Four regulators sent the same warning to four very different parts of the Indian economy this year, and most organisations are reading it as one more compliance memo to file away. That is a mistake. CERT-In, IRDAI, the RBI, and SEBI did not coordinate this messaging deliberately, but the convergence is real: frontier AI tools have compressed the time between a vulnerability appearing and an attacker exploiting it from weeks to hours, and every one of these regulators has rewritten its expectations around that fact within a single quarter. What an MSME owes its regulator looks nothing like what an asset management company owes SEBI, but the underlying discipline, patch faster, know your vendors, and have one incident plan that actually works, is the same across all four. This piece sets out the working checklist for each.
The Regulatory Backdrop
CERT-In moved first, publishing a blueprint in May 2026 that treats AI assisted exploitation as the default threat model, telling organisations to patch critical flaws within hours and build a dedicated inventory of AI components running across their systems. SEBI followed on May 5 with a circular reaching every category of regulated market participant, mutual funds included, and unlike a typical advisory, it carries statutory weight under the SEBI Act. IRDAI took a narrower but sharper approach, demanding insurers report on their AI exposure within roughly a week of being asked. The RBI's posture sits on an existing framework: NBFCs already had a Master Direction to comply with, and the new deadline for a board approved gap assessment forces the AI question into that structure rather than creating a parallel one.
Regulators have stopped accepting “we will look into it” as an adequate response. They want a dated assessment, a board signature, and evidence the gap is closing, not a policy statement that it exists.

MSME Checklist: The Lean Floor
Small and medium enterprises are not going to build a SOC, and pushing them toward one waste money they do not have. What moves the needle at this size is a short, cheap list of controls that close the gaps attackers exploit most often in this segment.
- Enable multi factor authentication on every account, starting with email and admin consoles, since this blocks the largest share of account takeover attempts at close to zero cost.
- Move critical patching from a thirty-day cycle to seven days, tracked with discipline rather than relying on automated tooling alone.
- Deploy endpoint detection that goes beyond signature-based antivirus on every device, since behavioural visibility catches what signature matching misses entirely.
- Maintain an offline backup and test it monthly. An untested backup fails precisely when it is needed most.
- Run a phishing simulation every quarter, since credential theft through email remains the entry point for most MSME breaches.
- Commission an annual penetration test on any customer facing application handling payments or personal data, treating this as non-negotiable rather than discretionary.
- Build and maintain an inventory of internet facing assets, on the basic principle that an organisation cannot defend what it does not know exists.
- Keep a short, printed incident response plan with CERT-In contact details, reviewed annually and stored somewhere other than the network it would be needed to recover.
What an MSME should resist buying matters just as much. A full SIEM platform, standalone advanced threat detection products, and a ground up Zero Trust consultancy engagement all carry costs that exceed what a typical MSME's threat surface justifies. A part time security advisor on retainer usually closes the gap more effectively, and the eight controls above, documented properly, line up well with what India's data protection law expects in reasonable security safeguards.
Insurer Checklist: Four Areas to Cover
Insurance carriers hold a combination of data that almost no other sector touches in one place: medical history, financial records, identity documents, and beneficiary relationships. That combination makes an insurer worth attacking even when the payout from any single record is small, because the aggregate profile is what an attacker is actually after.
- Core systems. Move policy administration, claims, and finance off periodic audits and onto continuous testing, since this data carries the highest concentration of sensitivity in the business.
- Customer facing platforms. Schedule regular external scanning of mobile apps and broker portals, where fraud detection sophistication often lags behind full core banking platforms.
- Vendor and partner ecosystem. Run a fresh, multi-tier audit of Third-Party Administrators and broker portals specifically, since many of these relationships predate modern threat modelling and this is consistently where the most serious findings turn up.
- Data and analytics layer. Validate underwriting and fraud detection models on an ongoing basis, since these models are increasingly targeting in their own right, not tools safely behind the perimeter.
Within the vendor and partner area, two checks matter most. First, confirm exactly who holds administrative access to claims data through each TPA or broker portal, since shared or unreviewed admin credentials are where the worst exposures live. Second, confirm those access arrangements have actually been reviewed in the past year rather than carried forward from an old contract nobody revisited.
Insurers should also add one item outside the four areas above: build real detection capability for AI generated content, covering synthetic identities, fabricated medical documentation, and AI generated claim materials. This is a board level conversation now.
NBFC Checklist: Five Controls for This Quarter
NBFCs occupy an uncomfortable position. Their customer growth has outpaced security investment for years, their interactions with customers are almost entirely digital, and their integrations into the broader banking system sometimes run through connections weaker than the bank side of the relationship. The RBI's existing Master Direction already sets a meaningful bar for NBFCs in the Top, Upper, and Middle layers. The five controls below close the highest priority gap fastest, and all five are achievable inside a single quarter.
- Refresh the asset and exposure register through an external scan of internet facing systems, since configuration drift reliably hides assets nobody remembers owning.
- Tighten the patch and retest cycle to twenty-four hours for critical issues and seven days for high severity, with every patch confirmed by independent retesting rather than assumed complete.
- Update fraud detection to recognise AI generated content, specifically synthetic identity onboarding and deepfake KYC submissions, both now active rather than theoretical risks.
- Review every vendor portal used for loan origination, collections, or analytics, prioritising any portal not reassessed recently and watching internet exposed admin consoles closely.
- Build one incident response runbook that satisfies the RBI, CERT-In, and the Data Protection Board simultaneously, and test it through a table top exercise rather than leaving it unopened.
These five controls map directly onto what RBI examiners look for during an IT governance review, and most of the work is procedural rather than capital intensive.
AMC and Mutual Fund Checklist: A Four Week Sprint
Asset Management Companies sit at an unusual intersection of risk. They hold investor identity and financial data directly, depend heavily on Registrar and Transfer Agents and a distributor network they do not fully control, and following SEBI's May 2026 circular, now operate under a statutory obligation rather than a voluntary best practice. The work below is a sprint because SEBI's tone leaves little room to treat this as a longer-term roadmap item.
- Week one. Complete a gap assessment against SEBI's Cyber Security and Cyber Resilience Framework, including AMFI aligned operational controls.
- Week two. Run an external attack surface scan covering transfer agent interfaces and investor portals, since these sit outside the AMC's direct control but remain squarely inside its risk surface.
- Week three. Draft a Zero Trust roadmap, piloted first in the portfolio management or fund accounting layer, where unauthorised access carries the highest financial consequence.
- Week four. Finalise an incident response plan, run a table top exercise against it, and secure a board attestation confirming the work is actually done, not merely acknowledged.
One additional item belongs alongside this sprint: refresh distributor and RTA contracts with updated security clauses, since outdated access controls on a partner administered portal can expose investor identifiers and transaction histories for a large pool of unitholders. Pair that with a focused red team exercise on the investor facing portal, since this is the surface most likely to draw direct attacker attention.
What Connects All Four
Strip away the regulator names, and the same three disciplines show up everywhere, just at different depth depending on sector risk. Patch speed is compressing across the board, moving from a thirty-day default toward windows measured in single digit days or hours. Vendor and third-party exposure is consistently where the worst findings concentrate, whether the vendor is a TPA, a loan origination platform, or a transfer agent. And every sector here is converging on the same structural fix: one incident response process built to satisfy every regulator at once, rather than separate documents never tested under pressure.

Looking Ahead
Continuous monitoring is likely to stop being the advanced option and become baseline across all four sectors, particularly around vendor relationships, where most of the real risk now sits. Detection capability for AI generated content, in phishing, fraud, or KYC submissions, will probably follow the same path from differentiator to standard requirement, since the regulators driving this shift show no sign of treating AI driven threats as temporary.
Conclusion
None of these four sectors are working from the same playbook, and they should not be. An MSME's eight controls would be wildly insufficient for an insurer sitting on policyholder medical records, and an AMC's four-week sprint would be overkill for a small manufacturer with no customer facing application. What holds across all four is the underlying logic: patch faster than your attackers can exploit, treat vendor and partner access as a first-class risk, and build one incident response plan that works across every regulator who might come asking. Pick the checklist that matches your organisation, work through it this quarter, and the next audit conversation should be considerably shorter than the last one.
Frequently Asked Questions
1. Is the basic MSME checklist enough to satisfy data protection requirements?
For most small and medium enterprises, yes, provided the controls are documented and staff trained on them.
2. Does IRDAI require continuous security testing from insurers?
The current guidelines allow a risk-based interpretation rather than mandating it outright, but recent amendments make the regulator's preference clear.
3. How do NBFCs reconcile RBI requirements with CERT-In advisories?
The two reinforce each other. RBI's Master Direction sets the governance framework, while CERT-In's advisories set the operational tempo on patching speed.
4. Is a four-week sprint enough for an AMC to be considered compliant?
It establishes the immediate response SEBI's circular calls for. Sustained compliance depends on continuing through regular monitoring and periodic refreshes of distributor relationships.
5. What single control matters most across all four sectors?
A tightened patch cycle paired with a current vendor and third-party audit. Outdated vendor access and slow patching consistently account for the largest share of serious findings.