Regulation & Compliance

The Broker CISO's 2026 Workplan: Running the Audit, VAPT and Board-Reporting Side of IRDAI's Cyber Security Guidelines

IRDAI's revised cyber security guidelines hand a broking firm's Chief Information Security Officer a defined annual workplan: an independent reporting line free of business targets, a vulnerability-assessment and penetration-testing cadence, an annual third-party security audit with non-conformities closed on the clock, a tested incident-response lifecycle, and a board pack that turns all of it into decisions. This piece is written for the broker CISO and the board they answer to, setting out how to operationalise audit, VAPT and reporting rather than restating the rule text.

Sarvada Editorial TeamInsurance Intelligence
9 min read

Listen to this article

Audio version • 9 min read

irdai-cyber-securityinformation-securitybroker-compliancecisoincident-notificationdpdpintermediary-obligationscyber-audit

Last reviewed: June 2026

The Job the Guidelines Hand to a Broker's Security Lead

IRDAI's revised cyber security guidelines have done something quietly transformative for a broking firm: they have created, or upgraded, a job. Where information security at many brokers was an unnamed responsibility shared between an IT manager and whoever happened to care, the guidelines now require a Chief Information Security Officer, or a proportionate senior equivalent, with a defined mandate, an independent reporting line, and a body of work they must complete and evidence every year. This article is written for the person who holds that role and the board they report to, and it treats the guidelines as a workplan rather than a legal summary.

The defining feature of the role is its independence. The guidelines require the security lead to be separated from the IT function and barred from carrying business or revenue targets. The logic is structural: a security lead who reports into the head of IT cannot objectively challenge an IT decision that trades security for speed, and one who carries a sales number faces a conflict every time caution would cost a deal. So the first deliverable is not technical at all. It is a clean reporting line, a written remit, and the standing to escalate a concern past the people whose work the CISO must scrutinise.

From that mandate flow four recurring streams of work that the rest of this piece treats in turn: a vulnerability-assessment and penetration-testing cadence that proves the firm's defences actually hold; an annual independent security audit that an external assessor signs, with any non-conformities tracked to closure on a defined clock; a tested incident-response lifecycle that turns a breach into a managed sequence of detect, contain, notify and recover rather than a scramble; and a board reporting rhythm that converts all of the above into decisions the directors own. Around these sits the firm's data-protection position, because the guidelines are designed to dovetail with the Digital Personal Data Protection Act, 2023 and the DPDP Rules, 2025, so a breach of personal data engages both the sectoral notification duty and the data-protection law at once.

Building the CISO Mandate and the Board Reporting Line

The first stream of the CISO's workplan is to make the role real, because an independent security lead on paper who cannot influence anything is the failure mode the guidelines are written against.

Positioning the role so independence is genuine

In a large broking firm this is a dedicated, full-time CISO sitting outside the IT reporting line and outside the revenue-carrying business. In a smaller firm that lacks the scale for a full-time appointment, the substance still has to hold: a named security leader, however resourced, who does not report to whoever runs the firm's systems and who carries no sales target. Whatever the structure, three things must be true. The security lead has a written remit that names their authority. They have a route to escalate directly to the board or its governing body without passing through the functions they oversee. And they hold a budget line, or a clear claim on one, so that a security need is not silently overruled by an operations priority.

What the board now owns

The guidelines pull the board into the picture deliberately. The board (or the governing body of a smaller intermediary) must approve the firm's information and cyber security policy, allocate budget proportionate to the threat the firm faces, review the findings of the security audit, and ensure identified gaps are closed within a defined period rather than left open indefinitely. This is the accountability hinge of the whole regime: cyber security becomes a board-owned enterprise risk sitting alongside financial and operational risk, not a technical chore delegated downwards and forgotten.

The reporting rhythm that makes oversight real

Between the CISO and the board sits a security committee that must convene at least quarterly. The quarterly cadence is the point: it forces a recurring, current review rather than an annual glance. For the CISO, the practical task is to give that committee, and through it the board, something they can actually decide on. A board pack that is a wall of technical alerts is useless; a board pack built around a short set of key risk indicators, open audit non-conformities and their closure dates, the status of the VAPT programme, incident counts and lessons, and the standing of the data-protection position, is something directors can govern with. The CISO's reporting is the mechanism that turns a regulatory obligation into board decisions about budget, risk appetite and remediation priority.

Proportionality without dilution

The guidelines recognise that a fifteen-person broking firm is not a large carrier, and proportionality is built in. But proportionality scales the resourcing, not the principle. A smaller intermediary may meet the role through a shared or appropriately structured external arrangement, but the independence, the board reporting line and the closure discipline are not optional, and the firm should confirm the regulator's specific expectations for its category rather than assume its size exempts it.

VAPT, the Annual Audit and the Incident-Response Lifecycle

With the role and reporting line in place, the CISO's recurring technical and assurance work falls into three connected streams that the board pack ultimately summarises.

A vulnerability-assessment and penetration-testing cadence

Controls that are asserted but never tested are controls the firm cannot stand behind. The CISO should run a regular vulnerability-assessment and penetration-testing programme, VAPT, that probes the firm's externally facing systems, its client portals, and its internal network for exploitable weaknesses, on a defined cadence rather than once before an audit. A sensible rhythm is periodic automated vulnerability scanning of the estate, with deeper penetration testing, and where justified a red-team exercise, at a planned interval and after any material change to systems. The output that matters is not the raw finding list but a tracked remediation register: each vulnerability rated, owned, and closed against a target date, with the high-severity items escalated to the committee. VAPT is also the evidence base that makes the annual audit defensible, because it demonstrates the firm tests itself between audits rather than waiting to be told.

The annual independent audit and closing non-conformities on the clock

The firm must undergo an annual independent audit of its information-security posture, signed by an external assessor rather than self-certified. For the CISO this is a managed event, not a surprise: maintain control documentation, access logs, the VAPT remediation register, incident records and committee minutes continuously, so the audit is a demonstration of an existing posture rather than a frantic assembly of evidence. The audit will surface non-conformities, and the defining discipline is that these are closed within a defined period under board oversight, not parked. The CISO owns the closure register; the board owns the accountability for it being worked down. Because demand for competent insurance-sector auditors rises as the whole market comes into compliance, engaging an assessor early is itself part of the workplan.

A tested incident-response lifecycle

A cyber incident triggers an obligation to notify IRDAI promptly and to mitigate against recurrence, and where personal data is involved the DPDP breach-notification duties run in parallel. The CISO's job is to convert that obligation into a rehearsed lifecycle: detect (which depends on logging and monitoring being in place), contain the incident to limit spread, assess its scope enough to report, notify the regulator and, where their data is affected, corporate clients within the expected timeframes, remediate the root cause, and review to feed lessons back into controls. The point is that this lifecycle exists and is tested before it is needed. A tabletop exercise that walks the firm through a realistic breach, who declares the incident, who decides to notify, who speaks to clients, exposes the gaps an untested plan hides, and an untested plan tends to fail at the moment it matters.

Assurance the firm can hand to its clients

These three streams also produce something the firm's corporate clients increasingly ask for. A buyer placing sensitive asset, claims and employee data through a broker is entitled to ask whether the firm is compliant, who its independent CISO is, when it was last audited and whether material non-conformities were closed, how a breach affecting client data would be notified, and how the firm's controls align with its DPDP obligations. A CISO running a real VAPT, audit and incident-response programme can answer those questions with evidence, which is fast becoming a commercial differentiator as well as a regulatory duty, particularly where a chain breach raises questions about whose cyber insurance responds.

Turning the Streams Into a Year-Round Operating Calendar

The streams above are only as good as the rhythm the CISO holds them to. The firms that come out of this well are those whose security lead runs the year as a calendar rather than a series of fire drills, so the regulator, the auditor and the firm's clients all meet a posture that already exists.

The spine of that calendar is the quarterly security committee. Each meeting should work a standing agenda: the current key-risk-indicator dashboard, movement on the VAPT remediation register, the status of open audit non-conformities against their closure dates, any incidents since the last meeting and the lessons taken, the data-protection position, and any budget or resourcing decision the CISO needs the board to take. Between meetings, the three living registers, vulnerabilities, audit non-conformities and incidents, are kept current rather than reconstructed, so the next board pack assembles itself.

Layered onto that rhythm are the dated events. The annual independent audit is scheduled with the assessor engaged well ahead, given the competition for qualified auditors. The VAPT cadence is planned across the year, with extra testing triggered by any material system change. At least one incident-response tabletop is run and its findings fed back into the plan, because a lifecycle that is never rehearsed is a lifecycle that fails on the day. And the infrastructure-heavy controls that the guidelines phase in over a longer window are run as a tracked programme with milestones, not deferred until the audit notices they are missing.

The discipline that underpins all of it is knowing exactly what client data the firm holds, where it sits and who can reach it, because a CISO cannot test, audit or defend a data estate they cannot see. The more a broking firm's sensitive work, client submissions, policy wordings, claims files, is scattered across inboxes, shared drives and personal devices, the larger and less defensible the attack surface the CISO has to secure, and the harder every VAPT, audit and incident-scoping exercise becomes.

This is where the firm's tooling either helps or hurts the CISO's job. Sarvada gives commercial-insurance brokers and corporate risk teams structured, searchable access to insurer wordings and the intelligence around them on a platform built for the secure, organised handling of insurance information, with tenant isolation, no sharing of client data with rivals and no sale of data, so the analytical core of broking lives in a controlled, access-governed place rather than expanding the data sprawl the CISO must defend. Broker CISOs and the boards they report to who want their wordings and analytics work to sit inside, not outside, their security perimeter can Request Access to evaluate the platform.

Frequently Asked Questions

What is the broker CISO's actual annual workplan under the 2026 guidelines?
It resolves into four recurring streams plus the role itself. The role first: stand up the CISO, or a proportionate senior equivalent in a smaller firm, with a written remit, an independent reporting line separated from IT and free of any business or revenue target, and the standing to escalate directly to the board. Stream one is a vulnerability-assessment and penetration-testing cadence, VAPT, that probes the firm's external systems, client portals and internal network on a planned interval rather than only before an audit, feeding a remediation register where each finding is rated, owned and closed against a date. Stream two is the annual independent security audit, signed by an external assessor, whose non-conformities the CISO tracks to closure within a defined period under board oversight, keeping documentation current so the audit demonstrates an existing posture rather than a scramble. Stream three is a tested incident-response lifecycle, detect, contain, assess, notify, remediate, review, rehearsed through tabletop exercises so the firm can meet the prompt notification to IRDAI and, where personal data is involved, the parallel DPDP duties. Stream four is the board reporting rhythm: a quarterly security committee working a standing agenda and a board pack built from key risk indicators and the live registers. Run as a year-round calendar rather than a set of fire drills, these streams convert the guidelines from a document into dated, evidenced deliverables.
How should a broker CISO report to the board so oversight is real, not a rubber stamp?
The CISO sits between the firm's security work and a board that must now own cyber risk, and the reporting line is what makes that ownership real. Between them is a security committee that must convene at least quarterly, a cadence chosen deliberately to force a recurring, current review rather than an annual glance. The CISO's task is to give that committee, and through it the board, something they can decide on, which means resisting the temptation to present a wall of technical alerts. A useful board pack is built around a short set of key risk indicators, the open audit non-conformities and their closure dates, the status of the VAPT remediation programme, incident counts and the lessons taken from them, and the standing of the firm's data-protection position. Presented that way, the board can govern with it: allocate budget proportionate to the threat, set risk appetite, and direct remediation priority. The board's own duties reinforce this; it approves the information and cyber security policy, allocates the budget, reviews the audit findings, and ensures identified gaps are closed within a defined period rather than left open. The practical discipline is to maintain three living registers, open vulnerabilities, audit non-conformities and incidents, current between meetings, so each board pack assembles itself from evidence the CISO already holds rather than being reconstructed under deadline. That is the difference between governed oversight and a paper committee.
As a corporate client, what should I ask my broker or TPA about cyber security?
You should treat your broker and TPA as you would any critical vendor that holds your sensitive data, because a breach at the intermediary exposes your business information and your people and the consequences flow back to you. Useful questions include: are you compliant with the IRDAI Information and Cyber Security Guidelines 2026, and who is your independent CISO; how is my data stored, encrypted and access-controlled, and where does it physically sit; what is your incident-response and breach-notification process, and how and when would you tell me if my data were affected; when was your last independent security audit and were any material non-conformities found and closed; and how do your controls align with your DPDP obligations as a fiduciary or processor of my data. The guidelines give you a clear reference standard for this conversation, since a regulated intermediary is now obliged to meet defined security standards, undergo annual independent audits and notify breaches. The answers tell you how seriously the firm takes the data you entrust to it. It is also worth considering how a breach originating at your broker or TPA, rather than in your own systems, would interact with your own cyber insurance, so that a chain breach does not fall into a gap between policies.
What does a tested incident-response lifecycle look like for a broker CISO?
It is a defined, rehearsed sequence the CISO can run under pressure, not a document produced after the fact. The lifecycle runs: detect, which depends on logging and monitoring actually being in place, since an incident that is never seen can never be handled; contain, to stop the incident spreading across systems and client data; assess, scoping the incident enough to report responsibly; notify, which for a broker means prompt notification to IRDAI and, where the affected data is personal, the parallel breach-notification duties under the DPDP Act and Rules to the Data Protection Board and affected principals, plus notification to corporate clients whose data is involved; remediate the root cause so the same gap does not reopen; and review, feeding the lessons back into controls and the board pack. The defining feature is that this lifecycle is tested before it is needed. A tabletop exercise that walks the firm through a realistic breach, who declares the incident, who decides to notify, who speaks to clients and within what timeframe, exposes the gaps an untested plan hides, and an untested plan tends to fail at the moment it matters most. For a broker specifically, the client dimension is acute: a breach at the firm may compromise a corporate client's employee data, so client notification should be built into the same plan alongside the regulatory reporting rather than handled as a separate scramble. The incident log this produces is one of the three living registers the board pack draws on.

Related Glossary Terms

Related Insurance Types

Related Industries

Related Articles

Sarvada

Ready to see Sarvada in action?

Explore the platform workflow or start a product conversation with our underwriting automation team.

Explore the platform