Software Escrow
October 9, 2025

Insurance relies on trust. Every policy issued, claim settled, and premium collected depends on systems that process, store, and protect large volumes of sensitive data. Recognising this, the Insurance Regulatory and Development Authority of India (IRDAI) has broadened its supervisory focus from financial stability alone to include IT governance, cybersecurity, and operational resilience.
In recent years, IRDAI has released several circulars and guidelines, including the Information and Cyber Security Guidelines (2017) and the Corporate Governance Framework (2022), requiring insurers to enhance their technology practices. The intent is clear: insurers must ensure business continuity, protect customer data, and uphold accountability, even if a third-party vendor fails.
This is where Software Escrow becomes crucial. It is more than just a legal safeguard; it serves as a compliance tool. Let’s look at what IRDAI expects from insurers and how escrow solutions like CastlerCode can help them meet these expectations.
IRDAI’s IT Governance Framework: What It Covers
IRDAI’s IT governance requirements revolve around three key pillars: accountability, resilience, and transparency. These pillars define how insurers need to manage technology vendors, digital platforms, and essential systems.
1. Accountability
Insurers are accountable for the security and functionality of their IT systems, regardless of whether they outsource these services. IRDAI expects insurers to take clear ownership of data, source code, and system access. This ownership ensures they can continue operations without relying on a vendor if it fails or stops providing support.
2. Resilience
Business continuity is essential. Insurers must be prepared to recover vital systems quickly during disruptions. This preparation includes having updated backups, verified recovery plans, and independent access to the source code for core applications, particularly those developed by third-party vendors.
3. Transparency
Every technology decision, including vendor onboarding, software deployment, and access permissions, must be traceable. Insurers must keep audit trails and make them available for regulatory review at any time.
Together, these requirements push insurers to go beyond mere contracts and establish control over technology, which is where escrow agreements become significant.
Why IRDAI Mandates Make Software Escrow a Compliance Essential
Under IRDAI’s IT governance guidelines, insurers cannot completely depend on vendors for critical applications. They need to maintain independent control over business continuity.
What happens if a technology provider goes bankrupt, stops support, or neglects to maintain the software? This poses a direct regulatory risk, which software escrow can mitigate.
Here’s how it works:
Source Code Access: Escrow gives insurers access to the source code of vital applications once agreed release conditions are met (for example, vendor insolvency or withdrawal of support).
Continuity of Operations: Even if the vendor fails, insurers can continue running, maintaining, or migrating the application on their own or through a replacement vendor.
Regulatory Assurance: A valid, maintained escrow arrangement is evidence that the insurer is managing vendor and IT risk in line with IRDAI’s governance expectations.
In summary, escrow turns a contractual commitment into an operational safeguard.
Breaking Down IRDAI’s Vendor Risk Expectations
A significant part of IRDAI’s compliance focus is third-party vendor risk. According to the IRDAI Guidelines on Outsourcing of Activities by Insurers, every insurer must ensure that outsourcing does not jeopardize policyholder interests or data security.
Key points include:
The insurer is ultimately responsible for outsourced functions.
Critical software assets created by vendors must have escrow arrangements to ensure continuity.
Vendors must provide regular updates and certifications regarding the maintenance of source code and system integrity.
Contracts must specify exit clauses and procedures for handling data and intellectual property.
By setting up an escrow mechanism with providers like CastlerCode, insurers create a regulatory safeguard that ensures they always have verified, up-to-date source code stored safely and accessible when needed.
How Software Escrow Fits into IRDAI’s Compliance Ecosystem
Let’s examine how escrow connects with specific elements of IRDAI’s IT governance framework.
1. Business Continuity and Disaster Recovery
IRDAI requires insurers to keep tested Business Continuity Plans (BCP) and Disaster Recovery (DR) systems in place. Software Escrow supports this by ensuring access to the underlying source code, allowing insurers to rebuild or move systems if the vendor fails.
2. Vendor Management and Exit Strategy
The authority requires insurers to have exit plans for critical technology partnerships. Escrow makes these exit strategies workable by providing insurers with the codebase and documentation necessary for a smooth transition.
3. Data Localisation and Access Control
IRDAI expects all critical data, including software repositories, to meet localisation and security standards. Escrow solutions like CastlerCode store materials across multiple secured cloud locations, ensuring both compliance with local data laws and redundancy.
4. Regulatory Audit Readiness
With thorough audit logs and document management, escrow providers allow insurers to demonstrate compliance during regulatory checks. Every source code deposit, update, and access event is recorded and can be verified.
5. Legal and Contractual Assurance
Escrow agreements are legally binding documents that specify the conditions under which source code can be released to the insurer. This clarity aligns with IRDAI’s demand for transparent, contract-supported control measures.
CastlerCode’s Role in IRDAI-Aligned Compliance
Most escrow services simply store source code, but CastlerCode goes much further by aligning its infrastructure and operations with Indian regulatory requirements, particularly those relevant to the insurance sector.
Cloud-Native and Data Localised Storage
CastlerCode stores escrow materials on major cloud providers located in India, ensuring compliance with data localisation rules. Multi-location redundancy adds extra resilience for business continuity.
Integration with Development Platforms
It supports GitHub, GitLab, and Bitbucket, enabling automatic escrow deposits with every software update. This removes the need for manual submissions and keeps escrow materials up to date.
In-House Technical Verification
Each escrow deposit is technically verified for completeness and usability, so that the escrowed material is not merely stored but can actually be built and run when it is needed.
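As an added illustration of what a completeness check on a deposit can look like (this is example code written for this article, not CastlerCode’s verification tooling or anything from its platform): the manifest step would run on each automated deposit taken from the repository, and the verification step compares a later retrieval against that manifest, reporting missing, modified, or unexpected files, plus any items absent from a required-documentation checklist. The `REQUIRED_FILES` list, the excluded directories, the directory layout, and the sample files are assumptions constructed for the demonstration.

```python
"""Build and verify an integrity manifest for a source-code escrow deposit.

Example code for this article; assumes a plain directory snapshot of the
repository and a hypothetical REQUIRED_FILES completeness checklist.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path

# Directories that should never be part of a deposit (assumed policy).
EXCLUDED_DIRS = {".git", "node_modules", "__pycache__"}
# Documentation the escrow agreement requires with every deposit (assumed).
REQUIRED_FILES = ("README.md", "BUILD.md")


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large artefacts do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Hash every file under root (minus excluded dirs) in a stable order.

    manifest_sha256 is a single value over the whole file map; this is what
    would be recorded in the audit log (and ideally signed) for the deposit.
    """
    files = {}
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune excluded directories in place so os.walk never descends into them.
        dirnames[:] = sorted(d for d in dirnames if d not in EXCLUDED_DIRS)
        for name in sorted(filenames):
            path = Path(dirpath) / name
            files[path.relative_to(root).as_posix()] = sha256_file(path)
    canonical = json.dumps(files, sort_keys=True).encode()
    return {"files": files, "manifest_sha256": hashlib.sha256(canonical).hexdigest()}


def verify_deposit(root: Path, manifest: dict) -> dict:
    """Compare a retrieved deposit against its manifest and the checklist."""
    current = build_manifest(root)["files"]
    expected = manifest["files"]
    missing = sorted(set(expected) - set(current))
    extra = sorted(set(current) - set(expected))
    modified = sorted(f for f in expected.keys() & current.keys()
                      if expected[f] != current[f])
    missing_required = sorted(r for r in REQUIRED_FILES if r not in current)
    return {
        "ok": not (missing or extra or modified or missing_required),
        "missing": missing,
        "extra": extra,
        "modified": modified,
        "missing_required": missing_required,
    }


def demo() -> tuple:
    """Constructed scenario: a clean deposit, then a tampered retrieval."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "src").mkdir()
        (root / "src" / "app.py").write_text("print('hello')\n")
        (root / "README.md").write_text("# Demo\n")
        (root / "BUILD.md").write_text("python src/app.py\n")
        # Git metadata must be excluded from the manifest.
        (root / ".git").mkdir()
        (root / ".git" / "HEAD").write_text("ref: refs/heads/main\n")

        manifest = build_manifest(root)
        clean = verify_deposit(root, manifest)

        # Simulate a bad retrieval: edited source, lost build doc, stray file.
        (root / "src" / "app.py").write_text("print('tampered')\n")
        (root / "BUILD.md").unlink()
        (root / "src" / "extra.py").write_text("x = 1\n")
        tampered = verify_deposit(root, manifest)
        return manifest, clean, tampered


if __name__ == "__main__":
    manifest, clean, tampered = demo()
    print("manifest:", manifest["manifest_sha256"])
    print("clean deposit ok:", clean["ok"])
    print("tampered retrieval:", json.dumps(tampered, indent=2))
```

The manifest digest is the value to record in the deposit’s audit trail; re-deriving it from a retrieval proves the material is byte-for-byte what was deposited. This covers completeness and integrity only; the usability part of verification, building and running the application from the deposit in a clean environment, is a separate step this script does not perform.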
Audit Trails and Access Control
Every access, deposit, and verification event is recorded in the CastlerCode portal. Only authorised users from the insurer and CastlerCode’s legal custodians can view or change records, so every action is attributable and reviewable.
Legal Documentation and IRDAI Alignment
CastlerCode offers dedicated legal support for creating and maintaining escrow agreements, ensuring that clauses align with IRDAI guidelines on vendor governance and IT control.
Why Insurers Are Moving Toward Escrow-Backed Governance
For many insurers, adopting software escrow is no longer just a necessity; it is strategic. Here’s why.
First, compliance pressure has grown. Regulators now examine not only financial statements but also the state of IT governance. A heavy reliance on a single vendor can be seen as a systemic risk.
Second, cyber incidents and vendor bankruptcies are increasing worldwide. In the insurance sector, a malfunctioning system can directly impact claim settlements, policy renewals, and customer trust.
Third, the push for digital transformation has sped up. Insurers rely heavily on SaaS platforms, third-party APIs, and cloud-hosted systems. Without escrow, they struggle to recover or migrate critical systems independently.
By incorporating escrow into their IT governance framework, insurers can ensure compliance, resilience, and operational independence, all in line with IRDAI’s goals.
The Broader Impact: From Compliance to Confidence
The real value of escrow extends beyond just meeting IRDAI guidelines. It builds confidence within management, with regulators, and with vendors.
When an insurer puts escrow in place, it signifies maturity in governance. It indicates that the organization prioritizes technology continuity, respects regulatory oversight, and has a solid plan for managing vendor risk.
In essence, escrow transforms compliance from a reactive measure into a proactive assurance, and a clear sign of resilience.
Conclusion
IRDAI’s IT governance requirements have changed how insurers view technology partnerships. Today, compliance isn’t merely about legal checkboxes; it’s about demonstrating the ability to withstand disruptions, protect data, and maintain service continuity.
Software Escrow, particularly via platforms like CastlerCode, is essential for meeting these expectations. With secure cloud storage, automated integrations, legal documentation, and in-house verification, it helps insurers put compliance into action instead of just keeping records.
If you’re an insurer, TPA, or tech vendor operating within IRDAI’s regulatory framework, now is the time to take action. Strengthen your IT governance and protect your intellectual property and customer trust. Discover how CastlerCode’s escrow solutions can help you establish a compliant, resilient, and trusted digital foundation.
Written by Chhalak Pathak, Marketing Manager