IRDAI Revises Guidelines on Insurance Repository System Audits

In an important regulatory update, the Insurance Regulatory and Development Authority of India (IRDAI) has revised Clause 15(a) of its Revised Guidelines on Insurance Repositories and Electronic Issuance of Insurance Policies, originally issued on 29th May 2015. This move, effective immediately, aims to bolster the security, transparency, and operational resilience of India’s growing electronic insurance ecosystem.

Background

Clause 15(a) of the 2015 guidelines had mandated that insurance repositories undergo an annual audit of their systems, controls, procedures, and safeguards by an external system audit firm approved by IRDAI. This process played a key role in ensuring the safety and reliability of digital infrastructure handling millions of insurance policies. However, with the digital landscape rapidly evolving and the increasing importance of cybersecurity, IRDAI has now opted to update and broaden the scope of the audit framework.

What’s Changed?

The revised Clause 15(a) introduces greater flexibility and expands the criteria for selecting external auditors. Under the new rule, the system audit must still be conducted at least once a year, but repositories must now bear the cost themselves, reinforcing their responsibility for system integrity. Additionally, IRDAI has widened the pool of eligible auditors. Instead of requiring audits solely from IRDAI-approved firms, insurance repositories can now appoint professionals who meet any of the following criteria:
A Certified Information System Auditor (CISA)
A Chartered Accountant with a DISA (ICAI) qualification
A CERT-IN certified expert, recognized by the Indian Computer Emergency Response Team
