Cyber Security

Insurers collect, store, and share data with multiple third parties (e.g., service providers, reinsurers) and aggregate substantial amounts of personal and confidential policyholder information. Data repositories and functions such as call centres have access to policyholders’ data, including sensitive health information. This information needs to be shared only on a need-to-know basis, ensuring that there is no leakage. Exposure of personal data can cause severe harm to policyholders as well as reputational damage to the insurer.

Hence the Insurance Regulatory and Development Authority of India (IRDAI) formulated a dedicated framework for information and cyber security for insurers, with an in-built governance mechanism that requires regulated entities to address security issues on an ongoing basis.

Key Objectives of the IRDA Cybersecurity framework

  • To ensure that a Board approved Information and Cyber Security policy is in place with all insurers.

  • To ensure that necessary implementation procedures are laid down by insurers for Information and Cyber Security related issues.

  • To ensure that insurers are adequately prepared to mitigate Information and cyber security related risks.

  • To ensure that an in-built governance mechanism is in place for effective implementation of the Information and cyber security framework (Cyber Crisis Management Plan).

The guidelines are applicable to all insurers regulated by IRDA and to all data created, received or maintained by insurers wherever these data records are and whatever form they are in, in the course of carrying out their designated duties and functions.

For more details, read the following document: And Tenders/IRDAI-GUIDELINES.pdf

The guidelines mandate that the insurer’s Risk Management Committee is responsible for an annual comprehensive assurance audit, including a Vulnerability Assessment & Penetration Test (VAPT), and must report the findings to IRDA.

As a CERT-IN empanelled body, QRC will help you understand, manage, and comply with IRDA’s Cyber Security requirements as published in the IRDA’s guidelines on information and cyber security for insurers.

Audit Approach

The IRDA Cybersecurity Audit is conducted as an in-depth technical assessment, covering the information security process and the applicability of cyber security controls. The framework itself was arrived at by the following sub-groups, comprising experts drawn from insurance companies:

  • Group-1: All four layers of security (Data, Applications, Operating systems and Network layers)

  • Group-2: Security Audit

  • Group-3: Legal aspects on Cyber Security

The assessment covers all technical requirements set out in the IRDA guidelines and verifies them through evidence gathering. Our approach for assessment is as follows:

  • Information Gathering & Documentation Review

    QRC will share a detailed questionnaire, along with other documentation, to aid in the scope definition, planning and preparation of the audit and its objectives. Evidence is collected on the architecture, implementation and controls to understand the data flow in your organization.

  • Audit Process

    After scope definition as per the IRDA cybersecurity guidelines and initial engagement, we conduct an initial audit to understand the organization’s infrastructure and help clients identify evidence for all audit points. The assessment aims at measuring, managing and controlling IT-related risks to enhance the reliability of processes and of the critical system platforms, networks and physical components that support business processes.

  • Remediation

    Based on the assessment findings and the identification of the payment data, QRC will provide remediation support for complying with the IRDA cybersecurity guidelines in each domain.

  • Report & Confirmation Letter

    After assessment and remediation, we review your evidence for the closure of the action items identified during the audit. On successful closure, we share the certificate and a report confirming that all requirements of the IRDA cybersecurity guidelines have been checked successfully.


QRC significantly reduces the effort organizations spend on complying with the IRDA Guidelines by providing a well-documented approach. The methodology helps in:

  • Improving IT governance by reducing risks, improving security, complying with IRDA regulations and facilitating communication between technology and business management

  • Standardizing the information systems of the business and strengthening business efficiency and system and process controls.

  • Establishing strong security governance, improving the cybersecurity posture and showcasing security competence.

  • Improving customer trust and the management of the information and development systems of the business.

  • Having audits conducted by a CERT-IN empanelled auditor, which allows insurers to proactively identify vulnerabilities in their IT infrastructure and validate the effectiveness of their current security safeguards.

  • Improving the security of the organization through suggestions and feedback from the experienced QRC team.
