Protect the policyholder.
Satisfy the regulator.

The IRDAI Information and Cybersecurity Guidelines 2023, issued on 24 April 2023, supersede the 2017 guidelines and apply to all insurers, reinsurers, intermediaries (brokers, corporate agents, web aggregators, IMFs) and ancillary service providers in India. The document mandates an annual VAPT for all critical information assets, additional VAPT after any major change, a separate annual application security assessment for every internet-exposed application, quarterly vulnerability assessments, a board-approved Information & Cybersecurity Policy reviewed annually, a Chief Information Security Officer reporting to the board, and incident reporting to the IRDAI and CERT-In within the stipulated windows. The engagement maps every test case to the relevant clause and produces the artefact bundle the IRDAI inspection team asks for: VAPT report, remediation tracker, retest evidence, CISO sign-off and the board-minute confirmation of review.

The NAIC Insurance Data Security Model Law (Model #668), originally adopted in 2017, has been enacted in 23+ US states as of 2026 — including New York (under 23 NYCRR Part 500 which preceded the Model Law and remains operative), Ohio, South Carolina, Michigan, Mississippi, Alabama, Connecticut, Delaware, Indiana, Louisiana, Maine, Minnesota, New Hampshire, North Dakota, Tennessee, Virginia, Wisconsin and others. The law requires licensees to develop, implement and maintain a comprehensive written information security programme based on a risk assessment, designate a qualified individual responsible for the programme, conduct periodic risk assessments, encrypt nonpublic information in transit and at rest, implement multi-factor authentication for any individual accessing nonpublic information, conduct annual penetration testing and biannual vulnerability assessments, oversee third-party service providers, report cybersecurity events to the commissioner within 72 hours, and provide an annual certification of compliance. The engagement provides the penetration test, vulnerability assessment, third-party assessment template and the evidence pack the state insurance department examiner requests.

Broker portals and agent extranets are the single most-targeted insurance attack surface in the public record. Credential stuffing using credentials leaked from unrelated breaches, MFA bypass through SMS interception or push-notification fatigue, OAuth misconfiguration on federated logins, session-fixation against legacy SAML stacks, and IDOR / BOLA breaks that let one broker enumerate another broker's book of business or a customer's policy data. The engagement runs authenticated testing against every broker and agent role, exercises the OWASP API Top 10 (2023) across the portal API, validates account-lockout and rate-limit thresholds against realistic credential-stuffing volume, tests the MFA enrolment and recovery flows for bypass, and runs targeted scenarios mirroring real third-party-agent account-takeover incidents — including post-ATO actions like quote manipulation, payout-bank-account change, and policy-level data exfiltration. Findings map to OWASP ASVS L2, OWASP API Top 10 (2023) and the relevant IRDAI / NAIC / IDD clauses.

Claims platforms combine high-value workflow logic with PII, banking instruments, medical records (for health and motor injury claims) and third-party-agent access — making them the highest-impact target in any insurer's environment. The engagement exercises the OWASP ASVS L2 business-logic chapter (V11) and applies adversary-style testing against the claims lifecycle: First Notice of Loss (FNOL) intake manipulation, claim-status enumeration across customer accounts, claim-amount and reserve manipulation, payout-bank-account change without re-authentication, document-upload bypasses (PDF / image polyglots, MIME confusion, antivirus evasion), assessor and surveyor app abuse, and downstream impact on the core policy administration system (PAS) and the reinsurance ceding ledger. Where the insurer runs Guidewire ClaimCenter, Duck Creek Claims, Insurity, Sapiens, Majesco or a bespoke claims platform, we use the integration map to test the trust boundaries between modules — claims, billing, policy, reinsurance — because authorisation breaks at the integration layer drive the highest-impact fraud findings.

Reinsurers run a treaty and facultative book on systems like SICS, Tia, Sapiens ReinsuranceMaster or a bespoke ledger, integrated with the cedent insurers' bordereaux feeds and the retrocession outwards programme — the engagement targets the bordereaux ingest, the treaty-allocation logic and the retro accounting, where authorisation breaks create cross-cedent data exposure or premium-flow manipulation. Brokers and MGAs run placement platforms (PPL, Whitespace, ePlace), management systems (Acturis, Applied Epic, Vertafore AMS360) and customer portals integrated with the insurer panels — the engagement targets the placement-platform integrations, the panel-quote APIs and the customer-facing broker portal, with explicit testing of cross-broker data isolation. Insurtech firms typically run a thin policy-administration layer over a cloud-native stack and integrate with credit-bureau, KYC, payment and external-data APIs — the engagement covers the cloud control plane against the CIS Benchmarks, the API surface, and the third-party-integration trust boundary. The same evidence pack — VAPT report, OWASP / ASVS / API Top 10 mapping appendix, regulator-clause mapping appendix, retest report, Letter of Attestation — covers every entity type.