The Job the Guidelines Hand to a Broker's Security Lead
IRDAI's revised cyber security guidelines have done something quietly transformative for a broking firm: they have created, or upgraded, a job. Where information security at many brokers was an unnamed responsibility shared between an IT manager and whoever happened to care, the guidelines now require a Chief Information Security Officer, or a proportionate senior equivalent, with a defined mandate, an independent reporting line, and a body of work they must complete and evidence every year. This article is written for the person who holds that role and the board they report to, and it treats the guidelines as a workplan rather than a legal summary.
The defining feature of the role is its independence. The guidelines require the security lead to be separated from the IT function and barred from carrying business or revenue targets. The logic is structural: a security lead who reports into the head of IT cannot objectively challenge an IT decision that trades security for speed, and one who carries a sales number faces a conflict every time caution would cost a deal. So the first deliverable is not technical at all. It is a clean reporting line, a written remit, and the standing to escalate a concern past the people whose work the CISO must scrutinise.
From that mandate flow four recurring streams of work that the rest of this piece treats in turn: a vulnerability-assessment and penetration-testing cadence that proves the firm's defences actually hold; an annual independent security audit that an external assessor signs, with any non-conformities tracked to closure on a defined clock; a tested incident-response lifecycle that turns a breach into a managed sequence of detect, contain, notify and recover rather than a scramble; and a board reporting rhythm that converts all of the above into decisions the directors own. Around these sits the firm's data-protection position, because the guidelines are designed to dovetail with the Digital Personal Data Protection Act, 2023 and the DPDP Rules, 2025, so a breach of personal data engages both the sectoral notification duty and the data-protection law at once.
Building the CISO Mandate and the Board Reporting Line
The first stream of the CISO's workplan is to make the role real, because an independent security lead on paper who cannot influence anything is the failure mode the guidelines are written against.
Positioning the role so independence is genuine
In a large broking firm this is a dedicated, full-time CISO sitting outside the IT reporting line and outside the revenue-carrying business. In a smaller firm that lacks the scale for a full-time appointment, the substance still has to hold: a named security leader, however resourced, who does not report to whoever runs the firm's systems and who carries no sales target. Whatever the structure, three things must be true. The security lead has a written remit that names their authority. They have a route to escalate directly to the board or its governing body without passing through the functions they oversee. And they hold a budget line, or a clear claim on one, so that a security need is not silently overruled by an operations priority.
What the board now owns
The guidelines pull the board into the picture deliberately. The board (or the governing body of a smaller intermediary) must approve the firm's information and cyber security policy, allocate budget proportionate to the threat the firm faces, review the findings of the security audit, and ensure identified gaps are closed within a defined period rather than left open indefinitely. This is the accountability hinge of the whole regime: cyber security becomes a board-owned enterprise risk sitting alongside financial and operational risk, not a technical chore delegated downwards and forgotten.
The reporting rhythm that makes oversight real
Between the CISO and the board sits a security committee that must convene at least quarterly. The quarterly cadence is the point: it forces a recurring, current review rather than an annual glance. For the CISO, the practical task is to give that committee, and through it the board, something they can actually decide on. A board pack that is a wall of technical alerts is useless; a board pack built around a short set of key risk indicators, open audit non-conformities and their closure dates, the status of the VAPT programme, incident counts and lessons, and the standing of the data-protection position, is something directors can govern with. The CISO's reporting is the mechanism that turns a regulatory obligation into board decisions about budget, risk appetite and remediation priority.
Proportionality without dilution
The guidelines recognise that a fifteen-person broking firm is not a large carrier, and proportionality is built in. But proportionality scales the resourcing, not the principle. A smaller intermediary may meet the role through a shared or appropriately structured external arrangement, but the independence, the board reporting line and the closure discipline are not optional, and the firm should confirm the regulator's specific expectations for its category rather than assume its size exempts it.
VAPT, the Annual Audit and the Incident-Response Lifecycle
With the role and reporting line in place, the CISO's recurring technical and assurance work falls into three connected streams that the board pack ultimately summarises.
A vulnerability-assessment and penetration-testing cadence
Controls that are asserted but never tested are controls the firm cannot stand behind. The CISO should run a regular vulnerability-assessment and penetration-testing programme, VAPT, that probes the firm's externally facing systems, its client portals, and its internal network for exploitable weaknesses, on a defined cadence rather than once before an audit. A sensible rhythm is periodic automated vulnerability scanning of the estate, with deeper penetration testing, and where justified a red-team exercise, at a planned interval and after any material change to systems. The output that matters is not the raw finding list but a tracked remediation register: each vulnerability rated, owned, and closed against a target date, with the high-severity items escalated to the committee. VAPT is also the evidence base that makes the annual audit defensible, because it demonstrates the firm tests itself between audits rather than waiting to be told.
The annual independent audit and closing non-conformities on the clock
The firm must undergo an annual independent audit of its information-security posture, signed by an external assessor rather than self-certified. For the CISO this is a managed event, not a surprise: maintain control documentation, access logs, the VAPT remediation register, incident records and committee minutes continuously, so the audit is a demonstration of an existing posture rather than a frantic assembly of evidence. The audit will surface non-conformities, and the defining discipline is that these are closed within a defined period under board oversight, not parked. The CISO owns the closure register; the board owns the accountability for it being worked down. Because demand for competent insurance-sector auditors rises as the whole market comes into compliance, engaging an assessor early is itself part of the workplan.
A tested incident-response lifecycle
A cyber incident triggers an obligation to notify IRDAI promptly and to mitigate against recurrence, and where personal data is involved the DPDP breach-notification duties run in parallel. The CISO's job is to convert that obligation into a rehearsed lifecycle: detect (which depends on logging and monitoring being in place), contain the incident to limit spread, assess its scope enough to report, notify the regulator and, where their data is affected, corporate clients within the expected timeframes, remediate the root cause, and review to feed lessons back into controls. The point is that this lifecycle exists and is tested before it is needed. A tabletop exercise that walks the firm through a realistic breach, who declares the incident, who decides to notify, who speaks to clients, exposes the gaps an untested plan hides, and an untested plan tends to fail at the moment it matters.
Assurance the firm can hand to its clients
These three streams also produce something the firm's corporate clients increasingly ask for. A buyer placing sensitive asset, claims and employee data through a broker is entitled to ask whether the firm is compliant, who its independent CISO is, when it was last audited and whether material non-conformities were closed, how a breach affecting client data would be notified, and how the firm's controls align with its DPDP obligations. A CISO running a real VAPT, audit and incident-response programme can answer those questions with evidence, which is fast becoming a commercial differentiator as well as a regulatory duty, particularly where a chain breach raises questions about whose cyber insurance responds.
Turning the Streams Into a Year-Round Operating Calendar
The streams above are only as good as the rhythm the CISO holds them to. The firms that come out of this well are those whose security lead runs the year as a calendar rather than a series of fire drills, so the regulator, the auditor and the firm's clients all meet a posture that already exists.
The spine of that calendar is the quarterly security committee. Each meeting should work a standing agenda: the current key-risk-indicator dashboard, movement on the VAPT remediation register, the status of open audit non-conformities against their closure dates, any incidents since the last meeting and the lessons taken, the data-protection position, and any budget or resourcing decision the CISO needs the board to take. Between meetings, the three living registers, vulnerabilities, audit non-conformities and incidents, are kept current rather than reconstructed, so the next board pack assembles itself.
Layered onto that rhythm are the dated events. The annual independent audit is scheduled with the assessor engaged well ahead, given the competition for qualified auditors. The VAPT cadence is planned across the year, with extra testing triggered by any material system change. At least one incident-response tabletop is run and its findings fed back into the plan, because a lifecycle that is never rehearsed is a lifecycle that fails on the day. And the infrastructure-heavy controls that the guidelines phase in over a longer window are run as a tracked programme with milestones, not deferred until the audit notices they are missing.
The discipline that underpins all of it is knowing exactly what client data the firm holds, where it sits and who can reach it, because a CISO cannot test, audit or defend a data estate they cannot see. The more a broking firm's sensitive work, client submissions, policy wordings, claims files, is scattered across inboxes, shared drives and personal devices, the larger and less defensible the attack surface the CISO has to secure, and the harder every VAPT, audit and incident-scoping exercise becomes.
This is where the firm's tooling either helps or hurts the CISO's job. Sarvada gives commercial-insurance brokers and corporate risk teams structured, searchable access to insurer wordings and the intelligence around them on a platform built for the secure, organised handling of insurance information, with tenant isolation, no sharing of client data with rivals and no sale of data, so the analytical core of broking lives in a controlled, access-governed place rather than expanding the data sprawl the CISO must defend. Broker CISOs and the boards they report to who want their wordings and analytics work to sit inside, not outside, their security perimeter can Request Access to evaluate the platform.