
IRDAI Cybersecurity Compliance 2026: Meeting the AI Readiness Directive Requirements


IRDAI has directed every insurer to submit an Action Taken Report (ATR) on their AI cyber readiness. Have you submitted yours? And more importantly, do the controls it describes actually exist?

The threat data makes the question urgent. According to the Indusface State of Application Security 2026 Report, insurance vulnerability attacks grew 220%, the highest spike of any sector tracked. DDoS attacks per insurance site rose 143%. API vulnerability exploitation across industries jumped 181%, accelerated by LLM-assisted tooling that allows novice attackers to generate working exploits within hours of a CVE disclosure.

IRDAI responded on two fronts. The revised Information and Cyber Security Guidelines 2026 (Circular IRDAI/GA&HR/CIR/MISC/51/4/2026, April 2026) replaced the 2023 framework with substantially higher requirements, mandatory from the current financial year. The AI readiness directive then asked every insurer to specifically assess their exposure to frontier AI threats.

This guide covers what both frameworks require, where most insurers are falling short, and how AppTrana addresses each obligation in one platform.

IRDAI 2026 Compliance at a Glance

| Requirement | IRDAI 2026 Source | AppTrana Coverage |
|---|---|---|
| WAF deployment, encrypted traffic inspection | Section 2.11, Point 7 | AI-powered, active block mode, SSL/TLS inspection |
| DDoS mitigation | Sections 2.11 and 3.4.4 | Behavioural DDoS detection, unmetered protection |
| Vulnerability Analysis and Penetration Testing (VAPT) every 6 months by a CERT-In empaneled auditor | Section 3.5.1, Point 3 | Continuous DAST, AI pen testing, CERT-In empaneled PT |
| High risk gaps closed within 30 days with re-validation | Section 3.5.1, Point 9 | SwyftComply clean vulnerability report with autonomous remediation and re-validation |
| All gaps closed within 2 months with re-validation | Section 3.5.1, Point 10 | SwyftComply zero-vulnerability compliance report |
| Pre-production security testing for every change | Section 3.5.1, Point 5 | On-demand DAST before every deployment |
| APIs and web services VAPT before go-live | Section 3.5.1, Point 6 | Dedicated API VAPT, authenticated scanning |
| 24×7 SOC, SIEM-based continuous monitoring | Section 2.16 | 24×7 expert support, real-time anomaly detection, SIEM integration |
| Log retention 180 days, Indian jurisdiction | Section 2.16, Point 14 | 365-day log retention, Indian jurisdiction |
| Incident reporting within 6 hours to CERT-In and IRDAI | Incident reporting section | Real-time incident characterisation, 24×7 expert support |
| Encryption and TLS controls | Section 2.12 | TLS 1.3 enforcement across all traffic |
| AI cyber readiness controls | IRDAI AI readiness directive, May 2026 | AppTrana AI Shield, behavioural ML detection, continuous AI pen testing |

What IRDAI’s AI Readiness Directive Means for Insurers

The insurance sector’s attack surface is expanding on two sides simultaneously. AI deployed across underwriting, claims, fraud detection, and customer chatbots creates entry points that traditional VAPT does not cover. Meanwhile, AI-driven attacker tooling can scan an entire application surface, find exploitable vulnerabilities, and generate working payloads in hours.

Three things make this urgent for insurance specifically:

The AI layer itself is untested – Prompt injection, adversarial inputs, and model bypass attacks require testing the AI system directly. Most security programs have not yet added this to their scope.

The exploitation window has collapsed – Insurance vulnerability attacks grew 220%. Vulnerabilities are being found and weaponized faster than development teams can patch them.

Static rate limiting cannot keep up – 60% of DDoS attacks required AI behavioural models to detect and block. Static rate-limiting stopped only 40%. AI-driven attacks are specifically engineered to evade rule-based systems.

The Action Taken Report (ATR) is the start of IRDAI’s review. The practical question for every insurer: if an AI tool like Mythos scanned your applications today, how many vulnerabilities would it find, and how quickly can you remediate them?

What the IRDAI 2026 Guidelines Actually Require

Here is what each requirement actually means for your team and where most insurers discover they have a gap:

Requirement 1: WAF and DDoS Protection (Section 2.11)

Section 2.11 Point 7 requires organisations to deploy web application firewalls that inspect all traffic for common attacks. If traffic is encrypted, the WAF must decrypt and inspect it before analysis. DDoS mitigation, traffic filtering, and intrusion detection are mandatory network security controls under the same section.

Where most insurers fall short: A WAF generating alerts in monitoring mode is not a compliant WAF. The guideline requires inspection and active protection, not observation.

Requirement 2: API and Web Services Security (Section 3.5.1 Point 6)

APIs and web services must undergo security audit and VAPT including secure code review before go-live and periodically as part of mandatory VAPT cycles. The WAF requirement under Section 2.11 extends to API traffic. Encrypted API traffic must be inspectable at the WAF layer.

Where most insurers fall short: APIs are frequently included in web application assessments without dedicated coverage. Shadow APIs, internal endpoints inadvertently exposed to production, and deprecated services still receiving traffic represent unprotected data flows that standard assessments miss.
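The three gaps named above (shadow APIs, internal endpoints reachable from the public edge, and deprecated services still taking traffic) can all be surfaced by comparing what the access logs show against the documented API inventory. The script below is an added illustration written for this article, not AppTrana's discovery engine; the inventory, the log lines, the path-normalisation rule (numeric segments become `{id}`) and the scoping of `/api/` and `/internal/` prefixes are all constructed assumptions.

```python
"""Shadow and deprecated API detection from access logs.

Added example for this article, not Indusface/AppTrana code. It compares the
endpoints actually receiving traffic (parsed from constructed access-log lines)
against a constructed API inventory and reports three gaps: shadow APIs
(traffic but no inventory entry), internal endpoints reached from the public
edge, and deprecated endpoints still receiving requests.
"""
import re
from collections import Counter
from typing import Dict, List

# Constructed inventory: normalised path -> lifecycle and intended exposure.
INVENTORY = {
    "/api/v2/claims": {"status": "active", "exposure": "public"},
    "/api/v2/policies/{id}": {"status": "active", "exposure": "public"},
    "/api/v1/claims": {"status": "deprecated", "exposure": "public"},
    "/internal/admin/export": {"status": "active", "exposure": "internal"},
}

# Constructed log lines in common log format (documentation-range addresses).
LOG_LINES = [
    '203.0.113.10 - - [01/Jun/2026:10:00:01 +0530] "GET /api/v2/claims HTTP/1.1" 200 512',
    '203.0.113.11 - - [01/Jun/2026:10:00:02 +0530] "GET /api/v2/policies/8812 HTTP/1.1" 200 730',
    '203.0.113.12 - - [01/Jun/2026:10:00:03 +0530] "POST /api/v1/claims HTTP/1.1" 200 88',
    '203.0.113.13 - - [01/Jun/2026:10:00:04 +0530] "GET /internal/admin/export HTTP/1.1" 200 9001',
    '203.0.113.14 - - [01/Jun/2026:10:00:05 +0530] "GET /api/v2/agents/77/commission HTTP/1.1" 200 120',
    '203.0.113.15 - - [01/Jun/2026:10:00:06 +0530] "GET /static/app.js HTTP/1.1" 200 4000',
]

LINE_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')
NUMERIC_SEGMENT = re.compile(r"/\d+(?=/|$)")


def normalise(path: str) -> str:
    """Drop the query string and collapse numeric segments to {id} so that
    /policies/8812 matches the inventory entry /policies/{id}."""
    path = path.split("?", 1)[0]
    return NUMERIC_SEGMENT.sub("/{id}", path)


def observed_endpoints(lines: List[str]) -> Counter:
    """Count requests per (method, normalised path) seen at the edge."""
    seen: Counter = Counter()
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            seen[(m.group("method"), normalise(m.group("path")))] += 1
    return seen


def classify(seen: Counter, inventory: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    """Map observed endpoints to the three gap categories."""
    report: Dict[str, List[str]] = {"shadow": [], "internal_exposed": [], "deprecated_in_use": []}
    for (method, path), count in sorted(seen.items()):
        if not (path.startswith("/api/") or path.startswith("/internal/")):
            continue  # static assets and pages are out of scope here (assumption)
        entry = inventory.get(path)
        label = f"{method} {path} ({count} req)"
        if entry is None:
            report["shadow"].append(label)            # traffic with no inventory entry
        elif entry["exposure"] == "internal":
            report["internal_exposed"].append(label)  # should never reach the public edge
        elif entry["status"] == "deprecated":
            report["deprecated_in_use"].append(label) # retired on paper, still serving
    return report


def audit(lines: List[str] = LOG_LINES, inventory: Dict[str, Dict[str, str]] = INVENTORY) -> Dict[str, List[str]]:
    return classify(observed_endpoints(lines), inventory)


if __name__ == "__main__":
    for category, items in audit().items():
        print(category, items or "-")
```

Run against a real day of edge logs and a current OpenAPI-derived inventory, the same three lists become the input to the dedicated API VAPT scope: anything in `shadow` has never been tested, anything in `internal_exposed` needs an access-control fix before the next cycle, and anything in `deprecated_in_use` needs either decommissioning or inclusion in the test plan.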

Requirement 3: VAPT Every Six Months by CERT-In Empaneled Auditors (Section 3.5.1)

Both vulnerability analysis (VA) and external Grey/White box Penetration Testing for all internet-facing assets are required every six months, conducted by a CERT-In empaneled auditor. Business applications including APIs must undergo VAPT before go-live and periodically thereafter. Mandatory security testing is required for every change to internet-facing assets before production deployment.

Where most insurers fall short: The 2023 guidelines required six-monthly VA. Most insurers treated this as the complete obligation. The 2026 guidelines add six-monthly external PT on the same cadence and require CERT-In empaneled auditors for external testing. A vendor who is not empaneled cannot satisfy the external PT obligation regardless of technical capability. The pre-production testing requirement for every change is equally significant. Every code change, configuration update, and new deployment to internet-facing systems is now a testing trigger under Section 3.5.1 Point 5.

Requirement 4: High Risk Gaps Closed Within 30 Days (Section 3.5.1 Points 9 and 10)

High risk gaps must be closed within 30 days with mandatory re-validation testing. All audit gaps must be closed within two months, also with re-validation. Results from prior assessments must be compared against current findings to confirm no recurrence.

Where most insurers fall short: Sprint cycles do not align with 30-day remediation windows for every High risk finding. The Indusface AppSec 2026 Report found 32% of critical vulnerabilities stayed open beyond 180 days due to development backlogs. Without a virtual patching capability at the WAF edge, the 30-day window is structurally impossible to meet for findings that require code-level fixes. Re-validation is also the step most missed. Closing a finding in the tracker is not compliance. The next assessment must confirm the vulnerability is resolved and has not recurred.

Requirement 5: 24×7 SOC and Continuous Monitoring (Section 2.16)

Enterprise-wide monitoring of information security incidents by a SOC team on a 24×7 basis is required. Continuous monitoring of IT logs through SIEM is mandatory. Log retention is set at 180 days within Indian jurisdiction per CERT-In directions.

Where most insurers fall short: Having someone on call after hours is not 24×7 expert coverage with SIEM integration. The State of Application Security 2026 Report found attacks lasting 2 to 3 minutes complete before human response begins. During claims season, short-burst attacks are specifically timed to exploit high-activity windows when security teams are most stretched.

Requirement 6: Cyber Incident Reporting Within 6 Hours

Cyber incidents must be reported to CERT-In within 6 hours of detection, with a copy to IRDAI. Both regulators must be notified within the same six-hour window.

Where most insurers fall short: The clock starts at detection, not when the incident is fully characterised. If detection and triage together consume more than six hours, the notification is already late. A single notification to CERT-In is not sufficient.

The pressure does not stop at reporting. CERT-In's indicative risk-based remediation timelines set hard windows: internet-facing Known Exploited Vulnerabilities within 12 hours, critical vulnerabilities within 1 day, and high severity findings within 5 days.
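Taken together, Requirement 4 and the CERT-In timelines mean a finding's real deadline is the earliest of every window that applies to it, and closure only counts once re-validated with no recurrence against the prior assessment. The tracker below is an added example written for this article, not SwyftComply or any AppTrana code; the finding record layout, the sample findings and dates, the reading of "two months" as 60 days, and the treatment of Critical as at least High for the IRDAI 30-day rule are all constructed assumptions.

```python
"""Remediation-deadline and re-validation tracker.

Added example for this article, not Indusface or AppTrana code. It encodes the
windows the page quotes (IRDAI Section 3.5.1 Points 9 and 10 and CERT-In's
indicative timelines) and the two checks an auditor asks for: closure within
the binding deadline, and re-validation with no recurrence against the prior
assessment. Record layout, sample findings and dates are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Windows quoted on the page. "Two months" is taken as 60 days (assumption).
IRDAI_HIGH_WINDOW = timedelta(days=30)     # Section 3.5.1 Point 9
IRDAI_ALL_WINDOW = timedelta(days=60)      # Section 3.5.1 Point 10
CERTIN_WINDOWS = {"critical": timedelta(days=1), "high": timedelta(days=5)}
CERTIN_KEV_WINDOW = timedelta(hours=12)    # internet-facing Known Exploited Vulnerabilities


@dataclass
class Finding:
    fid: str
    location: str          # constructed, e.g. "POST /api/claims"
    weakness: str          # constructed, e.g. "SQLi"
    severity: str          # "critical" | "high" | "medium" | "low"
    found: datetime        # reported by the assessment; the clock starts here
    fixed: Optional[datetime] = None   # code fix or compensating control live
    revalidated: bool = False          # confirmed closed by a later test
    internet_facing: bool = True
    kev: bool = False


def deadline(f: Finding) -> datetime:
    """Binding deadline is the earliest of every window that applies.
    Critical is treated as at least High for the IRDAI rule (assumption)."""
    windows = [IRDAI_ALL_WINDOW]
    if f.severity in ("critical", "high"):
        windows.append(IRDAI_HIGH_WINDOW)
        windows.append(CERTIN_WINDOWS[f.severity])
    if f.kev and f.internet_facing:
        windows.append(CERTIN_KEV_WINDOW)
    return f.found + min(windows)


def status(f: Finding, now: datetime) -> str:
    """Closing a ticket is not compliance: a fix counts only once re-validated."""
    due = deadline(f)
    if f.fixed is None:
        return "OVERDUE" if now > due else "OPEN"
    if f.fixed > due:
        return "CLOSED_LATE" if f.revalidated else "CLOSED_LATE_NOT_REVALIDATED"
    return "COMPLIANT" if f.revalidated else "NOT_REVALIDATED"


def recurrences(current: List[Finding], prior: List[Finding]) -> List[str]:
    """Same weakness at the same location that was closed in the prior
    assessment and is present again now is a recurrence to flag."""
    closed_before = {(p.location, p.weakness) for p in prior if p.fixed is not None}
    return [c.fid for c in current if (c.location, c.weakness) in closed_before]


def _utc(y: int, m: int, d: int, h: int = 0) -> datetime:
    return datetime(y, m, d, h, tzinfo=timezone.utc)


def demo(now: Optional[datetime] = None) -> Dict[str, object]:
    """Run the checks over constructed findings and return the results."""
    now = now or _utc(2026, 6, 1)
    prior = [Finding("P-1", "POST /api/claims", "SQLi", "high",
                     _utc(2025, 11, 1), fixed=_utc(2025, 11, 20), revalidated=True)]
    current = [
        Finding("F-1", "POST /api/claims", "SQLi", "high", _utc(2026, 5, 1)),
        Finding("F-2", "GET /quote", "Verbose error", "medium", _utc(2026, 5, 1)),
        Finding("F-3", "GET /api/policy", "BOLA", "high", _utc(2026, 5, 1),
                fixed=_utc(2026, 5, 3)),
        Finding("F-4", "login gateway", "CVE-PLACEHOLDER", "critical", _utc(2026, 5, 1),
                fixed=_utc(2026, 5, 1, 10), revalidated=True, kev=True),
    ]
    return {
        "deadlines": {f.fid: deadline(f).isoformat() for f in current},
        "statuses": {f.fid: status(f, now) for f in current},
        "recurrences": recurrences(current, prior),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point the output makes is that the 30-day figure is rarely the operative one: a High finding on an internet-facing asset is bound by the 5-day CERT-In window, and a Known Exploited Vulnerability by 12 hours, which is why the text argues that only a compensating control at the edge can meet the deadline when the code fix has to wait for a sprint.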

How AppTrana Meets Every IRDAI 2026 and AI Readiness Requirement

Most insurers piece together compliance from multiple vendors, multiple dashboards, and multiple contracts. Every integration point is a potential gap. AppTrana consolidates every requirement from the 2026 guidelines and the AI readiness directive into a single platform, deployed inline, active from day one.

AI Readiness — AppTrana AI Shield provides runtime inspection of AI applications in production, detecting prompt injection, policy violations, and data exposure through AI endpoints. Behavioural ML identifies anomalous patterns including AI-generated payloads and systematic API probing.

WAF and DDoS — Deployed inline in active block mode from day one with a zero false positive guarantee. SSL/TLS termination at the WAAP layer satisfies the encrypted traffic inspection requirement. Behavioural DDoS protection handles short-burst and AI-driven campaigns with unmetered protection and no surge charges.

API Security — Continuous API discovery surfaces shadow APIs and undiscovered endpoints. A positive security model covers the full OWASP API Top 10 with rate limiting and behavioural abuse detection for business logic gaps that API gateways cannot cover.

Vulnerability Remediation — SwyftComply deploys a custom virtual patch at the WAF edge within SLA when a High risk finding surfaces, closing the exposure window before the code-level fix reaches a sprint. Re-validation is tracked automatically. Output is a zero-vulnerability compliance report usable directly with auditors.

Monitoring and SOC — AppTrana’s 24×7 managed security team provides continuous enterprise-wide monitoring with real-time anomaly detection. 365-day log retention exceeds the 180-day requirement, within Indian jurisdiction. SIEM integration feeds full payload logs into the insurer’s security operations workflow.

Incident Response — AppTrana characterises incidents in real time, so that triage does not consume the 6-hour notification window and time remains for the submissions to both CERT-In and IRDAI.

VAPT — Indusface security experts are CERT-In empaneled, directly satisfying the external PT requirement. AppTrana is the only WAF vendor with CERT-In empaneled DAST and manual penetration testing included as a standard service. On-demand DAST can be triggered before any production deployment.

What IRDAI Does After You Submit

IRDAI will review submissions and follow up on identified gaps. The insurers best positioned in the next regulatory review cycle are those treating the AI readiness directive as a genuine signal that the threat environment has changed.

Your next IRDAI review starts today. Start a free trial with AppTrana and fix compliance gaps before your next IRDAI security audit.


Vinugayathri Chinnasamy

Vinugayathri Chinnasamy is an Assistant Product Marketing Manager at Indusface, focused on application security, penetration testing, and managed WAAP. She translates vulnerability research, compliance requirements, and real-world attack trends into practical, decision-ready insights for security and business teams.

Frequently Asked Questions (FAQs)

The revised guidelines (Circular IRDAI/GA&HR/CIR/MISC/51/4/2026, dated 6 April 2026) replace the 2023 framework and set minimum standards for all regulated entities including insurers, foreign reinsurance branches, brokers, corporate agents, web aggregators, TPAs, and insurance repositories. Compliance is mandatory from the current financial year. The guidelines cover governance, VAPT, monitoring, incident response, network security, cryptography, business continuity, and cloud security across 175 pages.

In May 2026, IRDAI directed all insurers to submit an Action Taken Report detailing preventive, detective, and response mechanisms for frontier AI-driven cyber threats. Insurers were asked to evaluate their exposure to advanced AI systems and confirm safeguards for sensitive and critical data assets. The directive is separate from the 2026 guidelines, which contain no AI-specific provisions.

The 2026 guidelines require both VA and external Grey/White box Penetration Testing every six months for all internet-facing assets, conducted by a CERT-In empaneled auditor. The 2023 framework required six-monthly VA but less frequent PT. Pre-production testing is now mandatory for every change to internet-facing assets, and APIs and web services require dedicated VAPT before go-live.

High risk gaps must be closed immediately and in no case beyond 30 days, followed by mandatory re-validation testing. All audit gaps must be closed within two months, also with re-validation. Current assessment results must be compared against prior findings to confirm no recurrence.

Yes. Section 2.11 Point 7 explicitly requires deployment of web application firewalls to inspect all traffic for common attacks. If traffic is encrypted, the WAF must be capable of decrypting it for inspection. For non-web applications, specific application firewalls are required.

Cyber incidents must be reported to CERT-In within 6 hours of detection, with a copy to IRDAI. Both regulators must be notified within the same six-hour window. Contact details of NCIIPC, CERT-In, and relevant stakeholders must be maintained and documented.

SwyftComply is AppTrana’s autonomous vulnerability remediation capability. When any scanner identifies a High risk finding, the managed team generates an application-specific virtual patch, tests it against live traffic, and deploys it at the WAF within 72 hours. This meets the 30-day deadline through the compensating control pathway the guidelines recognise. Automated re-validation tracking and a clean zero-vulnerability compliance report address both the re-validation requirement and board-level reporting obligations.

Section 3.5.1 requires both VA and external penetration testing to be conducted by CERT-In empaneled auditors. This disqualifies vendors who are not empaneled regardless of their technical capability. Indusface security researchers are CERT-In empaneled, making AppTrana the only WAF vendor with empaneled DAST and manual penetration testing included as a standard service.