Abstract
Insurance companies in India are at the crossroads of two fast-moving regulatory trajectories: the sectoral cyber-security obligations issued by the Insurance Regulatory and Development Authority of India (IRDAI), and the national privacy and data-protection regime brought in by the Digital Personal Data Protection Act, 2023 (DPDP Act). This article examines the practical and legal obligations on Indian insurers (and their intermediaries) to comply with IRDAI's recent cyber-security obligations: the 2023 Guidelines, and the stricter incident-reporting and forensic retainership obligations coming in 2025. It also looks at the overlaps and divergences between these obligations and those under the DPDP Act, specifically in terms of incident reporting, lawful processing, accountability and contractual obligations. Finally, it situates the compliance landscape within constitutional jurisprudence, particularly the right to privacy recognised in Justice K.S. Puttaswamy (Retd.) v. Union of India, (2017) 10 SCC 1, and identifies enforcement and litigation risks for insurers.
Keywords
IRDAI; Information & Cyber Security Guidelines; DPDP Act 2023; data protection; cyber incidents; insurer obligations; privacy jurisprudence.
Introduction
Indian insurers handle substantial volumes of sensitive personal data, comprising medical records, biometric identifiers, financial information and communications metadata. While this data is imperative to insurer operations for underwriting, claims management, fraud detection and digital distribution, it also presents heightened cyber-security and privacy risk.
To address these risks, two sprawling regulatory frameworks apply together. First, the Insurance Regulatory and Development Authority of India has published its Information & Cyber Security Guidelines, 2023, which outline cyber governance, risk management and incident response standards for the insurance sector. Second, the Digital Personal Data Protection Act, 2023 has established a statutory minimum level of personal data protection across all sectors, prescribing lawful processing, security safeguards, accountability and recognition of data principals. Consequently, the compliance regime for insurers is not siloed; it is fully interdependent, and a failure in one arena may expose a failing in the other.
IRDAI’s Cybersecurity Framework
The IRDAI Guidelines issued in 2023 marked a significant moment for the insurance industry, mandating that every regulated entity, including insurers, reinsurers, intermediaries and third-party administrators, formulate a board-approved Information and Cyber Security Policy and appoint a Chief Information Security Officer. They were further required to create an Information Security Risk Management Committee. All of these requirements firmly placed the responsibility at the highest levels of governance. Insurers were also required to undertake regular technology risk assessments, along with somewhat primitive vulnerability assessments and penetration tests (VAPT), creating a dynamic of continual improvement and accountability.
By 2025, IRDAI took another leap. New circulars required insurers to keep their ICT system logs for a minimum of 180 days in a secure and tamper-proof environment, with time synchronisation across all critical systems. The biggest change tightened the incident-reporting time-frame: insurers now have to report to both IRDAI and CERT-In within six hours of becoming aware of, or being notified of, a reportable cyber incident.
This revised time-frame is consistent with CERT-In's directions of April 2022 but raises the bar for the insurance sector's preparedness. In addition, forensic readiness is now mandatory: insurers are required to have independent cyber-forensic firms empanelled beforehand and to maintain documented chain-of-custody protocols. These steps map out a distinct regulatory ethos: operational resilience is no longer a choice. Insurers can no longer demonstrate compliance with sophisticated policy documents alone; they need to show tested playbooks, timely reporting and forensic readiness. Failing to do so can attract IRDAI supervisory action, reputational damage and civil liability to policyholders harmed by an incident.
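To make the 2025 obligations concrete from an operator's side, the following added example (not from the article or from IRDAI) shows a six-hour reporting deadline calculator, a 180-day retention gate that also honours a litigation hold, and a hash-chained chain-of-custody ledger in which any edited, removed or reordered entry fails verification. The constants, the `CustodyLedger` class and the sample timestamps are assumptions constructed for illustration.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

# Assumed figures as summarised in the article: report within six hours of
# awareness; retain ICT logs for at least 180 days.
REPORTING_WINDOW = timedelta(hours=6)
MIN_LOG_RETENTION = timedelta(days=180)


def reporting_deadline(aware_at: datetime) -> datetime:
    """Latest time to notify IRDAI and CERT-In, measured from awareness (UTC)."""
    return aware_at.astimezone(timezone.utc) + REPORTING_WINDOW


def may_purge(log_ts: datetime, now: datetime, legal_hold: bool = False) -> bool:
    """A log record may be purged only once it is older than 180 days and not
    subject to a litigation/preservation hold."""
    return (not legal_hold) and (now - log_ts) > MIN_LOG_RETENTION


class CustodyLedger:
    """Append-only chain-of-custody record. Each entry commits to the previous
    entry's SHA-256, so tampering anywhere breaks verify()."""

    FIELDS = ("ts", "actor", "action", "artefact_sha256", "prev")
    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(body: dict) -> str:
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def add(self, ts: str, actor: str, action: str, artefact_sha256: str) -> str:
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        body = dict(zip(self.FIELDS, (ts, actor, action, artefact_sha256, prev)))
        body["hash"] = self._digest(body)
        self.entries.append(body)
        return body["hash"]

    def verify(self) -> bool:
        prev = self.GENESIS
        for e in self.entries:
            body = {k: e[k] for k in self.FIELDS}
            if e["prev"] != prev or self._digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True
```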
The DPDP Act and its Impact on Insurers
The Digital Personal Data Protection Act, 2023 creates the legislative framework for the processing of personal data in India. The Act applies to all "data fiduciaries", its central framing term, and this clearly includes insurers, since they determine the purposes and means of processing sensitive policyholder data. The obligations it creates extend beyond technical security. Insurers must process personal data lawfully on the basis of consent or another recognised ground; they must observe purpose limitation and data minimisation; and they must institute "reasonable security safeguards" proportionate to the risk of harm. Insurers must also have mechanisms in place to support the rights of data principals, including access, correction and erasure where applicable.
The Act also touches on outsourcing and cross-border data transfers. Many insurers rely on cloud service providers and third-party administrators. Under the DPDP Act, outsourcing must be governed by contractual provisions that ensure compliance with the Act, especially the obligations to maintain data security and to give timely breach notification. IRDAI's own outsourcing guidelines and its evolving cyber-security framework run in parallel here, indicating that insurers must incorporate these compliance responsibilities into existing vendor contracts.
The Duties of Compliance and the Legal Context
India's constitutional law sharpens the burden of compliance. In Justice K.S. Puttaswamy (Retd.) v. Union of India, (2017) 10 SCC 1, a nine-judge Supreme Court bench held that privacy is constitutionally guaranteed under Article 21. This judgment establishes the context for the DPDP Act and IRDAI's sectoral mandates, and supplies the lens through which the laws and regulations governing insurers are read as protecting rights. So, if an insurer fails to protect data, or fails to act in the event of a breach, the insurer has arguably violated the constitutional protection, even if it is otherwise complying with its regulatory obligations.
In addition, Shreya Singhal v. Union of India, (2015) 5 SCC 1 is a relevant and significant case. There, the Supreme Court struck down Section 66A of the IT Act, but also engaged with the due-process limits of intermediary liability. While the case dealt with speech and takedown orders, the Court's reasoning on regulatory duties and due-process scrutiny is relevant to obligations to policyholders when insurers act as intermediaries for hospitals and reinsurers.
Conclusion
Insurance companies in India are now operating within two sets of compliance standards. On one side, IRDAI has made clear that businesses need more than cyber-security policies on paper: they must show operational resilience, proper incident-reporting practices and forensic readiness. On the other side, the DPDP Act establishes legal obligations to process personal data in compliance with statutory requirements (including security measures) and to respect data principals' rights. Together these frameworks require insurers to embed cyber-security and privacy governance into operations.
Oversight must be established at board level, with appropriate officers and committees, to meet both IRDAI and DPDP obligations. Insurer incident response plans must combine IRDAI's six-hour reporting requirement and forensic requirements with the notification and rights obligations in the DPDP Act. Technical hygiene, litigation preservation activities and thirty-day log retention must be standard. Vendor and outsourcing contracts must account for, and ensure the flow-down of, both the IRDAI and the DPDP obligations.
With privacy characterised as a fundamental right in the Puttaswamy judgment and due process emphasised as a material regulatory feature in the Shreya Singhal judgment, insurers can expect courts to take a strict view of compliance gaps. The regulator, the judiciary and compliance officers will be clear that protecting the personal data of policyholders is not merely good governance; it is required under the Constitution and under statute.
Written by Anwesha Anant