Incident Reporting: From 24 Hours Down to 6
The most consequential change in IRDAI's March 2025 cybersecurity revision is the compression of the incident reporting window from 24 hours to 6 hours, aligning the insurance sector with CERT-In's existing mandate. For insurers that had built their incident response workflows around the previous 24-hour window, this is not a minor adjustment — it fundamentally changes who needs to be on call, what must be pre-templated, and how quickly internal escalation must happen.
The 6-hour clock starts from the moment of detection, not from the moment of confirmation. This distinction matters enormously in practice: an anomalous alert flagged by a SIEM at 11:00 PM starts the clock even if the SOC team has not yet confirmed whether it is a true positive. Insurers must now treat every credible alert as a potential reportable event and begin the notification process in parallel with investigation, rather than sequentially. It also means the detection timestamp, not the triage or confirmation timestamp, is the one to record in the incident ticket, because it is the one the reporting window will be measured against.
Board Attestation: Personal Accountability at the Top
IRDAI now requires board-level attestation of cybersecurity compliance, and critically, this attestation must be submitted directly to IRDAI. This is not a checkbox exercise — the board must attest that the organisation's cybersecurity framework, incident response capabilities, and audit findings have been reviewed and are adequate. The attestation creates personal accountability: board members can no longer claim ignorance of cybersecurity posture.
In practice, this means the CISO's board presentation is no longer an internal formality. Every assertion in that presentation — "we are compliant with VAPT requirements," "our incident response is within the 6-hour window," "all critical findings have been remediated" — becomes a statement that the board must attest to IRDAI. Inaccuracies in the attestation carry regulatory consequences not just for the organisation, but for the board itself.
Annual VAPT: CERT-In Empanelled Firms and Severity Deadlines
The revised guidelines mandate that annual Vulnerability Assessment and Penetration Testing (VAPT) must be conducted exclusively by CERT-In empanelled audit firms. This is a significant constraint — internal security teams or non-empanelled vendors cannot satisfy this requirement, regardless of their technical capability. The empanelment requirement ensures a baseline of assessor credibility and standardisation in reporting format.
More importantly, IRDAI has introduced severity-based remediation deadlines that are now enforceable: CRITICAL findings must be fixed within 7 days, HIGH within 30 days, and MEDIUM within 90 days. These are not suggestions — they are deadlines against which the IS Audit and board attestation will be measured. Organisations that have historically allowed VAPT findings to linger in a remediation backlog will find themselves non-compliant.
| Severity | Remediation Deadline | Enforcement |
|---|---|---|
| CRITICAL | 7 days | Board attestation + IS Audit verification |
| HIGH | 30 days | Board attestation + IS Audit verification |
| MEDIUM | 90 days | IS Audit verification |
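The table above is the kind of thing a GRC team ends up encoding in a script so that the remediation status of every VAPT finding can be checked before the board attests to it. The following is an added illustration, not code from the page, from IRDAI or from RiskSage. It assumes, because the page does not say, that each finding's clock starts on the date the VAPT report is delivered, that severity labels are exactly CRITICAL, HIGH and MEDIUM, and that findings below MEDIUM carry no mandated deadline. The sample findings, their dates and identifiers are constructed for the example.

```python
"""Remediation-SLA tracker for VAPT findings (added illustration).

Assumptions not stated on the page: the clock for a finding starts on the
date the VAPT report is delivered; severities are CRITICAL/HIGH/MEDIUM;
anything else (LOW, INFO) has no mandated deadline.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

# Deadlines from the revised guidelines, in days from the report date.
REMEDIATION_SLA_DAYS = {"CRITICAL": 7, "HIGH": 30, "MEDIUM": 90}


@dataclass(frozen=True)
class Finding:
    finding_id: str
    severity: str
    reported_on: date                # date the VAPT report was delivered (assumed clock start)
    closed_on: date | None = None    # None means the finding is still open


@dataclass(frozen=True)
class Assessment:
    finding_id: str
    severity: str
    deadline: date | None    # None when no mandated deadline applies
    status: str              # on_time | late_closed | overdue | open_in_sla | no_sla
    days_over: int           # days past the deadline; 0 when within it


def assess_finding(f: Finding, as_of: date) -> Assessment:
    """Classify one finding against its severity deadline as of a given date."""
    sla = REMEDIATION_SLA_DAYS.get(f.severity.upper())
    if sla is None:
        return Assessment(f.finding_id, f.severity, None, "no_sla", 0)
    deadline = f.reported_on + timedelta(days=sla)
    if f.closed_on is not None:
        # Closed findings are judged on when they were closed, not on as_of.
        over = (f.closed_on - deadline).days
        return Assessment(f.finding_id, f.severity, deadline,
                          "late_closed" if over > 0 else "on_time", max(over, 0))
    over = (as_of - deadline).days
    return Assessment(f.finding_id, f.severity, deadline,
                      "overdue" if over > 0 else "open_in_sla", max(over, 0))


def attestation_summary(findings: list[Finding], as_of: date) -> dict:
    """The counts a board needs before attesting that findings were remediated.

    'attestation_clean' is False if anything is still open past its deadline
    or was closed late, since either would surface in the IS Audit report.
    """
    results = [assess_finding(f, as_of) for f in findings]
    overdue = [r for r in results if r.status == "overdue"]
    late = [r for r in results if r.status == "late_closed"]
    return {
        "as_of": as_of.isoformat(),
        "overdue_ids": sorted(r.finding_id for r in overdue),
        "late_closed_ids": sorted(r.finding_id for r in late),
        "critical_open_overdue": sum(1 for r in overdue if r.severity.upper() == "CRITICAL"),
        "attestation_clean": not overdue and not late,
    }


# Constructed sample: one VAPT report delivered on 10 April 2025.
REPORT_DATE = date(2025, 4, 10)
SAMPLE_FINDINGS = [
    Finding("F-001", "CRITICAL", REPORT_DATE, closed_on=date(2025, 4, 15)),  # inside 7 days
    Finding("F-002", "CRITICAL", REPORT_DATE, closed_on=date(2025, 4, 20)),  # 3 days late
    Finding("F-003", "HIGH", REPORT_DATE),                                   # open, due 10 May
    Finding("F-004", "MEDIUM", REPORT_DATE),                                 # open, due 9 July
    Finding("F-005", "LOW", REPORT_DATE),                                    # no mandated deadline
]

if __name__ == "__main__":
    for a in (assess_finding(f, date(2025, 5, 20)) for f in SAMPLE_FINDINGS):
        print(a)
    print(attestation_summary(SAMPLE_FINDINGS, date(2025, 5, 20)))
```

Run as of 20 May 2025, the sample yields one overdue HIGH finding and one CRITICAL finding that was closed three days late, so the summary reports the attestation as not clean even though every CRITICAL item is now closed; that is exactly the discrepancy an IS Audit would document and that a board statement of "all critical findings remediated" would have to account for.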
Expanded Scope: Beyond Life and General Insurers
Perhaps the most overlooked change in the March 2025 revision is the expansion of scope. The cybersecurity requirements no longer apply only to life and general insurance companies. The revised guidelines now explicitly cover Third Party Administrators (TPAs), insurance brokers, web aggregators, Insurance Self-Network Platforms (ISNPs), and Insurance Marketing Firms (IMFs). Each of these entity types must now comply with the same incident reporting, VAPT, and board attestation requirements.
For the insurance ecosystem, this changes the compliance conversation entirely. A TPA that processes health insurance claims now has the same 6-hour incident reporting obligation as the insurer itself. A web aggregator comparing insurance quotes must conduct annual VAPT through a CERT-In empanelled firm. Brokers must submit board attestation to IRDAI. The compliance burden has shifted from being concentrated at the insurer level to being distributed across the entire insurance value chain.
IS Audit Report: The 90-Day and 30-Day Deadlines
The IS Audit report must now reach IRDAI within 90 days of the financial year end or 30 days of audit completion, whichever is earlier. This dual deadline creates a hard constraint on audit planning: organisations cannot simply delay commissioning their IS Audit and use a late start as justification for a late submission. The 90-day outer boundary means the audit must be planned, executed, and reported within the first quarter of the new financial year.
For organisations that previously treated the IS Audit as a back-of-the-queue compliance exercise completed sometime in Q3 or Q4, this is a material change in planning. The audit firm must be engaged before the financial year ends, the scope must be agreed, and the fieldwork must begin no later than April. Any VAPT findings that remain open at the time of audit become documented non-compliances in the report submitted to IRDAI, which then contradicts a board attestation stating that those findings were remediated.