IRDAI’s New Rules Won’t Save You.

What the 2026 IRDAI Guidelines on Information and Cyber Security for Regulated Entities get right, what they miss, and the one capability every regulated insurer needs to deploy now.


The Insurance Regulatory and Development Authority of India (IRDAI) has significantly raised the bar with its amended Cybersecurity Guidelines 2023 (Annexure A). For every insurer and insurance intermediary operating in India, these amendments are not optional fine print; they are a direct signal that cybersecurity governance must now match the sophistication of today’s threat landscape.

[!WARNING] The guidelines address supply chain risk almost entirely through contracts and vendor management, leaving a technical gap that no NDA or SLA can close. This is precisely where IntelliXBOM steps in.


What the amended IRDAI guidelines actually demand

The amendments to the 2023 guidelines touch every layer of an insurance organization’s security posture. Key changes include:

| Area | What changed |
| --- | --- |
| Governance | The Information Security Risk Management Committee (ISRMC) must now meet quarterly (up from twice a year); boards must approve cybersecurity budgets proportional to risk appetite and close identified gaps within 12 months. |
| CISO independence | The CISO can no longer report to the Head of IT, must be adequately staffed with technical expertise, and sits as a permanent invitee on the IT Steering Committee. |
| Pen testing | External grey/white-box testing by CERT-In empanelled auditors is now mandatory at least every six months for all internet-facing assets. |
| Control 110 | Organizations must maintain an up-to-date inventory of cryptographic assets to prepare for post-quantum migration. |
| Controls 148–151 | Cloud Service Providers must be MeitY-empanelled, STQC-audited, and bound by NDAs; vendors cannot further outsource without prior written permission. |

The compliance gap nobody is talking about

The IRDAI guidelines treat supply chain risk as a vendor management and contractual compliance problem. Controls 148–151 are entirely governance-oriented: signed NDAs, empanelled CSPs, and contract clauses for data deletion. These are necessary but they are not sufficient.

The guidelines make no mention of Software Bill of Materials (SBOM), software supply chain attacks, dependency vulnerabilities, or runtime threat detection. Yet some of the most devastating cyberattacks of recent years (SolarWinds, a compromised build pipeline; Log4Shell, a vulnerable dependency; XZ Utils, a backdoored upstream component) exploited exactly this layer: compromised or vulnerable software components embedded deep within products your vendors ship to you.

[!CAUTION] An NDA cannot tell you that a library inside your core insurance platform contains a known critical vulnerability. That requires technical visibility, and that is where SBOM-driven security becomes essential.


What is IntelliXBOM and how does it help?

IntelliXBOM is an intelligent SBOM management and software supply chain security platform designed to give security teams deep, continuous visibility into the components that make up every application in their environment. Rather than relying solely on contractual assurances from vendors, IntelliXBOM lets you verify.


Bridging the IRDAI technical gap

Here is how IntelliXBOM maps directly to the controls and expectations in the amended IRDAI guidelines:

Control 110 — Cryptographic asset inventory

The guidelines require an up-to-date inventory of cryptographic assets for post-quantum readiness. IntelliXBOM automatically catalogs every cryptographic library, algorithm, and certificate embedded within your software components, giving you the audit-ready inventory required by Control 110 and a foundation for post-quantum migration planning. Note that the inventory is only useful for migration planning if it records, per asset, the primitive (public-key encryption, signature, key agreement, symmetric cipher, hash) and the parameter set, because the post-quantum question is asked of the algorithm, not of the library that ships it.
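Control 110 asks for an inventory, and the closest machine-readable form of one is a CycloneDX 1.6 cryptographic BOM (CBOM). The Python below is an added example written for this post, not IntelliXBOM's own code: it walks a constructed CBOM, lists every cryptographic asset, and flags the public-key algorithms (and the certificates signed with them) that carry no NIST post-quantum security level. The field names follow the CycloneDX 1.6 `cryptoProperties` schema as assumed here (`assetType`, `algorithmProperties`, `certificateProperties`); the BOM contents, bom-refs and hostname are made up.

```python
"""Cryptographic asset inventory from a CycloneDX 1.6 CBOM.

Added example for this post, not IntelliXBOM code. Assumes the CycloneDX 1.6
``cryptographic-asset`` component type and its ``cryptoProperties`` fields;
the BOM below is constructed for illustration.
"""
import json
from dataclasses import dataclass, field

# Public-key primitives that Shor's algorithm breaks. An algorithm with one of these
# primitives and no claimed NIST PQC security level is a migration candidate.
QUANTUM_VULNERABLE_PRIMITIVES = {"pke", "signature", "key-agree"}


@dataclass
class CryptoAsset:
    bom_ref: str
    name: str
    asset_type: str            # algorithm | certificate | protocol | related-crypto-material
    primitive: str = ""        # algorithms only: pke, signature, key-agree, ae, hash, kem, ...
    parameter_set: str = ""    # e.g. key or block size such as "2048" or "256"
    nist_pq_level: int = 0     # CycloneDX nistQuantumSecurityLevel; 0 means none claimed
    refs: list = field(default_factory=list)  # bom-refs of algorithms this asset relies on


def parse_crypto_assets(bom):
    """Pull every cryptographic-asset component out of a CycloneDX BOM."""
    assets = []
    for comp in bom.get("components", []):
        if comp.get("type") != "cryptographic-asset":
            continue
        props = comp.get("cryptoProperties", {})
        algo = props.get("algorithmProperties", {})
        cert = props.get("certificateProperties", {})
        refs = [cert["signatureAlgorithmRef"]] if "signatureAlgorithmRef" in cert else []
        assets.append(CryptoAsset(
            bom_ref=comp.get("bom-ref", comp["name"]),
            name=comp["name"],
            asset_type=props.get("assetType", "unknown"),
            primitive=algo.get("primitive", ""),
            parameter_set=algo.get("parameterSetIdentifier", ""),
            nist_pq_level=algo.get("nistQuantumSecurityLevel", 0),
            refs=refs,
        ))
    return assets


def needs_pq_migration(asset, by_ref):
    """True for quantum-vulnerable algorithms and for certificates signed with one."""
    if asset.asset_type == "algorithm":
        return asset.primitive in QUANTUM_VULNERABLE_PRIMITIVES and not asset.nist_pq_level
    if asset.asset_type == "certificate":
        return any(needs_pq_migration(by_ref[r], by_ref) for r in asset.refs if r in by_ref)
    return False


def build_inventory(bom):
    """Audit-ready rows plus the bom-refs that need post-quantum migration."""
    assets = parse_crypto_assets(bom)
    by_ref = {a.bom_ref: a for a in assets}
    rows, candidates = [], []
    for a in assets:
        flag = needs_pq_migration(a, by_ref)
        rows.append({"ref": a.bom_ref, "name": a.name, "type": a.asset_type,
                     "primitive": a.primitive or "-", "parameters": a.parameter_set or "-",
                     "pq_migration_needed": flag})
        if flag:
            candidates.append(a.bom_ref)
    return {"assets": rows, "pq_migration_candidates": candidates}


# Constructed CBOM (illustrative, not a real product's): one library, four algorithms
# it exposes, and a TLS certificate for a made-up internal hostname.
CONSTRUCTED_CBOM = json.loads("""
{"bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1, "components": [
 {"type": "library", "bom-ref": "lib:openssl", "name": "openssl", "version": "3.0.13"},
 {"type": "cryptographic-asset", "bom-ref": "alg:rsa-2048", "name": "RSA-2048",
  "cryptoProperties": {"assetType": "algorithm", "algorithmProperties":
   {"primitive": "pke", "parameterSetIdentifier": "2048", "nistQuantumSecurityLevel": 0}}},
 {"type": "cryptographic-asset", "bom-ref": "alg:ecdsa-p256", "name": "ECDSA-P256",
  "cryptoProperties": {"assetType": "algorithm", "algorithmProperties":
   {"primitive": "signature", "curve": "P-256"}}},
 {"type": "cryptographic-asset", "bom-ref": "alg:aes-256-gcm", "name": "AES-256-GCM",
  "cryptoProperties": {"assetType": "algorithm", "algorithmProperties":
   {"primitive": "ae", "parameterSetIdentifier": "256", "mode": "gcm", "nistQuantumSecurityLevel": 5}}},
 {"type": "cryptographic-asset", "bom-ref": "alg:ml-kem-768", "name": "ML-KEM-768",
  "cryptoProperties": {"assetType": "algorithm", "algorithmProperties":
   {"primitive": "kem", "parameterSetIdentifier": "768", "nistQuantumSecurityLevel": 3}}},
 {"type": "cryptographic-asset", "bom-ref": "cert:policy-api", "name": "policy-api.example.internal",
  "cryptoProperties": {"assetType": "certificate", "certificateProperties":
   {"notValidAfter": "2027-01-31T00:00:00Z", "signatureAlgorithmRef": "alg:rsa-2048"}}}
]}
""")

if __name__ == "__main__":
    inventory = build_inventory(CONSTRUCTED_CBOM)
    for row in inventory["assets"]:
        print(f'{row["ref"]:<18} {row["type"]:<12} {row["primitive"]:<10} '
              f'{row["parameters"]:<5} pq_migration={row["pq_migration_needed"]}')
    print("migration candidates:", inventory["pq_migration_candidates"])
```

On the constructed BOM the migration list is RSA-2048, ECDSA-P256 and the certificate signed with RSA-2048; AES-256-GCM and ML-KEM-768 are left alone. The certificate rule matters in practice: certificates are what actually expire and get rotated, so linking them to the algorithm inventory is what turns a list into a migration schedule.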

Controls 148–151 — Supply chain risk management

While these controls focus on contractual obligations with cloud and outsourced service providers, IntelliXBOM adds the technical layer these contracts cannot provide. When a vendor delivers software, IntelliXBOM ingests its SBOM to reveal every open-source and third-party component inside it, continuously monitors those components for newly disclosed vulnerabilities (CVEs), and alerts your CISO and CTO teams before a vulnerability becomes an incident.

[!TIP] This turns your vendor’s SLAs from paper promises into verifiable, evidence-backed assurances.

Controls 96–97 — Penetration testing and continuous monitoring

Grey/white-box pen testing every six months gives you a point-in-time snapshot. IntelliXBOM provides the continuous view between those snapshots, detecting when a component used in a production application becomes newly vulnerable, even on the day the CVE is published. This directly strengthens the continuous monitoring posture the guidelines (Control 32) expect your CISO to maintain.


Strengthening your CISO’s position under the new rules

The amended guidelines significantly expand the CISO’s mandate. The CISO must now brief both the ISRMC and the Board, develop scenario-based incident response plans, comply with CERT-In directives, and review every exception request. IntelliXBOM supports each of these responsibilities with data.

Board and ISRMC briefings become sharper when your CISO can present a live view of software risk across the organization’s application estate: which vendor components carry known vulnerabilities, what remediation is underway, and how exposure has changed quarter-on-quarter. IntelliXBOM generates the reporting artefacts that make these conversations evidence-based rather than anecdotal.

For incident response, knowing the exact components in every application means that when a zero-day hits, as Log4Shell did in December 2021, your team can answer within minutes, not days: “Which of our systems are affected?” IntelliXBOM makes that answer immediate.
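The mechanism behind the Controls 148–151 and 96–97 sections above and the Log4Shell question in this paragraph is one computation: map each application to its components, then match every component against the affected version ranges in a vulnerability feed. The Python below is an added example for this post, not IntelliXBOM's code. It assumes CycloneDX JSON SBOMs carrying package URLs (purl) and an OSV-style feed with introduced/fixed events. The three application SBOMs are constructed; the single feed entry mirrors the public CVE-2021-44228 (Log4Shell) advisory range for log4j-core on Maven, simplified to one range. The version comparator is a deliberately simplified ordering, not a full Maven or semver implementation.

```python
"""Which of our systems are affected? SBOM components matched against a vulnerability feed.

Added example for this post, not IntelliXBOM code. Assumes CycloneDX JSON SBOMs with
package URLs (purl) and an OSV-style feed (affected[].package + ranges[].events).
The SBOMs are constructed; the feed entry mirrors the public CVE-2021-44228 range.
"""
import re

# Minimal purl parser: pkg:type/namespace/name@version?qualifiers (qualifiers ignored).
PURL_RE = re.compile(r"^pkg:(?P<type>[^/]+)/(?:(?P<ns>.+)/)?(?P<name>[^@/?#]+)@(?P<version>[^?#]+)")
ECOSYSTEM = {"maven": "Maven", "npm": "npm", "pypi": "PyPI", "golang": "Go"}  # OSV ecosystem names


def parse_purl(purl):
    """Return (ecosystem, package name, version) or None if the purl is unparseable."""
    m = PURL_RE.match(purl or "")
    if not m:
        return None
    ns, name, ptype = m.group("ns"), m.group("name"), m.group("type")
    if ptype == "maven":
        full = f"{ns}:{name}" if ns else name      # Maven coordinates are groupId:artifactId
    else:
        full = f"{ns}/{name}" if ns else name
    return ECOSYSTEM.get(ptype, ptype), full, m.group("version")


def version_key(v):
    """Simplified ordering (an assumption, not full Maven/semver): dotted numerics first,
    and a pre-release suffix such as '-beta9' sorts below the matching release."""
    head, _, pre = v.partition("-")
    nums = tuple(int(p) if p.isdigit() else 0 for p in head.split("."))
    return nums + (0,) * (4 - len(nums)), 0 if pre else 1, pre


def version_in_range(version, events):
    """OSV semantics: affected when some introduced <= version < fixed."""
    v, affected = version_key(version), False
    for ev in events:
        if "introduced" in ev:
            affected = ev["introduced"] == "0" or version_key(ev["introduced"]) <= v
        elif "fixed" in ev and affected and version_key(ev["fixed"]) <= v:
            affected = False
    return affected


def find_affected(sboms, feed):
    """One alert per (application, component, advisory) whose version is in an affected range."""
    alerts = []
    for app, bom in sboms.items():
        for comp in bom.get("components", []):
            parsed = parse_purl(comp.get("purl"))
            if not parsed:
                continue
            eco, name, version = parsed
            for adv in feed:
                for aff in adv["affected"]:
                    pkg = aff["package"]
                    if pkg["ecosystem"] != eco or pkg["name"] != name:
                        continue
                    for rng in aff.get("ranges", []):
                        if rng.get("type") == "GIT":   # commit ranges need a repo; skipped here
                            continue
                        if version_in_range(version, rng["events"]):
                            fixed = next((e["fixed"] for e in rng["events"] if "fixed" in e), None)
                            alerts.append({"application": app, "component": f"{name}@{version}",
                                           "advisory": adv["id"], "fixed_in": fixed})
    return alerts


def systems_affected(sboms, feed, advisory_id):
    """The incident-response question: which applications carry a component hit by this advisory?"""
    return sorted({a["application"] for a in find_affected(sboms, feed) if a["advisory"] == advisory_id})


# Constructed feed entry, mirroring the public Log4Shell range (simplified to one range).
FEED = [{"id": "CVE-2021-44228",
         "summary": "Apache Log4j2 JNDI lookup remote code execution (Log4Shell)",
         "affected": [{"package": {"ecosystem": "Maven", "name": "org.apache.logging.log4j:log4j-core"},
                       "ranges": [{"type": "ECOSYSTEM",
                                   "events": [{"introduced": "2.0-beta9"}, {"fixed": "2.15.0"}]}]}]}]

# Constructed SBOMs for three made-up applications (names are illustrative).
SBOMS = {
    "policy-admin-portal": {"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
        {"type": "library", "name": "log4j-core", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1?type=jar"},
        {"type": "library", "name": "spring-web", "version": "5.3.8",
         "purl": "pkg:maven/org.springframework/spring-web@5.3.8"}]},
    "claims-engine": {"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
        {"type": "library", "name": "log4j-core", "version": "2.17.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"}]},
    "agent-mobile-api": {"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
        {"type": "library", "name": "express", "version": "4.18.2", "purl": "pkg:npm/express@4.18.2"}]},
}

if __name__ == "__main__":
    for alert in find_affected(SBOMS, FEED):
        print(alert)
    print("affected by CVE-2021-44228:", systems_affected(SBOMS, FEED, "CVE-2021-44228"))
```

Run it and the only alert is policy-admin-portal on log4j-core 2.14.1 with fixed_in 2.15.0; claims-engine on 2.17.1 is correctly excluded because it is past the fixed event, and agent-mobile-api never matches the package at all. The "day the CVE is published" property described above is simply this match re-run every time the feed is refreshed; the hard part in production is keeping the per-application SBOM side current, which is why vendor-delivered SBOMs need to be ingested on every release rather than once at onboarding.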


Compliance is the floor, not the ceiling

The IRDAI amendments are a meaningful step forward, but they were written to be a governance baseline, not a technical security framework. The guidelines themselves acknowledge this, noting that regulated entities “may adopt enhanced controls commensurate with their risk profile, size, and complexity.”

For any insurer handling policyholder data at scale, SBOM-based software supply chain security is increasingly expected by global frameworks: the US Executive Order on Improving the Nation’s Cybersecurity (EO 14028), the EU Cyber Resilience Act, and NIST guidance all reference SBOM as a foundational practice. IntelliXBOM positions your organization ahead of the regulatory curve, not just in step with it.


Closing the gap: from contractual compliance to real security

The new IRDAI Cybersecurity Guidelines raise expectations across governance, roles, testing, and supply chain management. But compliance on paper is not the same as security in practice. The technical gap between contractual supply chain controls and real-world software risk is where breaches happen.

IntelliXBOM delivers the visibility, evidence, and continuous intelligence your CISO, CTO, and Board need to ensure confident compliance and reduced risk.




About IntelliXBOM

IntelliXBOM is a Software Bill of Materials intelligence platform built for engineering, security, and compliance teams who need more than a list. It generates accurate, standards-compliant SBOMs at every stage of the software development lifecycle and enriches them with license context, vulnerability data, and policy intelligence so your teams can make confident, informed decisions before software reaches production.


This post is intended for informational purposes for regulated entities under IRDAI. All regulatory references are based on publicly available IRDAI circulars and guidelines.

References

  1. IRDAI Information and Cyber Security Guidelines, 2026 — Circular Ref. No. IRDAI/GA&HR/CIR/MISC/51/4/2026, 06 April 2026
  2. IRDAI Guidelines on Information and Cyber Security for Regulated Entities, 2023 — Circular Ref. No. IRDAI/GA&HR/GDL/MISC/88/04/2023, 24 April 2023