
IRDA INFORMATION AND

CYBER SECURITY
GUIDELINES AND PENALTIES
2023-2024
www.securze.com

info@securze.com

+91 84510 73938


The Insurance Regulatory and Development Authority of India (IRDAI, commonly
referred to as IRDA) has issued information and cyber security guidelines that
insurance companies and insurance intermediaries in India are required to follow.

AS PER THE GUIDELINES ISSUED:


Importance of Securing Technology: The technology systems and computers that
insurance companies rely on must be kept secure and protected.

Why Security Matters: Weaknesses or vulnerabilities in this technology can lead
to unauthorized access to policyholder information and to the exposure of
sensitive data held across the insurance and financial sectors.

Digital Growth and Cyber Threats: As the insurance industry adopts more digital
technology, its exposure to cyberattacks grows with it. The guidelines are
intended to help insurers defend themselves against these threats.

Vulnerability Assessment and Penetration Testing (VAPT): Insurance companies
must conduct a VAPT at least once a year. A vulnerability assessment identifies
weaknesses in the systems (the equivalent of finding unlocked doors); a
penetration test then attempts to exploit them (simulating a real attack) to
confirm whether the systems are actually protected. In addition, software
applications must be re-tested whenever their configuration or code changes.

Who Should Follow the Guidelines: The guidelines apply to all insurance
companies and to the various intermediaries, including Brokers, Agents,
Insurance Repositories, Corporate Surveyors, Information Bureau, Web
Aggregators and Insurance Self Networking Platforms.

Compliance Timing: An organization that has already conducted a security audit
for the financial year 2022-23 must align with these guidelines from the next
financial year onwards.


PROCEDURE OF CONDUCTING
VAPT DIRECTED BY IRDA

VAPT of the entire ICT infrastructure (all components) must be conducted
annually, in every financial year.

Every VAPT has two test cycles: an initial cycle to identify gaps and check
for known vulnerabilities, and a retest after the identified vulnerabilities
have been closed, to confirm that the fixes are effective.

VAPT of critical applications must be conducted annually, in every financial
year. The remaining (non-critical) applications must be tested at least once
in a two-year cycle.

VAPT of all internet-facing applications and infrastructure components must be
conducted at least once every six months.

Whenever any change is made to an internet-facing application or to any
infrastructure component, the need for security testing must be assessed,
irrespective of the magnitude of the change.

Mandatory security testing of all applications and related infrastructure
components, checking for known vulnerabilities, must be conducted once
initially and again whenever major changes are made to internet-facing
applications or their related infrastructure. In addition, every internet-
facing application must be tested for all major and minor changes, either
through an internal or an external vulnerability assessment, and any gap found
must be closed.

The cycle of the above security testing must be aligned with the annual
assurance audit.

Finally, the security certificate issued by your VAPT vendor must be
submitted to IRDA before the end of the financial year.


PENALTIES UNDER THE IT ACT 2000 FOR
FAILURE TO PROTECT DATA

The penalties below are those of the Information Technology Act, 2000 (as
amended), which apply to regulated insurers and intermediaries in addition to
IRDA's own supervisory action. Each entry lists the subject, the penalty and
the section of the Act.

Failure to protect data (Section 43A): Damages by way of compensation to the
person so affected. Compensation claims up to Rs. 5 crore are decided by the
adjudicating officer; claims above Rs. 5 crore go before a civil court.

Tampering with computer source documents (Section 65): Imprisonment up to
3 years, or a fine up to Rs. 2 lakh, or both.

Computer related offences, including hacking (Section 66): Imprisonment up to
3 years, or a fine up to Rs. 5 lakh, or both.

Dishonestly receiving a stolen computer resource or communication device
(Section 66B): Imprisonment up to 3 years, or a fine up to Rs. 1 lakh, or both.

Identity theft (Section 66C): Imprisonment up to 3 years, or a fine up to
Rs. 1 lakh, or both.

Violation of privacy (Section 66E): Imprisonment up to 3 years, or a fine up
to Rs. 2 lakh, or both.

Cyber terrorism (Section 66F): Imprisonment for life.

Failure by an intermediary to preserve and retain information (Section 67C):
Imprisonment up to 3 years and a fine (the amount is not fixed by the
section).

Misrepresenting a material fact to the Controller or a Certifying Authority
(Section 71): Imprisonment up to 2 years, or a fine up to Rs. 1 lakh, or both.

Breach of confidentiality and privacy (Section 72): Imprisonment up to
2 years, or a fine up to Rs. 1 lakh, or both.

Disclosure of information in breach of a lawful contract (Section 72A):
Imprisonment up to 3 years, or a fine up to Rs. 5 lakh, or both.

Publishing a false electronic signature certificate (Section 73):
Imprisonment up to 2 years, or a fine up to Rs. 1 lakh, or both.

Publication for a fraudulent purpose (Section 74): Imprisonment up to
2 years, or a fine up to Rs. 1 lakh, or both.

WHO IS RESPONSIBLE IN CASE OF
A CYBER ATTACK?

Under Section 85 of the IT Act 2000, where a contravention is committed by a
company, every person who, at the time the contravention was committed, was in
charge of, and was responsible to the company for, the conduct of its business
is deemed guilty of the contravention, as is the company itself. In addition,
where it is proved that the contravention took place with the consent or
connivance of, or is attributable to neglect on the part of, any director,
manager, secretary or other officer of the company, that director, manager,
secretary or other officer is also deemed guilty of the contravention.


DO YOU NEED TO CONDUCT A
VAPT?

In the insurance sector, applications face an average of 430,000 attacks.

51 percent of Indian insurance websites have experienced Distributed Denial of
Service (DDoS) attacks.

As insurance companies embrace digital transformation to serve tech-savvy
consumers, the number of applications, and with it the potential attack
surface, has grown.

Attackers often use automated bot attacks to take over financial accounts and
commit credit card fraud, relying on credential cracking and data scraping
techniques.

Beyond the abundance of sensitive data held by insurers (credit card details,
banking information and personal customer data), the rising number of
unpatched vulnerabilities is a key driver of attacks on Indian insurance
firms.

HOW CAN SECURZE HELP?

Our experts have years of experience and have been acknowledged by top MNCs
and organizations worldwide for securing their environments; we can help you
identify and mitigate security vulnerabilities in your applications. Our
security consultants are among the most highly qualified in the industry, so
you can be assured that the Securze VAPT team will deliver the testing and
remediation guidance needed to improve your organization's security posture
and meet the IRDA requirements above. Reach out to us at info@securze.com
today to book your free consultation call.

For business inquiries,
contact us.

www.securze.com

info@securze.com

+91 84510 73938
