Regulation & Compliance

Anticipated IRDAI Cyber Security Framework v2 in 2026: Scope Expansion, Third-Party Risk, and Board Attestation for Indian Insurers and Intermediaries

A field guide to the expected 2026 refresh of the IRDAI Information and Cyber Security Guidelines 2023, covering scope expansion to brokers and TPAs, third-party risk obligations, board attestation, and the implementation actions that risk and compliance leaders should begin in advance of formal notification.

Tarun Kumar Singh, Strategic Risk & Compliance Specialist (AIII · CRICP · CIAFP)
Tags: irdai, cyber-security, information-security, third-party-risk, board-attestation, regulation-compliance, brokers, tpa, compliance-readiness

Last reviewed: May 2026

Why a v2 of the IRDAI Cyber Security Guidelines Is Expected

The IRDAI (Information and Cyber Security) Guidelines, 2023 consolidated the regulator's expectations for cyber risk management across Indian insurers, replacing the earlier 2017 framework that had become technically dated. Since the 2023 issuance, two material developments have shifted the supervisory posture. First, the operationalisation of the Digital Personal Data Protection Act, 2023 through Rules notified in 2024-2025 introduced parallel obligations on data fiduciaries that overlap heavily with cyber security operations, particularly on breach notification timelines and consent infrastructure. Second, the rapid build-out of Bima Sugam, account-aggregator pipes, and DigiLocker-linked policy issuance has expanded the attack surface of the Indian insurance ecosystem well beyond the insurer perimeter that the 2023 Guidelines primarily addressed.

IRDAI working groups and supervisory communications through 2025 and into 2026 have signalled that a refreshed cyber security framework, informally referenced inside the regulator as the v2 framework, is in advanced drafting. The expectation among compliance leads at Indian insurers and at the larger brokerage firms is that a draft circular will be released for industry consultation in the second half of 2026, with notified guidelines following 6 to 9 months thereafter. Risk committees should not wait for notification to begin readiness work.

The purpose of this article is to set out the design directions that the v2 framework is anticipated to take, based on the regulator's stated supervisory priorities, the gaps identified in post-2023 thematic reviews, and the cross-pollination with the DPDPA Rules and IRDAI's operational resilience expectations. Several of these directions are now well telegraphed; others remain less certain and are flagged as such. Across both categories, the implementation actions are similar enough that early preparation produces little wasted effort regardless of the exact final wording.

Scope Expansion: Brokers, Corporate Agents, TPAs, and Web Aggregators

The most consequential design direction of the v2 framework is the formal extension of cyber security obligations beyond IRDAI-registered insurers to the wider intermediary ecosystem. The 2023 Guidelines primarily applied to insurers, with intermediaries referenced through contractual flow-down rather than direct regulatory obligation. The anticipated v2 framework brings IRDAI-licensed brokers, corporate agents, web aggregators, third-party administrators, insurance repositories, and surveyor and loss assessor firms into direct scope.

This matters because the breach pattern of recent years has demonstrated that the weakest links are typically not the insurer's core systems but the connected intermediary and service-provider environments. Several reported incidents at Indian insurance intermediaries during 2024-2025 involved compromise of broker CRM systems holding policyholder data, exploitation of poorly secured TPA portals exposing claims data, and credential theft at smaller surveyor firms whose systems were never within the insurer's direct security perimeter. By extending direct obligations to these participants, IRDAI closes a recognised gap and reduces the dependence on the indirect reach that the supervisory framework currently provides only through contractual chains.

  1. Brokers and corporate agents will likely be required to maintain a board-approved information security policy proportionate to their size and risk profile, conduct annual independent security testing, designate a senior officer responsible for information security, and report material cyber incidents to IRDAI within a defined window. The proportionality principle is essential: a broker with 10 staff and 200 commercial accounts should not face the same control burden as a large brokerage running multi-state operations on bespoke technology.
  2. Third-party administrators are likely to face the most prescriptive set of obligations among intermediaries, reflecting the volume and sensitivity of health claims data they process. Expectations include hardened authentication for healthcare provider portals, encryption of claims data at rest and in transit, segregated processing environments by client insurer, and incident response coordination protocols with the principal insurer.
  3. Surveyor and loss assessor firms present a particularly complex scope question. Most are small partnerships or proprietorships without dedicated technology functions, yet they handle highly sensitive claims documentation including financial records, medical reports, and confidential business information of commercial policyholders. A proportionate baseline is likely to focus on endpoint hygiene, secure document handling, multi-factor authentication on cloud accounts holding insurer data, and prohibition of personal device use for insurer work without endpoint controls.

Brokers should advise their downstream service providers, including outsourced compliance support and outsourced IT, to begin self-assessment against the anticipated baselines now. The cost of remediation rises sharply when undertaken under regulatory pressure with shortened timelines.

Third-Party Risk Management as a Named Regulatory Obligation

The 2023 Guidelines included third-party risk language but did not establish it as a separately structured obligation with named outputs. The anticipated v2 framework is expected to formalise third-party risk management as a distinct programme that every regulated entity must maintain. The model the regulator is likely to draw on combines elements of the RBI Guidelines on Managing Risks and Code of Conduct in Outsourcing of Financial Services by Banks with the DPDPA obligations on data processors and the operational resilience principles in IRDAI's 2024 thematic communication on intermediary resilience.

The core obligation is expected to require regulated entities to maintain a register of all third parties that access regulated entity data, process regulated entity transactions, or provide critical services. For each third party, the register should record the nature of the engagement, the data categories accessed, the criticality classification, the contractual security obligations, the residual risk assessment, and the date and outcome of the last assurance activity (audit, certification review, or attestation). For larger insurers, this register can easily run into hundreds of entries; for mid-sized intermediaries, into dozens.

Assurance activities are likely to be calibrated to criticality. For critical third parties such as core policy administration providers, cloud infrastructure providers hosting regulated systems, and major TPAs, the expectation is annual independent audit or recognised certification (ISO/IEC 27001 with appropriate scope, SOC 2 Type II, or equivalent) supplemented by entity-specific assurance such as right-to-audit clauses and periodic control testing. For non-critical third parties, attestation-based assurance with periodic spot checks is likely to be acceptable.

Four areas of third-party control are likely to receive specific attention:

  1. Identity and access management for third-party users accessing regulated entity systems, including federated authentication, just-in-time access provisioning, and quarterly access review with named accountable signoff.
  2. Data segregation and minimisation, ensuring that third parties access only the data needed for the contracted purpose and that data is logically segregated from other clients' data within multi-tenant systems.
  3. Sub-contracting controls, requiring transparent disclosure of any further sub-contracting by the third party, with the same security obligations flowing down through the chain.
  4. Exit and portability planning, ensuring that the regulated entity can transition away from a third party within a defined timeline without loss of data, continuity, or supervisory traceability.

Indian insurers and large brokers should begin tooling their third-party registers in 2026, even if the final v2 framework alters the specific control set. Compliance and procurement teams should also align contracting templates so that new and renewed third-party agreements already include the security obligations that the v2 framework is likely to require, avoiding a wave of contract renegotiation under deadline pressure once notified.

Board Attestation, Senior Management Accountability, and Disclosure

The 2023 Guidelines required board approval of the information security policy and the appointment of a Chief Information Security Officer or equivalent. The anticipated v2 framework is expected to elevate accountability with a structured board attestation regime that aligns Indian practice more closely with international supervisory patterns and with the SEBI LODR disclosure obligations for listed insurers.

  1. Annual board attestation. The board will likely be required to certify, on an annual basis, that the regulated entity has maintained an information security programme proportionate to its risk profile, that material cyber risks have been identified and assessed, that controls operate effectively, and that incidents and near-misses have been reported through internal escalation procedures. The attestation language is expected to draw from the SOC 2 management assertion pattern, adapted to Indian disclosure norms.
  2. Named accountable senior executive. The Chief Information Security Officer role under the 2023 Guidelines is expected to be reinforced with a clearer specification of seniority, reporting line, and tenure expectations. The regulator's working group communications have flagged concerns that in some entities the CISO role is held by mid-management staff without independent escalation authority. The v2 framework is likely to require the CISO to report on a defined cadence to the board risk committee, with the right of direct access to the chair of the board in case of unresolved escalation.
  3. Cyber risk in the board risk register. The board risk register is likely to be required to include a specific cyber risk line item, with quantitative and qualitative risk indicators tracked at defined intervals. The indicators that have featured in IRDAI thematic reviews include the count and severity classification of cyber incidents, the percentage of staff completing periodic security training, the percentage of third parties with current assurance review, the count of overdue identified vulnerabilities by severity, and the operational status of key controls such as multi-factor authentication coverage.
  4. Disclosure to policyholders and the market. The interaction with the DPDPA breach notification regime and with SEBI LODR for listed insurers means that material cyber incidents will trigger multiple disclosure obligations that need to be coordinated. The v2 framework is expected to require regulated entities to maintain disclosure protocols that define who decides whether an incident is materially disclosable, by what timeline, through which channels, and with what coordination across the Data Protection Board, the stock exchange (for listed entities), the IRDAI, and the affected policyholders.

Risk committees of insurers and intermediaries should begin to walk through tabletop exercises simulating the disclosure flow under realistic incident scenarios. Several incidents during 2024-2025 demonstrated that the coordination between security operations, legal, communications, and the disclosure officers under different regulatory regimes is the weakest link, with the technical containment often outpacing the disclosure process and exposing the entity to inconsistent communications across regulators and the public.

Incident Reporting, Breach Notification, and the Interaction with DPDPA

The 2023 Guidelines established an incident reporting obligation to IRDAI, but the timelines and thresholds were generally broad and the interaction with other regulatory regimes was not directly addressed. With the DPDPA breach notification regime now operative and the CERT-In Directions of 28 April 2022 continuing to require reporting of specified incidents within 6 hours, the v2 framework needs to reconcile multiple parallel obligations into a coherent operational protocol.

The anticipated direction is a tiered reporting structure within IRDAI that aligns with the severity of the incident.

  1. Significant incidents, defined by indicators such as material impact on operations, exposure of policyholder personal data, exfiltration of underwriting or claims data, ransomware involvement, or supervisory interest, should be reported to IRDAI within a short window (likely 6 to 24 hours of detection), aligned with CERT-In timelines where applicable.
  2. Material but contained incidents, such as successful phishing leading to limited credential compromise without further lateral movement, should be reported within a longer window (likely 72 hours) with a fuller forensic summary.
  3. Aggregated reporting of low-severity events should occur through periodic returns at the supervisory cadence already established for other operational risk reporting.

The practical challenge is that an incident often does not arrive with its severity label attached. Initial detection may suggest a contained event that subsequent investigation reveals to be significant. Reporting protocols therefore need to handle escalation gracefully: the regulated entity should be able to file an initial report at the highest plausible severity, then update or de-escalate based on developing forensic information, without facing supervisory penalty for the initial conservative call. The v2 framework is likely to include explicit provisions on this graceful escalation pattern, drawing from the experience of the RBI with banking sector incident reporting where similar issues arose.

The interaction with the DPDPA breach notification regime requires careful operational alignment. The Data Protection Board notification under the DPDPA is triggered by a personal data breach, which is a defined concept under that statute. Not every cyber incident is a personal data breach (for instance, a denial-of-service incident without data exposure may not be), and not every personal data breach is a cyber incident (for instance, accidental disclosure through a misdirected email may not involve a cyber security failure). The v2 framework should clarify how the two reporting tracks interact, but in the interim, regulated entities should design their incident response procedures to assess both regimes in parallel and to file appropriate notifications under each.

Brokers should advise commercial clients holding cyber insurance policies that the broader regulatory reporting obligations under the anticipated v2 framework will interact with their cyber policy notification clauses. Several commercial cyber policies in the Indian market require notification to the insurer within strict timelines, and a notification process that aligns with IRDAI and DPDPA reporting should be built into the client's incident response playbook to avoid double-handling under pressure.

Operational Resilience, Testing, and Continuity Expectations

Cyber security is increasingly understood by supervisors as one component of broader operational resilience, alongside business continuity, technology resilience, and outsourcing risk. The anticipated v2 framework is expected to deepen the operational resilience dimension of the 2023 Guidelines, drawing from IRDAI's 2024-2025 communications on intermediary resilience and from the broader operational resilience principles in IFSCA and RBI publications.

Four resilience expectations are likely to be reinforced.

  1. Identification of critical business services and tolerable outage windows. Regulated entities should identify the business services whose disruption would materially affect policyholders, market integrity, or the entity's safety and soundness, and should define the tolerable outage window for each. For an insurer, this typically includes policy issuance, claims processing, premium collection, regulatory reporting, and customer servicing. For a broker, it includes policy placement workflows, claims advocacy support, and renewal handling.
  2. Scenario-based testing, including realistic cyber scenarios such as ransomware on the policy administration system, prolonged outage of a critical third party, data integrity compromise requiring restore from backup, and combined cyber and physical incidents affecting both primary and recovery sites. The 2023 Guidelines mention disaster recovery testing, but the v2 framework is likely to require more challenging scenario tests with named senior executive participation rather than pure technical drill exercises.
  3. Recovery time and recovery point objectives for each critical service, with documented evidence that the technical and operational recovery capability achieves the stated objectives. Many Indian insurers have RTO and RPO numbers in technical documentation, but the v2 framework is likely to require board-level signoff that these objectives are appropriate to the criticality of the service and that recovery capability has been demonstrated through realistic testing.
  4. Backup integrity and immutability, addressing the increasingly common pattern in ransomware incidents where backup systems are also encrypted or corrupted, leaving the regulated entity without a clean recovery point. Immutable backups, air-gapped recovery copies, and tested recovery procedures are now baseline expectations and are likely to be explicitly named in the v2 framework.

For mid-sized insurers and intermediaries that have historically treated backup and recovery as a technology operations matter without board engagement, the v2 framework will require a re-positioning of these capabilities as enterprise risk matters with named senior executive accountability. Risk committees should ensure that the resilience programme covers the same scope as the cyber security programme, with shared governance and integrated testing rather than two separate workstreams running on parallel tracks.

The budget implications are not trivial. Mid-sized insurers preparing for the anticipated v2 framework should plan for incremental annual spend in the order of INR 5 crore to INR 25 crore depending on starting maturity, covering technology investments in identity, monitoring, backup immutability, and third-party assurance tooling, professional services for assurance and testing, and ongoing operational headcount in the security function. Brokers should plan for proportionate spend scaled to their size, but should not assume that the v2 framework will permit the same minimal investment that the 2023 contractual flow-down arrangements allowed.

Readiness Actions for Insurers, Brokers, and Risk Committees

The window between now and the anticipated notification of the v2 framework is best used for substantive readiness work rather than for waiting on the final wording. Several actions produce value regardless of the exact framework text, and readiness teams should sequence them in priority order over the next 12 to 18 months.

  1. Gap assessment against the anticipated framework. Engage independent assurance to map the current information security and operational resilience programme against the expected v2 expectations, using the 2023 Guidelines plus the anticipated extensions as the reference. The output should be a prioritised remediation plan with owners, timelines, and budget estimates, taken to the board risk committee for endorsement.
  2. Third-party register and assurance refresh. Build or refresh the third-party register with the categories the v2 framework is expected to require. Initiate or refresh assurance activities for critical third parties, prioritising the ones whose contracts are due for renewal in the next 12 months so that contract clauses can be tightened at renewal rather than through mid-term amendment.
  3. Board attestation rehearsal. The board attestation regime, if introduced, will be a new discipline for many Indian insurers and intermediaries. Risk committees should rehearse the attestation process using the current state, identifying the evidence the CISO and CRO will produce, the testing they will rely on, the assurance the internal audit function will provide, and the questions the board will need answers to.
  4. Incident response and disclosure playbook update. Refresh incident response playbooks to handle the multi-regulator notification environment that combines IRDAI, the Data Protection Board, CERT-In, the stock exchange (for listed entities), and policyholder notifications. Run tabletop exercises with senior executives, legal, communications, and the CISO, focusing on the coordination of disclosure timing and content.
  5. Operational resilience uplift. Identify critical business services, define tolerable outage windows, and test recovery against realistic scenarios including those scenarios the v2 framework is expected to require. Pay particular attention to backup immutability and tested restore procedures, which have emerged as common gaps in the post-2023 thematic review findings.
  6. Intermediary partner engagement. Insurers should engage with their broker, agent, TPA, and surveyor partners on their own readiness, both to support partners who may be coming into direct scope for the first time and to ensure that contractual flow-downs remain aligned with the new direct obligations. Brokers should engage similarly with their downstream service providers.

Risk committees should ensure that the readiness programme has named senior executive ownership, clear board reporting on progress, and budget approval that reflects the multi-year nature of the effort. Insurers, brokers, and intermediaries that treat the v2 framework as a project to be addressed when notified rather than as a directional shift to be prepared for now will find themselves in the difficult position of building under deadline while running the existing business.

About the Author

Tarun Kumar Singh

Strategic Risk & Compliance Specialist

  • AIII
  • CRICP
  • CIAFP
  • Board Advisor, Finexure Consulting
  • Developer of the Behavioural Underinsurance Risk Index (BURI)

Tarun Kumar Singh is a seasoned risk management and insurance professional based in Bengaluru. He serves as Board Advisor at Finexure Consulting, where he advises insurance, fintech, and regulated firms on governance, growth, and trust. His work spans insurance broker regulatory frameworks across India, UAE, and ASEAN, IRDAI compliance and Corporate Agency model reform, VC governance in insurtech, and MSME insurance gap analysis. He is the developer of the Behavioural Underinsurance Risk Index (BURI), a framework applying behavioural economics to underinsurance and insurance fraud risk.

Frequently Asked Questions

When is the IRDAI cyber security v2 framework likely to be formally notified, and what should we prepare in the interim?
The current expectation, based on IRDAI working group communications and industry consultation drafts circulated in 2025-2026, is that a formal consultation paper will be released in the second half of 2026 with notified guidelines following 6 to 9 months thereafter. The notification window may slip depending on regulatory priorities, but the design directions are sufficiently telegraphed that readiness work should proceed now. Compliance leads should focus on a gap assessment against the anticipated framework, third-party register and assurance refresh, board attestation rehearsal, incident response and multi-regulator disclosure playbook update, and operational resilience uplift. Each of these produces value regardless of the exact final wording, and waiting for notification before starting risks compressing the implementation window into a period that is operationally and budgetarily uncomfortable.
Will brokers and corporate agents really be brought into direct IRDAI cyber security scope, or will contractual flow-down continue to be the primary mechanism?
The supervisory direction strongly favours direct scope rather than continued reliance on contractual flow-down. The reason is that the breach pattern of 2023-2025 demonstrated that contractual chains are insufficient to ensure consistent control quality across the intermediary ecosystem. Several reported incidents at Indian insurance intermediaries involved compromises that the insurer's contractual flow-down had not prevented because the intermediary lacked the maturity to operate the contracted controls. Direct supervisory reach addresses this. However, the obligations on brokers and agents are expected to be proportionate to size and risk profile, not a copy-paste of insurer obligations. A small broker should not face the same control burden as a large brokerage. Brokers should begin self-assessment against an anticipated proportionate baseline now, focusing on board-approved information security policy, designated senior officer accountability, periodic independent testing, multi-factor authentication on all systems holding client data, and incident response procedures aligned with the regulatory reporting framework.
How should we coordinate cyber incident reporting across IRDAI, the Data Protection Board, CERT-In, and SEBI LODR when an incident occurs?
The coordination challenge is real and is often the weakest part of incident response. The anticipated v2 framework is expected to clarify the IRDAI reporting tiers but will not eliminate the need to assess obligations under each parallel regime. A practical operational protocol works as follows. First, on incident detection, the security operations function notifies the CISO and the named accountable senior executive, who convene the incident response team including legal, compliance, communications, and the data protection officer. Second, the team assesses each reporting regime in parallel: is this a CERT-In reportable incident requiring 6-hour notification? Is this a personal data breach under the DPDPA requiring Data Protection Board notification? Is this a material event under SEBI LODR requiring stock exchange disclosure by a listed insurer? Is this an IRDAI reportable incident at any tier? Third, the team files initial notifications at the highest plausible severity for each applicable regime, then updates them as forensic information develops. Fourth, communications to policyholders and the public are coordinated through a single named spokesperson to maintain consistency. Regular tabletop exercises are the only realistic way to ensure this protocol works under pressure.
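The parallel multi-regime assessment in this answer, and the tiered IRDAI reporting with graceful escalation described in the article body, as an added example that is not part of the original article: a small Python tracker that measures every deadline from detection, records initial filings and later escalations or de-escalations, and flags the failure mode where a deferred initial filing is reclassified only after its window has closed. The indicator names, the use of the 6-hour end of the anticipated "6 to 24 hours" window for the significant tier, the treatment of uncontained spread as significant, and all sample timings are this example's assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

SIGNIFICANT_INDICATORS = {  # the article's "significant" indicators; names are this example's own
    "operational_impact", "policyholder_data_exposed",
    "underwriting_or_claims_exfiltrated", "ransomware", "supervisory_interest"}
RANK = {"low": 0, "material": 1, "significant": 2}
# Windows run from detection. CERT-In 6h is from the 28 April 2022 Directions; the IRDAI
# values are the article's anticipated tiers (assumption: the 6h end of "6 to 24 hours").
WINDOWS = {"cert_in": timedelta(hours=6), "irdai_significant": timedelta(hours=6),
           "irdai_material": timedelta(hours=72)}


@dataclass
class Incident:
    detected_at: datetime
    indicators: set             # grows as forensics develop
    contained: bool             # no lateral movement beyond the initial foothold
    personal_data_breach: bool  # DPDPA concept; independent of the cyber classification
    cert_in_reportable: bool    # caller's check against the CERT-In incident list
    listed_entity: bool = False
    market_material: bool = False  # SEBI LODR materiality, decided by the caller


def irdai_tier(inc: Incident) -> str:
    """Anticipated IRDAI tier (assumption: uncontained spread counts as significant)."""
    if inc.indicators & SIGNIFICANT_INDICATORS or not inc.contained:
        return "significant"
    return "material" if inc.indicators else "low"


def obligations(inc: Incident) -> dict:
    """Assess every regime in parallel. Value is the deadline, or None where the
    article states no fixed window (DPDPA, SEBI LODR, IRDAI aggregated returns)."""
    tier = irdai_tier(inc)
    due = {}
    if inc.cert_in_reportable:
        due["cert_in"] = inc.detected_at + WINDOWS["cert_in"]
    if inc.personal_data_breach:
        due["dpdpa_board"] = None
    if inc.listed_entity and inc.market_material:
        due["sebi_lodr"] = None
    due["irdai"] = inc.detected_at + WINDOWS["irdai_" + tier] if tier != "low" else None
    return due


@dataclass
class NotificationTracker:
    """Filing history per regime, so reclassification yields an update and a late initial report is flagged lapsed."""
    filed: dict = field(default_factory=dict)  # regime -> tier as last reported

    def reassess(self, inc: Incident, now: datetime) -> list:
        """Return (regime, action, tier, deadline_lapsed) tuples for this point in time."""
        tier = irdai_tier(inc)
        actions = []
        for regime, deadline in obligations(inc).items():
            prior = self.filed.get(regime)
            if prior is None:
                lapsed = deadline is not None and now > deadline
                actions.append((regime, "file_initial", tier, lapsed))
            elif RANK[tier] > RANK[prior]:
                actions.append((regime, "escalate", tier, False))
            elif RANK[tier] < RANK[prior]:
                actions.append((regime, "de_escalate", tier, False))
        return actions


def conservative_path():
    """Recommended pattern: file at the highest plausible severity, then de-escalate."""
    t0 = datetime(2026, 3, 2, 9, 0)  # constructed detection time
    inc = Incident(t0, {"credential_compromise"}, contained=False,
                   personal_data_breach=False, cert_in_reportable=False)
    tracker = NotificationTracker()
    first = tracker.reassess(inc, t0 + timedelta(hours=1))
    for regime, _, tier, _ in first:
        tracker.filed[regime] = tier  # the entity files the initial report
    inc.contained = True  # forensics at +30h: no lateral movement after all
    return first, tracker.reassess(inc, t0 + timedelta(hours=30))


def deferred_path():
    """Failure mode: a 'contained' event left unfiled in its 72h window turns out to be ransomware at +10h."""
    t0 = datetime(2026, 3, 2, 9, 0)  # constructed detection time
    inc = Incident(t0, {"credential_compromise"}, contained=True,
                   personal_data_breach=False, cert_in_reportable=False)
    tracker = NotificationTracker()
    first = tracker.reassess(inc, t0 + timedelta(hours=1))  # nothing is filed yet
    inc.indicators.add("ransomware")
    inc.cert_in_reportable = inc.personal_data_breach = True
    return first, tracker.reassess(inc, t0 + timedelta(hours=10))
```

In the deferred path both 6-hour windows have already closed by the time the reclassification happens, which is exactly why the article recommends the conservative initial call.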
What is a sensible budget for cyber security and operational resilience uplift in preparation for the v2 framework?
Mid-sized insurers should plan for incremental annual spend in the order of INR 5 crore to INR 25 crore over a two to three year readiness period, depending on starting maturity. The spend typically distributes across technology investments in identity and access management, security monitoring and detection, backup immutability and recovery tooling, and third-party assurance tooling, professional services for gap assessment, independent testing and certification activities, and ongoing operational headcount in the security and assurance functions. Large brokerages should plan proportionately, with annual spend in the order of INR 1 crore to INR 5 crore depending on size and current maturity. Smaller intermediaries face a different calibration problem because the proportionality of the v2 framework is intended to keep baseline costs manageable, but even at the smaller end an investment of INR 25 lakh to INR 1 crore over the readiness period is realistic for activities such as multi-factor authentication rollout, basic monitoring, staff awareness training, and contractual updates. Risk committees should treat these as multi-year capital and operating expense items in the budget cycle rather than as one-off project costs.
