Regulator IRDAI on Wednesday cautioned insurance companies for not adhering to the 6-hour timeline for reporting cyber-incidents.

“It is observed that the regulatory entities are not adhering to the above-mentioned timelines and also not keeping the authority on the loop in their communications to CERT-In. In view of the above, all regulated entities are directed to scrupulously follow the provisions regarding reporting incidents to IRDAI and CERT-In,” it said in a circular.

CERT-In is the nodal agency of the government to deal with cyber security threats.

The IRDAI also said the reporting format needs to be updated with the flow of information from forensic analysis within 24 hours of such information being made available.

On April 24, 2023, Irdai had come up with Information and Cyber Security Guidelines, 2023, where the regulator stated that insurance companies must report cyber-incidents to CERT-In within six hours of noticing such incidents along with a copy to Irdai and other concerned authorities.

Over 1.6 million cyber-attacks were reportedly blocked on Indian insurance firms every day in January.