourcing partners all connect to the insurer's systems with varying levels of access. Each is a potential pivot. The insurer remains accountable to IRDAI and DPDP for the cyber posture of the chain.

Recommended controls: complete third-party register with classification by access level and data sensitivity, cyber clauses in service agreements (incident notification, audit rights, exit data deletion), vendor cyber attestation (ISO 27001 certification, SOC 2 reports, DPDP-aligned DPAs), annual vendor assessment with on-site review for highest-risk TPAs, and integration of vendor incidents into the insurer's IR plan. Most insurance engagements reveal a vendor register that is 30 to 60 percent incomplete at first scan.


VAPT and Audit Obligations Under IRDAI

IRDAI guidelines require annual VAPT at minimum, with the report retained for inspection and reviewed by the Information Security Committee. The scope covers internet-facing systems, internal critical systems, applications (policyholder portal, agent portal, admin systems), and the third-party-connected surface.

Our standard insurance VAPT covers external network, internal network, policyholder portal (web and mobile), agent and broker portals, claims platform, core insurance system integrations (subject to vendor coordination for legacy platforms), Active Directory, cloud configuration where applicable, and TPA integration boundaries. Reports map findings to IRDAI Guidelines control areas, ISO/IEC 27001:2022 Annex A, DPDP Section 8, and where applicable PCI DSS for any card data flow. Free re-test within 90 days is included.

Incident Reporting Under IRDAI

IRDAI expects material cyber incidents to be reported through the regulator's defined channels within the prescribed timeline (typically within hours for material incidents). The report includes the nature of the incident, its scope, immediate actions taken, communication with affected policyholders, and the remediation plan. Reports are followed up with a detailed post-incident review.

Parallel notifications fire to CERT-In (6 hours per April 2022 directions), to the Data Protection Board if personal data is involved (DPDP timeline per rules), to affected policyholders (per DPDP plus IRDAI consumer protection obligations), to law enforcement where relevant, and to cyber insurance carriers. The IRP must handle parallel notifications without missing any clock. Codesecure delivers IRDAI-aligned incident response readiness as part of compliance engagements.


Frequently Asked Questions

Does IRDAI require a dedicated CISO?

Yes. The Information and Cyber Security Guidelines expect a board-approved CISO with a reporting line independent of the CIO for authorised insurers. For very small intermediaries, a virtual CISO arrangement satisfying the same governance can be acceptable; large insurers must have a full-time CISO.

How often do we need VAPT under IRDAI?

Annual is the minimum baseline. Material changes (new product, significant architectural change, cloud migration, M&A) trigger additional VAPT. High-risk components (policyholder portal, claims platform) often justify semi-annual testing. Codesecure offers both annual and continuous-VAPT engagement models.

How does IRDAI relate to DPDP for health insurance?

Both apply. IRDAI covers insurance-specific cyber governance and VAPT. DPDP covers personal data protection including health data. Large health insurers are likely Significant Data Fiduciary candidates under DPDP with additional obligations. The programmes overlap and should be run as a single integrated effort.

Can a legacy core be made cyber-defensible?

Yes, through compensating controls (segmentation, monitoring, gateway-level enforcement) while a modernisation roadmap proceeds in parallel. The cyber programme must make the legacy core defensible for the multi-year duration of modernisation. Codesecure helps insurers design and execute this dual track.

Do you do TPA security assessments?

Yes. Engagements cover the TPA's own systems plus the integration boundary with the insurer. Reports go to both parties and support the insurer's vendor risk management as well as the TPA's own posture improvement. Where multiple insurers share a TPA, multi-party engagements are possible.

How much does insurance cybersecurity cost?

A defensible annual programme for a mid-size Indian insurer typically lands at INR 50 lakh to 2 crore, including a dedicated CISO function, managed SOC, annual VAPT, DPDP / IRDAI compliance documentation and an IR retainer. Large insurers run higher. Codesecure offers fixed-price proposals.


Codesecure Industry Practice

OSCP / CEH / CISSP / ISO 27001 LA Certified

Codesecure Solutions is ISO/IEC 27001:2022 certified and delivers sector-specific cybersecurity for healthcare, banking and fintech, manufacturing, e-commerce, education, legal and insurance customers across India, Singapore, UAE and the Middle East. Named consultants with OSCP, CEH, CISSP and ISO 27001 Lead Auditor credentials. 150+ engagements completed.
