Express Computer
Building Trust at Scale: Inside Policybazaar’s cybersecurity strategy for a digital-first insurance economy

As India’s insurance ecosystem rapidly shifts to digital platforms, trust has emerged as the single most critical currency. For insurtech leaders like Policybazaar, cybersecurity is no longer a backend IT function—it is a core business capability that underpins customer confidence, regulatory compliance, and sustainable growth. Handling vast volumes of sensitive personal data, financial transactions, and insurer integrations, the company operates in a high-stakes digital environment where resilience and trust go hand in hand.

In this exclusive interview, Devinder Singh, Head IT Infra and SecOps, Policybazaar, shares how the company has built a cybersecurity strategy anchored in trust, resilience, and scalability—designed not just to protect systems, but to safeguard the digital insurance journey itself.


How do you define Policybazaar’s overall cybersecurity strategy in the context of a large insurtech platform handling sensitive customer data and financial transactions?

At Policybazaar, cybersecurity is not viewed as a defensive IT function or a technical constraint—it is a strategic business enabler. As a large-scale insurtech platform, we operate at the intersection of customer trust, sensitive personal data, financial transactions, insurer integrations, and a constantly evolving regulatory environment. Our responsibility goes beyond safeguarding systems; it is about protecting confidence in the digital insurance journey.

Our cybersecurity strategy is anchored in three core principles: trust, resilience, and scalability.

Trust begins at the design stage. We follow a privacy-by-design and security-by-default philosophy across our platforms. Every customer interaction—whether policy discovery, onboarding, payment processing, or claims support—is architected with data protection as a foundational requirement. Operating in a cloud-first, API-driven ecosystem, we place strong emphasis on identity controls, encryption, secure partner integrations, and continuous, intelligence-driven monitoring.

Resilience is equally critical. In today’s threat landscape, the question is not if an attack will happen, but when. Our security posture assumes eventual breach scenarios, which is why we prioritise early detection, rapid containment, and swift recovery. Even under adverse conditions, business continuity, customer experience, and regulatory compliance must remain intact. For a high-growth insurtech platform, cybersecurity must scale seamlessly with the business—strengthening protection without slowing innovation—and striking that balance defines our approach.

How do you ensure that cybersecurity isn’t just an IT issue but a business priority integrated into enterprise risk management?

Cyber risk at Policybazaar is treated on par with financial, operational, and reputational risk. It is fundamentally a board-level business concern, not an isolated IT issue.

This integration starts with leadership engagement. Cyber risk discussions are directly aligned with business priorities such as customer growth, ecosystem expansion, uptime commitments, fraud prevention, and regulatory compliance. We consciously translate security metrics into business outcomes—impact on customer trust, service availability, financial exposure, and compliance—so decisions are driven by risk and value rather than tools or technologies.

Security is also embedded into everyday business processes. New product launches, partner onboarding, and technology changes undergo structured security and risk assessments. Our governance frameworks are aligned with evolving regulatory requirements, including the Digital Personal Data Protection (DPDP) Act and IRDAI guidelines. Accountability for cybersecurity is shared across technology, product, operations, and compliance teams. When security becomes part of how decisions are made—rather than something reviewed after the fact—it naturally becomes a business priority.

How do you manage identity and access management (IAM) at scale, particularly for privileged accounts and third-party integrations?

In an insurance aggregator ecosystem, traditional network perimeters no longer exist. Identity has become the primary security control plane, and our IAM strategy reflects this shift.

We manage identity and access at scale by enforcing least privilege, continuous verification, and automation. Internal users, privileged administrators, insurer partners, and third-party integrations are all governed under a zero-trust framework, where no identity is trusted by default—irrespective of role or location.

Privileged access receives the highest level of scrutiny. We implement role-based access controls, just-in-time access provisioning, multi-factor authentication, and continuous session monitoring. Privileged identities are treated as high-risk assets, supported by enhanced logging, periodic access reviews, and strict lifecycle management to prevent privilege creep.

For third-party and partner integrations, security is enforced through secure API frameworks, strong authentication mechanisms, and clearly defined contractual security obligations. Automation plays a crucial role in ensuring timely and accurate access provisioning and de-provisioning—an essential requirement in a fast-growing, dynamic digital environment like ours.

Finally, what advice would you share with other IT and security leaders in high-growth digital businesses about building resilient, scalable, and adaptive security programs?

If there is one key lesson for CIOs and CISOs, it is this: don’t chase tools—build strong foundations.

High-growth digital businesses often outpace their security maturity, not due to negligence, but because scale arrives faster than governance. Cybersecurity must be approached as a people, process, and culture challenge, not just a technology problem. The human factor remains the most exploited attack surface—especially in an era of AI-driven phishing, social engineering, and deepfakes. Continuous awareness, behavioural reinforcement, and a strong security culture are non-negotiable.

At the same time, security architectures must be designed to scale. Automation, identity-centric controls, and cloud-native security capabilities are no longer optional—they are foundational. Security should enable speed and innovation, not become a bottleneck.

Finally, adaptability is critical. Threats evolve, regulations mature, and business models change. The most resilient security programs remain risk-led, adaptive, and closely aligned with business outcomes. In the digital insurance economy, trust is the ultimate differentiator—and cybersecurity is central to sustaining that trust.
