IRDAI Tightens Cyber Rules: Insurers Must Now Align with DPDP Act, CISO Independence Mandated
India's insurance sector faces a new, binding compliance deadline. The Insurance Regulatory and Development Authority of India (IRDAI) has issued updated Information and Cyber Security Guidelines, mandating that all regulated entities—including insurers, reinsurance branches, and intermediaries—comply with the Digital Personal Data Protection (DPDP) Act. This alignment is not optional: compliance is required starting from the current financial year, effectively replacing the 2023 framework and imposing a direct legal obligation on the entire industry.
The revised guidelines introduce stricter operational controls designed to fortify institutional oversight. A key change mandates that the Chief Information Security Officer (CISO) must operate with clear independence: the CISO cannot have a direct reporting line to the Head of IT and must be shielded from business performance targets. Furthermore, the Information Security Risk Management Committee (ISRMC) is now required to meet at least quarterly, doubling its previous minimum frequency. The process for approving security exceptions has also been formalized into a tiered system, with deviations lasting up to three months requiring CISO sign-off, and those extending to a year needing ISRMC approval.
This regulatory shift places immediate pressure on insurers, brokers, and third-party administrators to audit and upgrade their data governance and cybersecurity frameworks. The explicit integration of the DPDP Act's requirements signals a move toward harmonized data protection standards across financial regulations. For entities lagging in data compliance, the mandate creates a concrete operational and legal risk, compelling rapid internal restructuring to ensure CISO autonomy and more frequent, documented security oversight.