What the 6 April 2026 guidelines changed
The IRDAI Information and Cyber Security Guidelines issued on 6 April 2026 moved cyber-incident handling from a back-office IT concern to a board-level, time-bound obligation, for a far wider set of entities than before. Three features define what changed: a much tighter reporting clock, a fixed log-retention requirement, and a governance rule on who the chief information security officer answers to. A fourth, the expansion of scope to intermediaries and TPAs, makes it sector-wide, not insurer-only.
The reporting change is sharpest: a cyber incident must now be reported to CERT-In within six hours of detection, with a copy to IRDAI. Six hours is demanding and is measured from detection, which puts a premium on detection and a pre-built workflow, since there is no time during a live incident to work out who reports and how. The log requirement is concrete: 180-day rolling retention of ICT and application logs. The governance rule is structural: the CISO must not report to the Head of IT, cannot carry business targets, and reports to the board, keeping security oversight independent of the function it polices.
The guidelines are aligned with the DPDP framework, which matters because a data breach engages both regimes at once and the controls they require are the same controls a DPDP breach assessment depends on, so building to the guidelines does double duty. Because the six-hour window runs from detection, not from confirmation of full scope, early detection and a standing workflow are the binding constraints.
Who is now in scope
The most consequential change is the breadth of application: the guidelines apply not only to insurers and Foreign Reinsurance Branches but to intermediaries, including brokers, corporate agents, web aggregators and insurance marketing firms, and to third-party administrators. Many previously treated cyber-security as primarily the insurer's concern; the guidelines remove that assumption and place direct, time-bound obligations on the intermediary itself.
Intermediaries hold and move exactly the kind of data that makes a cyber incident reportable and a DPDP breach serious: a broker holds proposal data, KYC and client financials across many clients; a corporate agent and web aggregator collect personal and policy data at the point of sale; a TPA processes large volumes of sensitive health data. An incident at any of these is now a reportable event on the six-hour clock, and the entity, not the insurer it distributes for, carries the obligation.
The expansion bites hardest on smaller intermediaries: a six-hour CERT-In capability, 180-day log retention and an independent CISO function are real commitments, and a small broking or marketing firm with a light IT setup has to build genuine capability rather than rely on a policy document. The guidelines do not scale the obligation away.
The six-hour clock and the incident-response runbook
Meeting a six-hour window is a discipline built before an incident: a runbook that converts detection into a filed report inside the window, reliably under stress. It needs the following elements.
- Detection that surfaces incidents fast, because the clock starts at detection and late detection makes the window impossible.
- A named, reachable incident owner and deputy to own the decision and act of reporting, around the clock.
- Pre-built reporting templates and channels, with standing facts filled and credentials tested in advance.
- A triage rule for what is reportable; when in doubt, report and supplement later.
- The DPDP and IRDAI overlap handled in one flow. A data breach triggers the six-hour CERT-In report, the IRDAI copy and the separate DPDP notification to the Board and affected data principals, so the runbook fires all of these from one event, the CERT-In report being the tightest.
A runbook that has never been exercised will not perform under a real incident. A tabletop exercise walking a simulated incident through detection, triage, the six-hour report, the IRDAI copy and the DPDP notification, with the actual responders, finds the gaps before they cost a missed report.
180-day logs and CISO independence
Two structural requirements deserve attention, because they are where intermediaries most often fall short.
The 180-day rolling log retention
The guidelines require 180-day rolling retention of ICT and application logs. Logs make an incident investigable and are the evidence base for both the CERT-In report and the DPDP breach assessment, and the 180-day period means an incident discovered well after the intrusion can still be reconstructed. The questions are whether the relevant logs (application as well as infrastructure) are captured, retained for the full rolling 180 days, tamper-protected, and searchable quickly when needed. A setup that captures the wrong things, retains them too briefly, or cannot be searched under pressure does not meet the requirement.
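A readiness check of the kind this paragraph calls for, as an added example in Python that is not from the guidelines or any vendor tooling: it assumes a constructed inventory of daily log archives, each chained to its predecessor by SHA-256 as the tamper-evidence mechanism, and audits the rolling 180-day window ending today for retention gaps, stale hashes and broken chain links.

```python
import hashlib
from datetime import date, timedelta

RETENTION_DAYS = 180  # rolling retention period the guidelines require

def archive_hash(prev_hash: str, payload: bytes) -> str:
    """Chain each daily archive to its predecessor: rewriting one breaks the next link."""
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()

def build_inventory(first_day: date, n_days: int, skip_days=frozenset()):
    """Constructed sample: one chained daily archive per day, minus skip_days."""
    entries, prev = [], "genesis"
    for i in range(n_days):
        day = first_day + timedelta(days=i)
        payload = f"ICT+application logs for {day}".encode()  # constructed content
        digest = archive_hash(prev, payload)
        if day not in skip_days:
            entries.append({"day": day, "payload": payload, "prev": prev, "hash": digest})
        prev = digest
    return entries

def audit(inventory, today: date, retention_days: int = RETENTION_DAYS):
    """Audit the window ending today: day present, hash recomputes, link matches predecessor."""
    window_start = today - timedelta(days=retention_days - 1)
    by_day = {e["day"]: e for e in inventory}
    missing, tampered, chain_breaks = [], [], []
    for i in range(retention_days):
        day = window_start + timedelta(days=i)
        entry = by_day.get(day)
        if entry is None:
            missing.append(day)            # retention gap inside the window
            continue
        if archive_hash(entry["prev"], entry["payload"]) != entry["hash"]:
            tampered.append(day)           # payload edited, stored hash left stale
        pred = by_day.get(day - timedelta(days=1))
        if pred is not None and entry["prev"] != pred["hash"]:
            chain_breaks.append(day)       # predecessor rewritten and re-hashed
    return {"window_start": window_start, "missing": missing, "tampered": tampered,
            "chain_breaks": chain_breaks, "compliant": not (missing or tampered or chain_breaks)}

def demo(clean: bool = False):
    """Constructed scenario: 200 days of archives; unless clean, one day inside the
    window is missing and one archive is rewritten and re-hashed after the fact."""
    today = date(2026, 10, 1)
    skip = set() if clean else {today - timedelta(days=90)}
    inv = build_inventory(today - timedelta(days=199), 200, skip)
    if not clean:
        victim = next(e for e in inv if e["day"] == today - timedelta(days=30))
        victim["payload"] = b"rewritten after the fact"
        victim["hash"] = archive_hash(victim["prev"], victim["payload"])
    return audit(inv, today)
```

Searchability is the one question this check does not answer: a clean audit shows the archives exist and are intact, not that they can be queried inside the six-hour clock.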
CISO independence
The guidelines require that the CISO not report to the Head of IT, not carry business targets, and report to the board. The logic is a separation of duties: the function responsible for securing IT should not sit underneath the function it polices, and the person accountable for security should not have their judgement compromised by commercial targets. For a large insurer this is an organisational-design point; for a smaller intermediary it is a genuine challenge, because IT and security may sit with one team. The guidelines push such firms to separate security oversight from IT operations and give the security function a board line, which for a small firm may mean designating an independent CISO function and a board cadence. This is a governance change that has to be real.
The cyber-insurance read-through
The guidelines change the risk an intermediary carries and the cover it should hold.
The intermediary's own cover
An intermediary now carries a direct, time-bound cyber-incident exposure: the cost of responding, the reporting obligations, and the liability where a breach harms clients whose data it holds. A cyber insurance policy funds the incident-response and forensic work, the regulatory process, notification, business interruption, and third-party liability where clients or individuals claim. Holding cyber cover sized to the data it holds is sensible; it does not pay regulatory penalties, which are generally not insurable, but it funds the response and third-party tail.
The professional indemnity dimension is distinct: where a client alleges mishandled data, the claim is a professional-liability exposure a PI policy responds to, separate from the cyber response cover, so the programme should account for both layers.
The read-through for clients
The guidelines also strengthen the case an intermediary makes to clients in IT services, healthcare and other data-intensive sectors facing the same DPDP exposure and their own reporting obligations where regulated. The intermediary that can explain where cover responds and where it does not (regulatory penalties) advises more credibly.
The value is in matching the wording to the exposure: the incident-response cover, the regulatory-defence cost, the notification and third-party-claim cover, the business-interruption trigger, and the exclusions. That is wording work, not a premium comparison.
The intermediary readiness playbook
For an intermediary newly in scope, the readiness work is a project, in priority order.
- Confirm you are in scope and own the obligation, not the insurer's; brokers, corporate agents, web aggregators, marketing firms and TPAs are covered.
- Stand up detection and the six-hour reporting workflow: fast monitoring, a named incident owner and deputy reachable around the clock, pre-drafted CERT-In and IRDAI templates, tested channels and credentials, and a triage rule. This is highest priority because an incident can occur at any time.
- Build the 180-day log capability for real, with logs captured, retained, tamper-protected and searchable.
- Fix the CISO governance: separate security oversight from IT operations, remove business targets, and give it a board line.
- Wire DPDP and IRDAI reporting into one runbook, so a data breach fires the CERT-In report, the IRDAI copy and the DPDP notifications from one event.
- Exercise the runbook with a tabletop using the actual responders, fixing the gaps before a real incident does.
- Review your own cyber and professional-indemnity cover against the exposure you now carry, sized to your data.
The honest framing is that the guidelines did not ask for a document; they asked for capability, on a six-hour clock, owned by the firm. The intermediary that treats this as a real operational project will meet the obligation when an incident arrives rather than discover the gaps under pressure.
Matching what each cyber and professional-indemnity wording grants to the data a firm holds is detailed work. Sarvada gives commercial insurance brokers and corporate risk teams structured, searchable access to insurer policy wordings and the intelligence around them, so cyber and PI covers can be matched to the cyber-risk profile the 6 April 2026 IRDAI guidelines now make a time-bound obligation. Request Access to bring that precision to your cyber-readiness conversations.