Insurers and insurance intermediaries, such as brokers and third-party administrators, are now expected to meet more stringent cybersecurity standards, including implementing security controls, developing incident response plans, and performing regular audits.
The Insurance Regulatory and Development Authority of India (IRDAI) announced the Information and Cybersecurity Guidelines, 2023 ("2023 Guidelines") on April 24, 2023, requiring insurers and insurance intermediaries to comply with cybersecurity standards. These include organisational measures, such as assigning particular C-suite executives devoted to information and cybersecurity, as well as other measures such as performing security audits, implementing internal information technology policies, and exerting control over third-party contractors. The IRDAI has exempted certain institutions, such as insurance and micro-insurance agents, from the scope of the 2023 Guidelines.
The IRDAI had previously prescribed certain risk mitigation measures for insurers (later extended to intermediaries) under earlier norms issued in 2017, but the 2023 Guidelines are more extensive and targeted, as they envisage graded compliance for insurance intermediaries based on the level of access to an insurer's systems/databases and the entity's gross insurance revenue. The updated regulations are thus an improvement over the previous requirements from 2017, both in terms of greater readiness for cyber events and flexibility to accommodate insurance intermediaries of diverse sizes and capacities.
Regulated entities are expected to comply with the new guidelines by April 2024.