CERT-In Empanelled — Since 2008, one of the earliest in India

IRDAI Cybersecurity Compliance for Insurance Companies, Brokers & TPAs

India's insurance sector handles millions of sensitive claims records, policyholder data, and financial transactions daily. Security Brigade helps insurers, TPAs, and brokers meet IRDAI cybersecurity mandates through structured, platform-driven audits backed by nearly two decades of BFSI compliance expertise.

6,700+ Assessments
700+ Clients
150+ Team
2006 Founded

Trusted by India's leading enterprises

ICICI Bank
HDFC
PhonePe
Swiggy
Asian Paints
Mahindra
L&T
Aditya Birla
Pernod Ricard
Yes Bank
DHL Express
Etihad Airways
Amazon Pay
Sephora
Groww
Pharmeasy
BillDesk
Jubilant Foods
STEP 01

Assess

We conduct a comprehensive gap assessment against IRDAI cybersecurity requirements, mapping your current security posture to each control area including information security governance, access controls, data protection, network security, and incident response readiness.

STEP 02

Remediate

Based on the gap assessment, we provide a prioritized remediation roadmap with specific, actionable guidance for each control gap. Our team works with your IT and compliance teams to address findings, implement policies, and strengthen technical controls before the formal audit.

STEP 03

Certify

We perform the formal IRDAI cybersecurity audit using our Lemon platform for structured evidence collection and multi-layer quality review. Upon successful completion and remediation validation, we deliver the audit report and compliance certificate required for IRDAI submission.

What Are the IRDAI Cybersecurity Guidelines?

The IRDAI cybersecurity guidelines are a regulatory mandate issued by the Insurance Regulatory and Development Authority of India requiring all insurance companies, third-party administrators, and insurance intermediaries to implement comprehensive cybersecurity controls. These guidelines cover information security governance, data protection, access management, network security, incident response, and periodic security audits to safeguard policyholder data and claims information.

Who Needs to Comply with IRDAI Cybersecurity Guidelines?

The IRDAI cybersecurity mandate applies to every regulated entity in the Indian insurance ecosystem, not just large insurers.

Life Insurance Companies

All life insurers registered with IRDAI must comply with cybersecurity guidelines and conduct periodic audits.

General Insurance Companies

General insurers handling motor, health, property, and liability insurance must implement mandatory cybersecurity controls.

Health Insurance Companies

Standalone health insurers processing sensitive medical claims data face stringent data protection requirements.

Reinsurance Companies

Reinsurers operating in India must demonstrate compliance with IRDAI cybersecurity requirements.

Insurance Brokers

Licensed insurance brokers handling policyholder data and facilitating transactions must meet cybersecurity mandates.

Third-Party Administrators (TPAs)

TPAs processing health insurance claims and managing policyholder medical records must comply with data protection controls.

Insurance Web Aggregators

Digital platforms comparing and selling insurance policies must secure customer data per IRDAI guidelines.

Insurance Repositories

Entities maintaining electronic records of insurance policies must implement comprehensive cybersecurity measures.

Methodology

6 steps. Zero guesswork.

Every engagement follows this process through Lemon, our proprietary audit management platform.

Discovery
01

Scoping and Readiness Assessment

We begin by understanding your organizational structure, IT landscape, existing security controls, and previous audit findings. A detailed scoping document maps every IRDAI requirement to your specific environment, identifying in-scope systems, applications, data flows, and third-party integrations. This phase typically takes 3 to 5 business days.

02

Gap Analysis Against IRDAI Controls

Our team evaluates your current security posture against each IRDAI cybersecurity control area: information security governance, access management, network security, data protection, application security, endpoint security, incident response, business continuity, and vendor risk management. Every gap is documented with severity, business impact, and remediation priority.

Testing
03

Technical Security Assessment

We conduct vulnerability assessments and penetration testing of in-scope applications, networks, and infrastructure as required by IRDAI guidelines. This includes web application testing, API security testing, network VAPT, and configuration reviews. All testing follows our standard methodology with AI-validated coverage and multi-layer review.

04

Policy and Governance Review

We review your information security policies, procedures, and governance documentation against IRDAI requirements. This covers board-level cybersecurity oversight, CISO role and reporting structure, risk management framework, incident response plans, data classification policies, and employee awareness programs.

Delivery
05

Remediation Support and Guidance

Based on findings from the gap analysis and technical assessment, we provide a prioritized remediation roadmap. Our team conducts walkthrough sessions with your IT and development teams to clarify findings and guide implementation. We support policy drafting and process design where gaps exist.

06

Formal Audit, Reporting, and Certification

After remediation, we conduct the formal compliance audit and validate that all gaps have been addressed. Deliverables include the comprehensive IRDAI audit report, executive summary for the board, gap closure evidence, and the compliance certificate for IRDAI submission. Retesting of technical findings is included.

"Security Brigade's structured approach through Lemon gave us complete visibility into the testing process. The three-layer review caught issues that our previous vendor missed entirely. Their reports were the first our developers could actually act on without a follow-up call."
CISO, Leading Indian BFSI Enterprise
Top 5 Private Sector Bank · Engaged since 2019


The Platform

Powered by Lemon

Most firms rely on individual tester skill. We built a platform that makes quality structural — informed by 6,700+ previous assessments.


Structured Evidence Collection

Every IRDAI control requirement is mapped to specific evidence tasks. Auditors upload artifacts directly to Lemon, ensuring complete traceability from requirement to evidence.

Real-Time Client Dashboard

Your compliance team gets live visibility into audit progress, findings as they are identified, and task status across all workstreams.

Automated Methodology Selection

Lemon fingerprints your technology stack and selects the optimal testing methodology based on insights from thousands of previous BFSI assessments.

Compliance-Ready

Audit-ready reporting for every framework

As a CERT-In empanelled firm, our reports are accepted by all major Indian and global regulators.

Information Security Governance
Policy review, board-level governance as
Access Control and Identity Management
Assessment of authentication mechanisms,
Network Security
Network architecture review, firewall co
Application Security
Web application, mobile application, and
Data Protection and Privacy
Assessment of data classification, encry
Endpoint and Device Security
Review of endpoint protection, mobile de
Incident Response and Business Continuity
Assessment of incident response plans, e
Third-Party and Vendor Risk Management
Evaluation of vendor security assessment
Security Awareness and Training
Assessment of employee cybersecurity awa
Continuous Monitoring and Threat Detection
Evaluation of SIEM implementation, log m

Industries

700+ clients across verticals

Every type of application architecture and business logic pattern — tested.

BFSI: ICICI Bank, HDFC, Yes Bank, UTI MF, Edelweiss
Fintech & Payments: PhonePe, Amazon Pay, Groww, BillDesk
Manufacturing: Mahindra, Asian Paints, L&T, Hindalco
Retail & Consumer: Swiggy, Sephora, Pernod Ricard, Jubilant
Aviation & Logistics: Etihad Airways, DHL Express, Shadowfax
Healthcare: CloudNine, Pharmeasy, Wave Health

Deliverables

What you get

Reports for two audiences — executives who need the risk picture, and developers who need to fix the issues. With code-level guidance, not vague advice.

IRDAI Compliance Audit Report

Comprehensive audit report covering all IRDAI cybersecurity control areas with findings, evidence, risk ratings, and compliance status per requirement.

Executive Summary for Board

High-level summary of compliance posture, critical risk areas, and strategic recommendations designed for board of directors presentation.

Gap Analysis Report

Detailed mapping of each IRDAI requirement to your current security posture, clearly identifying compliant, partially compliant, and non-compliant areas.

Prioritized Remediation Roadmap

Actionable remediation plan with prioritization based on risk severity, regulatory impact, and implementation complexity. Includes timelines and responsibility assignments.

Technical VAPT Report

Detailed vulnerability assessment and penetration testing report with step-by-step proof-of-concepts, CVSS ratings, and technology-specific remediation guidance.

Compliance Certificate

Formal security assessment certificate issued upon successful completion and remediation validation, suitable for IRDAI submission and regulatory documentation.

Remediation Validation Report

Post-remediation retesting report confirming that identified gaps and vulnerabilities have been adequately addressed, with evidence of closure.

Real-Time Dashboard Access

Live access to the Lemon dashboard throughout the engagement, showing findings, remediation progress, and task status across all workstreams.

FAQ

Common questions

Can't find what you're looking for? Talk to our team.

Contact us
What are the IRDAI cybersecurity guidelines?

The IRDAI cybersecurity guidelines are a regulatory framework issued by the Insurance Regulatory and Development Authority of India that mandates insurance companies, TPAs, brokers, and intermediaries to implement comprehensive cybersecurity controls. The guidelines cover information security governance, access management, data protection, network security, application security, incident response, and vendor risk management. Compliance requires periodic security audits by qualified auditors.

Who is required to comply with IRDAI cybersecurity guidelines?

All entities regulated by IRDAI must comply, including life insurance companies, general insurance companies, health insurance companies, reinsurers, insurance brokers, third-party administrators, web aggregators, and insurance repositories. This covers over 100 registered insurance companies in India plus hundreds of intermediaries and service providers operating under IRDAI regulation.

Is a CERT-In empanelled auditor mandatory for IRDAI cybersecurity audits?

Yes, IRDAI requires that cybersecurity audits be conducted by CERT-In empanelled auditors. Security Brigade has been CERT-In empanelled since 2008, making us one of the longest-standing empanelled cybersecurity auditing firms in India. This empanelment ensures the auditor meets national standards for cybersecurity assessment capability and methodology.

How long does an IRDAI cybersecurity compliance audit take?

A typical IRDAI compliance audit takes 4 to 8 weeks depending on organizational size, number of in-scope applications and systems, and current compliance maturity. This includes scoping, gap analysis, technical assessments, policy review, remediation support, and final certification. Organizations with previous audit experience and mature security programs may complete the process faster.

What are the penalties for non-compliance with IRDAI cybersecurity guidelines?

Non-compliance can result in monetary penalties imposed by IRDAI, directions for corrective action with mandated timelines, and in severe cases, suspension or revocation of the operating license. Additionally, data breaches resulting from inadequate cybersecurity controls can trigger liability under the DPDP Act, customer litigation, and significant reputational damage in a trust-dependent industry.

How often must IRDAI cybersecurity audits be conducted?

IRDAI requires periodic cybersecurity audits, typically on an annual basis. Insurance companies must also conduct audits when there are significant changes to their IT infrastructure, after major cybersecurity incidents, or when IRDAI issues new or revised cybersecurity directives. Annual audits ensure continuous compliance and help identify emerging risks.

What is the difference between an IRDAI cybersecurity audit and a regular VAPT?

An IRDAI cybersecurity audit is a comprehensive compliance assessment covering governance, policies, technical controls, processes, and incident response mechanisms against specific IRDAI requirements. A VAPT is a technical security testing engagement focused on identifying vulnerabilities in applications and infrastructure. The IRDAI audit includes VAPT as one component but is significantly broader in scope, covering organizational, process, and governance controls.

Does IRDAI compliance also cover data protection under the DPDP Act?

IRDAI cybersecurity guidelines include data protection controls that overlap significantly with the Digital Personal Data Protection Act requirements. However, they are distinct regulatory frameworks. Security Brigade helps insurance organizations address both requirements in an integrated manner, ensuring that IRDAI compliance efforts also contribute to DPDP Act readiness and vice versa.

Can Security Brigade help with remediation, not just the audit?

Yes. Security Brigade provides end-to-end support including gap analysis, remediation guidance, policy drafting assistance, walkthrough sessions with your IT and development teams, and post-remediation validation. Our approach is collaborative, ensuring your organization does not just pass the audit but genuinely strengthens its cybersecurity posture. Multiple rounds of retesting are included in standard engagements.

How does Security Brigade handle multi-entity insurance groups?

Security Brigade has extensive experience working with large BFSI groups. We currently serve multiple entities within the ICICI group, Aditya Birla Group, and other conglomerates. For insurance groups with multiple subsidiaries requiring IRDAI compliance, we offer coordinated audit programs with consistent methodology, centralized project management, and group-level reporting while maintaining separate compliance documentation per entity.

Ready to Achieve IRDAI Cybersecurity Compliance?

Talk to our compliance team about your IRDAI audit requirements. We will scope the engagement, share a timeline, and get you on the path to compliance.

Typically responds within 1 business day · No commitment required

Get a Quote