AI-Driven Fraud, Breaches Put Insurers On Notice, IRDAI Seeks Review

Insurers continue to rely on frameworks designed for known threats even as AI adoption accelerates across underwriting, claims and customer servicing.

Years of investment in defences against phishing, ransomware and data leaks may not hold against frontier AI threats, exposing gaps in insurers' security frameworks and infrastructure, experts warn.

In an advisory email reviewed by NDTV Profit, the Insurance Regulatory and Development Authority of India asked insurers to submit a detailed status report on preparedness for AI-driven cyber risks, including vulnerability and response capability. Companies have been asked to reassess their cybersecurity posture and report by May 22.

The exercise signals a shift in regulatory focus. "This is essentially an attempt to evaluate how companies are looking at this threat," said Aravind Venugopal, partner at Khaitan & Co. Parts of the directive point to a forward-looking approach: "This is proactive supervision of an emerging threat before the industry has been tested by it."

Industry feedback suggests AI risks are still not treated as core. Many insurers assume existing systems are adequate, with compliance often treated as a check-box exercise. But advances in tools such as Mythos and other frontier AI systems threaten to outpace these safeguards, particularly in detecting false claims; such risks are already evident in global markets.

This comes at a time when the sector's exposure has grown sharply. Total premium income reached Rs 11.93 lakh crore in FY25, according to the Economic Survey 2026 and provisional General Insurance Council data. Non-life insurance expanded to Rs 3.36 lakh crore in gross direct premiums by FY26. Insurers' assets under management have crossed Rs 74.44 lakh crore, alongside vast datasets covering hundreds of millions of policyholders. Health insurance alone accounts for over Rs 1.2 lakh crore in premiums, covering 58.2 crore customers.

Large data pools, digital processes and legacy systems together create a broad attack surface as threat vectors evolve.

Two-Layer Risk: Fraud, Breaches

The regulator's concern extends beyond traditional cyberattacks to a broader shift in risk. "There are two distinct exposures here. One is AI-driven fraudulent claims, and the other is data security risks arising from more sophisticated cyberattacks," Venugopal said.

The first is already emerging. Globally, insurers are reporting a rise in AI-generated claims, synthetic identities and manipulated evidence, including fabricated medical records and doctored vehicle damage images. Some markets have seen a sharp increase in claims containing AI-altered visuals, especially in motor insurance.

For Indian insurers, the vulnerability is acute in general insurance, where claims processing is less tightly regulated than in life or health segments.

The second risk is structural. The Star Health Insurance breach exposed personal data of about 3.1 crore customers along with millions of claims, which later circulated in public domains. The incident triggered regulatory action and penalties for cybersecurity lapses.

Other incidents, including those involving Tata AIG and earlier attacks at Aviva Life, have underscored system weaknesses, prompting IRDAI to push insurers to audit IT infrastructure.

Globally, cyber incidents remain frequent and costly. Around 28% of insurers have reported breaches, many linked to third-party systems, pointing to vulnerabilities across interconnected ecosystems.

AI Gap in Current Framework

IRDAI's updated Information and Cyber Security Guidelines for 2026 set out a control-heavy framework, but remain largely technology-agnostic and do not explicitly address AI risks.

"AI is changing the game as vulnerabilities can now be identified and exploited faster than ever before, in hours, not weeks," said Anirud Sudarsan, partner at Cyril Amarchand Mangaldas. "Insurers need to stay alive to these evolving risks, which is exactly what the IRDAI is pushing them to do."

The guidelines mandate board-approved cybersecurity frameworks, CISO-led oversight, and controls across the lifecycle of information assets, from classification and access to monitoring, incident response and vendor risk. They align with global standards such as the NIST framework and include requirements on cloud security, data privacy under the DPDP law, supply-chain risks and continuous vulnerability testing.

However, they stop short of defining AI-specific controls such as model risk, bias, explainability, adversarial attacks or risks from automated decision-making. AI systems are effectively treated as generic IT assets within existing controls.

As a result, while baseline cyber and data protections are strong, there is no dedicated regulatory perimeter for AI-led risks in underwriting, claims processing or fraud detection.

"Insurers need updated capabilities, better trained and equipped teams, and tighter controls around how AI is used inside their organisations," Sudarsan said. "The foundation of the cyber security architecture may no longer be enough on its own."

Regulatory and industry responses remain in early stages. Insurers continue to rely on frameworks designed for known threats even as AI adoption accelerates across underwriting, claims and customer servicing.

Venugopal said the directive's design is deliberate. "The sophistication of the exercise lies precisely in that the threat category is deliberately left open-ended, requiring each institution to genuinely interrogate its own exposure rather than check boxes." The resulting disclosures "become the benchmark against which future readiness is judged."

Industry participants say the exercise may resemble a compliance requirement, but it reflects a deeper concern that threat perception itself has not kept pace with technological change.

Insurers still assume that data-sharing practices and risk controls can remain unchanged even as the technology landscape evolves. That gap between perception and reality may ultimately define the sector's exposure.

For now, the regulator has taken the first step. Whether it leads to a formal AI risk framework in line with emerging global trends will depend on what the current round of disclosures reveals.
