Book A Demo

IRDAI's updated IT and cybersecurity guidelines aren't optional reading, they're the basis of your next licence renewal audit. Most brokers know the circular exists. Very few have actually mapped their current operations against the specific requirements it mandates. That gap is where licence suspensions begin.

Who Does This Apply To?

The circular covers all IRDAI-registered insurance intermediaries, not just large insurers. This means direct brokers, composite brokers, web aggregators, corporate agents, and insurance marketing firms are all within scope. The most common misconception we hear from brokers is that cybersecurity compliance is something insurers worry about, not intermediaries. The 2025 guidelines are unambiguous on this point: they apply to you.

If your firm holds an IRDAI Direct Broker licence, this circular applies to your operations regardless of headcount, revenue, or the number of policies you issue annually. Size is not a mitigating factor in the eyes of the regulator. An eight-person brokerage using a third-party SaaS platform is held to the same cybersecurity standards as a 200-person composite broker with its own IT department.

The 2025 circular is explicit: all IRDAI-registered intermediaries are in scope. An eight-person brokerage is held to the same cybersecurity framework as a large composite broker.

What Changed in the 2025 Update?

The previous cybersecurity circular (2019) was principles-based. It set broad direction, have a policy, protect customer data, have a plan for incidents, but left significant latitude in how firms interpreted and implemented those requirements. Auditors worked with reasonable judgement. Brokers could demonstrate intent and get through.

The 2025 update is prescriptive. Specific timelines. Specific technical controls. Specific reporting obligations with defined windows. The shift matters because it changes how auditors approach assessments: they now work from a checklist of mandatory controls, and the standard for compliance is documentary evidence, not a verbal explanation of what you do.

The key additions in the 2025 update:

  • Mandatory cloud policy: if you use any cloud-hosted platform, you must have a documented cloud governance policy covering data classification, vendor assessment, and access controls.
  • Vendor risk assessment framework: every third party that handles policyholder data must be formally assessed. You own that assessment, it cannot be delegated to the vendor.
  • Defined incident response timelines: first report to IRDAI must be made within 6 hours of detecting a cybersecurity incident. This is not a best-effort guideline.
  • Data residency requirements: all policyholder data must be stored within India. Cloud platforms with data centres outside India are non-compliant for this purpose.

The 7 Mandatory Controls, and What IRDAI Auditors Check

These are the controls auditors work through systematically. For each one, the question isn't whether you have something in place, it's whether you can produce documentation that proves it.

01

Board-Approved IT & Cybersecurity Policy

Your cybersecurity policy must be formally approved by the Board, reviewed at least annually, and signed by a Board member. This is not something a senior employee can sign off on. Auditors specifically ask: "Can you show me the board resolution?" If you have a policy document that's been approved at management level but not formally ratified by the Board, it fails this control. The fix is straightforward, it's a governance process, not a technical one, but many brokers haven't done it.

02

Annual VAPT by a CERT-In Empanelled Vendor

Vulnerability Assessment and Penetration Testing must be conducted annually, and it must be done by a firm on the CERT-In empanelled vendor list, your internal IT team, an unapproved freelancer, or an overseas security firm does not satisfy this requirement. The VAPT report must include identified vulnerabilities with severity ratings, and you must be able to show a remediation plan with timelines for any medium or high-severity findings. A clean VAPT report is good; an addressed VAPT report with documented remediation is what auditors actually want to see.

03

Data Classification & Localisation

All policyholder data must be stored within India. If any part of your technology stack, your CRM, policy management system, email platform, cloud storage, uses servers outside India, you have a data residency problem. This catches many brokers who adopted SaaS tools in a hurry without checking where the data actually sits. The fix: verify the data centre location for every platform you use, and get written confirmation from your vendors. US-hosted or EU-hosted platforms that store Indian policyholder data are non-compliant, full stop.

04

Incident Reporting Within 6 Hours

Any cybersecurity incident, a data breach, ransomware attack, unauthorised access to customer records, or system compromise, must be reported to IRDAI within 6 hours of detection. This is one of the tightest incident reporting windows in any Indian financial services regulation. Meeting it requires a documented incident response plan that exists before anything goes wrong: named contacts, escalation paths, pre-drafted notification templates, and a clear definition of what qualifies as a reportable incident. If you're figuring out your incident response process after something has already happened, you will miss the 6-hour window.

05

Business Continuity Plan + Disaster Recovery

A documented BCP with defined Recovery Point Objective (RPO) and Recovery Time Objective (RTO) is mandatory. IRDAI's expectation for critical systems is broadly RPO ≤ 4 hours (you can lose no more than 4 hours of data) and RTO ≤ 8 hours (systems must be restored within 8 hours). The plan must be tested, a BCP that exists on paper but has never been exercised doesn't demonstrate actual preparedness. Auditors look for evidence of DR testing: test logs, test dates, and what was found and fixed.

06

Staff Cybersecurity Awareness Training

Mandatory cybersecurity training for all staff, not just the IT team, with attendance records and dates. Auditors ask to see training logs. An annual session with a sign-in sheet satisfies the basic requirement. What doesn't work: an email about cybersecurity best practices sent to the team, or a one-time induction session from three years ago. The training must be documented, dated, and repeatable on a regular cycle.

07

Third-Party Vendor Risk Assessment

Every SaaS platform, cloud service, or outsourced function that touches policyholder data must be formally assessed for security. You are accountable for your vendors' security posture under the circular, the regulator's position is that outsourcing a function does not outsource the compliance obligation. A vendor risk assessment includes reviewing their security certifications, data handling practices, incident response procedures, and contractual security commitments. This needs to be documented and updated when you add new vendors.

The Audit Risk Is Real

IRDAI has significantly increased scrutiny on intermediaries following several data incidents in the insurance industry over the past two years. The consequences of non-compliance aren't theoretical: show-cause notices, financial penalties, and in serious cases, suspension of your broker licence. The pattern the regulator is applying is consistent, they want documentary evidence of each control, not a verbal walk-through of what your team does.

The most common gap we see is brokers using technology platforms, for policy management, CRM, client portals, that have never been VAPT-tested and where the broker doesn't know where the data sits. The broker assumes the platform is compliant. The platform hasn't been asked. An IRDAI auditor asking "show me the VAPT report for your policy management platform" will surface this gap immediately.

The most common gap: brokers using technology platforms that have never been VAPT-tested, with no confirmation of where policyholder data is hosted. An IRDAI auditor will surface this in the first ten minutes.

What to Ask Your Technology Platform Provider

If you use any third-party platform for policy management, CRM, client portal, or document management, you need written answers to these questions before your next audit. These are not nice-to-have clarifications, they're required for your vendor risk assessment documentation.

  • VAPT status: Is the platform VAPT-tested by a CERT-In empanelled vendor? Can you share the most recent VAPT report, or a summary of findings and remediation status?
  • Data residency: Where is the platform's data hosted? Are all servers and data centres located within India? Can you provide written confirmation of this?
  • Incident response: What is your incident response SLA? How and when do you notify customers in the event of a breach or security incident?
  • Audit documentation: Can you provide a security compliance letter that we can include in our IRDAI audit documentation? This letter should confirm VAPT status, data residency, and your security controls.

A vendor that can't answer these questions, or takes weeks to respond, is itself a compliance risk. Your audit documentation needs a completed vendor risk assessment for each platform; if the vendor won't engage, that's material information for your risk register.

Where to Start

The good news is that most of these controls, once implemented, run in the background with relatively low ongoing overhead. The work is front-loaded: drafting the policies, getting Board approval, commissioning the VAPT, confirming data residency, and putting the incident response plan in place. After that initial setup, it's mostly maintenance, annual VAPT cycles, annual staff training, annual policy review.

Start with controls 1 (Board-Approved Policy), 2 (VAPT), and 3 (Data Localisation). These are where most brokers have the largest gaps, and they're what auditors look at first. If you can produce a board-approved cybersecurity policy, a recent CERT-In VAPT report with addressed findings, and written confirmation from your technology vendors that data is stored within India, you're ahead of most of your peers walking into a renewal audit.

The 6-hour incident response requirement (control 4) is the one that tends to catch people off guard even when the other controls are in place. Build the incident response plan now, not when you need it.

Related Articles

Product April 2026 · 7 min
White-Label Insurance Platform vs. Building In-House: A CTO's Guide

A practical breakdown of the build-vs-buy decision for insurance technology, costs, timelines, compliance implications, and what most CTOs get wrong.

Read Article
Distribution Strategy May 2026 · 6 min
How NBFCs Can Offer Insurance Without an IRDAI Licence, Legally

The licensed broker partnership model lets NBFCs distribute insurance across 45+ insurers without obtaining a Corporate Agent licence. Here's exactly how it works.

Read Article

Want this applied to your business?

Book a demo and we'll walk through your specific situation, distribution strategy, compliance requirements, and the technology that fits your business model.

Book A Demo