THE POLICY EDGE

Views are personal.


Between 2017 and October 2023, cybersecurity incidents recorded by CERT-In rose from 53,117 to more than 1.32 million. India’s insurance sector, which is becoming increasingly data-intensive, reflects this broader trend: cyber vulnerabilities have expanded alongside digitisation.

The Insurance Regulatory and Development Authority of India’s (IRDAI) evolving cybersecurity architecture suggests that regulators increasingly view cyber resilience not merely as a technology issue, but as part of institutional governance and financial stability. The progression from the 2017 Information and Cyber Security Guidelines to the April 2026 Version 2.0 framework illustrates this shift. What began largely as a perimeter-security model has gradually evolved into a broader system of governance oversight and data-risk supervision.

This transition reflects a wider attempt to adapt insurance regulation to increasingly interconnected forms of cyber-risk. As insurance systems become more dependent on digital platforms, outsourced vendors, and third-party service providers, vulnerabilities are extending well beyond insurers’ internal systems.

From Perimeter Defence to Governance Oversight

IRDAI’s 2017 framework focused primarily on securing network infrastructure and establishing baseline cybersecurity procedures. Its limitations, however, became more visible as insurance distribution and claims processing grew increasingly interconnected. While insurers fell within the framework’s scope, intermediaries handling substantial volumes of customer data remained outside the regulatory perimeter.

That gap narrowed in 2022, when IRDAI extended cybersecurity obligations to intermediaries including brokers, Third Party Administrators (TPAs), insurance repositories, and digital insurance platforms. The move reflected growing recognition that insurance data now flows across a wider ecosystem of platforms and service providers.

The more significant institutional shift arrived in 2023, when IRDAI adopted a governance-oriented model aligned with the National Institute of Standards and Technology (NIST) Cybersecurity Framework. Cybersecurity increasingly came to be treated as part of enterprise risk governance, with Boards and Risk Management Committees assuming more direct oversight responsibilities.

This marked an important transition. Cybersecurity was no longer viewed primarily through the lens of technical safeguards, but as part of broader organisational risk management and institutional accountability.

The 2026 Framework as a Structural Reset

The April 2026 amendments deepen this transition further.

The framework strengthens Chief Information Security Officer (CISO) independence, expands Board accountability, and introduces external cybersecurity expertise into governance supervision. Together, these changes suggest that IRDAI increasingly views cybersecurity failures as failures of oversight and institutional control rather than isolated technology incidents. The amendments also tighten cloud-governance requirements, audit supervision, forensic preparedness, and incident-reporting obligations.

The most consequential aspect of the 2026 framework is its convergence with the Digital Personal Data Protection Act, 2023 (DPDPA).

This effectively creates a dual-layered regulatory structure for the insurance sector. IRDAI governs cybersecurity architecture and operational resilience, while the Data Protection Board of India oversees obligations relating to consent, breach notification, and data-subject rights.

A cybersecurity incident may therefore trigger parallel regulatory consequences: action by IRDAI for governance failures alongside potential penalties under the DPDPA for inadequate protection of personal data.

Uneven Compliance Capacity

As the 2026 framework pushes the sector toward a more integrated compliance environment, insurers are increasingly required to align cybersecurity, privacy management, audit systems, and operational risk governance within a single institutional structure.

That burden, however, is unlikely to be distributed evenly across the sector. Large insurers are generally better positioned to absorb the costs associated with advanced governance systems and cyber-risk infrastructure. Smaller intermediaries may face greater operational strain as regulatory expectations become more sophisticated.

Over time, cybersecurity governance may also emerge as a competitive differentiator within the insurance market.

The challenge for regulators will be to strengthen cyber resilience without creating compliance structures that disproportionately disadvantage smaller intermediaries.

Governance Is Becoming Central to Cyber Resilience

IRDAI’s 2026 framework suggests that the regulator increasingly views cyber resilience as closely linked to financial stability, operational continuity, and consumer protection. That approach is likely to influence regulatory thinking beyond insurance as India’s financial sector becomes more platform-based and data-intensive.

For regulated entities, the direction of travel is becoming clearer: cyber resilience is increasingly being shaped not only by technological safeguards, but also by the quality of governance structures overseeing them.

The next phase of IRDAI regulation may therefore move toward more proportionate compliance models that account for differences in scale, technological capacity, and systemic exposure across regulated entities, balancing stronger oversight with the operational realities of a highly uneven insurance ecosystem.
