Cyber Security

Insurers collect, store, and share data with multiple third-parties (e.g., service providers, reinsurers etc.), and aggregate substantial amounts of personal and confidential policyholder information. The repositories like call centers etc have access to policyholders’ data and sensitive health information. The information needs to be shared only on a need to know basis, ensuring that there is no leakage of the information. Exposure of the personal data can cause severe harm for all the policyholders and well as reputational damages.

Hence the Insurance Regulatory and Development Authority of India (IRDAI) formulated a unique framework for information and cyber security for insurers and an in-built governance mechanism for regulated entities to address all the security issues from time to time.

Key Objectives of the IRDA Cybersecurity framework

  • To ensure that a Board approved Information and Cyber Security policy is in place with all insurers.

  • To ensure that necessary implementation procedures are laid down by insurers for Information and Cyber Security related issues.

  • To ensure that insurers are adequately prepared to mitigate Information and cyber security related risks.

  • To ensure that an in-built governance mechanism is in place for effective implementation of the Information and cyber security framework (Cyber Crisis Management Plan).

The guidelines are applicable to all insurers regulated by IRDA and to all data created, received or maintained by insurers wherever these data records are and whatever form they are in, in the course of carrying out their designated duties and functions.

For more details, read the following document : And Tenders/IRDAI-GUIDELINES.pdf

The guidelines mandate that the Insurers’ Risk Management Committee should be responsible for an annual comprehensive assurance audit, including conducting of Vulnerability Assessment & Penetration Test (VAPT) and should report the findings to IRDA.

As a CERT-IN empanelled body, QRC will help you understand, manage, and comply with IRDA’s Cyber Security requirements as published in the IRDA’s guidelines on information and cyber security for insurers.

Audit Approach

The IRDA Cybersecurity Audit is conducted as an in-depth technical assessment, including the audit of the information security process and applicability of cyber security controls in the following sub-groups comprising of experts drawn from insurance companies were formed for arriving at a comprehensive framework for information and cyber security :

Business Understanding

Evaluating business process and environment to understand the in-scope elements

Scope Finalization

Finalize the scope elements and prepare the requirement documentation

Readiness Assessment

Identify the potential challenges that might arise during requirement implementation

Risk Assessment

Identifying and analysing the risks in the information security posture.

Data Flow Assessment

Conducting thorough systems analysis to evaluate data flow and possible leakages

Documentation Support

Assist you with list of policy and procedure to help you in validation or evidence collection

Remediation Support

Support you by recommending solutions to compliance challenges

Awareness Training

Conduct awareness sessions for your Team and personnel involved in the scope

Scans And Testing

Identify critical vulnerabilities in your system with a robust testing approach

Evidence Review

Review of the evidence collected to assess their maturity, in line with the compliance

Final Assessment and Attestation

Post successful assessment, we get you attested for compliance with our audit team

Continuous Compliance Support

Support you in maintaining compliance by providing guidelines


QRC significantly reduces efforts for organization in complying with the IRDA Guidelines by helping them with a well-documented approach. The methodology helps in:

  • Improving IT governance by reducing risks, improving security, complying with IRDA regulations and facilitating communication between technology and business management

  • Standardizing the information systems of the business and strengthening business efficiency and system and process controls.

  • Establishing strong security governance and help improve their cybersecurity posture, showcasing their security competence

  • Improve customer trust and management of the information & developing systems of the business.

  • Audits conducted by a CERT-IN empaneled auditor, allows insurers to be proactive in identifying vulnerabilities in their IT infrastructure, and validate the effectiveness of their current security safeguards.

  • Security of the organization can be improved by getting valuable suggestions and feedback from the experienced QRC team.

Related Updates

LinkedIn Facebook Twitter Youtube

We use cookies to enhance your user experience. By continuing to browse, you hereby agree to the use of cookies. To know more; visit our Privacy Policy & Cookies Policy.