India's Insurance Regulator Orders AI Cybersecurity Review For Insurers

The Insurance Regulatory and Development Authority of India (IRDAI) has directed insurers to submit an action taken report on their artificial intelligence (AI) cyber readiness by May 22. The regulator has asked insurance companies to immediately review their cybersecurity posture and assess their exposure to frontier AI-driven threats, which are becoming more complex and harder to detect using conventional security frameworks, sources told NDTV Profit. What IRDAI has asked insurers to do: The regulator has instructed all insurance companies to detail their preventive, detection, and response mechanisms in the action taken report, outlining measures to strengthen cybersecurity resilience against evolving AI-enabled threats. Additionally, the regulator has asked insurers to evaluate their exposure to advanced AI systems and ensure safeguards are in place to protect sensitive and critical data assets. Sources said IRDAI also flagged vulnerabilities linked to legacy IT infrastructure, warning that older systems may not be adequately equipped to manage emerging cyber risks arising from rapid technological advancements. Similar warnings by CERT-in and SEBI: The Indian Computer Emergency Response Team (CERT-In) and Securities and Exchange Board of India (SEBI) have both issued warnings over emerging AI-driven cyber threats linked to Anthropic's Claude Mythos. In its April 26 advisory, CERT-In directed organisations to treat critical vulnerabilities as exploitable within hours, apply patches within 24 hours, monitor employee use of external AI tools, and track software and AI components across systems. Subsequently, SEBI's May 5 circular ordered all regulated securities market entities to immediately strengthen their cybersecurity infrastructure. SEBI warned that AI-enabled systems could exploit vulnerabilities at "speed and scale", while also mandating continuous AI-based vulnerability assessments, stricter vendor oversight, and enhanced API and change management controls.