IRDAI vide circular dated 13th June, 2023 has issued clarification regarding prior circular on Reporting of Cyber Security Incidents by Regulated Entities. The circular stated that “Organization shall mandatorily report cyber incidents to Cert-In within 6 hours of noticing or being brought to notice about such incidents with a copy to IRDAI and other concerned regulators / authorities”.

All Regulated Entities are directed to scrupulously follow the provisions regarding reporting of incident to IRDAI and Cert-In. Further, Regulated Entities are required to submit available details of Cyber Security Incident to the Authority in an enclosed format within 24 hrs of intimation of the incident.

Further, the details in the reporting format needs to be updated with flow of information from
the forensic analysis as and when obtained and submitted to the Authority as subsequent
version(s) within 24 hrs of such information being made available.