Why the 2026 guidelines change the game for intermediaries
The IRDAI Information and Cyber Security Guidelines, 2026 set minimum standards and governance mechanisms for information and cyber security across all Regulated Entities, and crucially they apply not only to insurers but to the entire intermediary chain: brokers, corporate agents, web aggregators, third party administrators, insurance repositories and other stakeholders. They revise and replace the earlier 2023 guidelines in response to evolving cyber threats and industry feedback, and compliance is required from the current financial year. For commercial brokers, this is one of the most operationally demanding pieces of regulation to land in years, because it imposes on intermediaries a structured information security regime previously associated with much larger, more heavily resourced institutions.
The reason intermediaries are squarely in scope is that they sit on exactly the data attackers want. A commercial broking firm holds detailed information about corporate clients: insured asset registers, valuations, loss histories, financial details, and the personal data embedded in group health, workers compensation and directors and officers programmes. A broker's systems are a concentrated repository of sensitive commercial and personal information, often less defended than an insurer's. Regulators have recognised that the security of the insurance ecosystem is only as strong as its weakest link, and intermediaries have frequently been that link. The 2026 guidelines close the gap by holding intermediaries to a defined standard rather than leaving their security to discretion.
The scale of the obligation should not be underestimated. The framework formalises governance around recognised standards, with the audit framework structured around the NIST Cybersecurity Framework and a substantial body of specific audit controls, reported in industry analysis as 347 controls in the strengthened version. It layers Digital Personal Data Protection Act compliance into the same instrument, so information security and data protection are addressed together rather than as separate exercises. And it creates board-level accountability, including for the closure of non-conformities within defined timelines. This is not a checklist a junior IT person can tick; it is an enterprise governance obligation that reaches the top of the firm.
For brokers, the practical reality is that the 2026 guidelines convert information security from an optional good practice into a regulated compliance posture with board accountability, defined controls, mandatory reporting and audit. The firms that already run mature security functions will need to formalise and document what they do. The many firms that have treated security informally will need to build a function more or less from scratch, against timelines that are immediate for most provisions and 12 to 18 months for infrastructure-heavy requirements such as full encryption. This playbook sets out what intermediaries need to put in place.
Governance and board responsibility
The foundation of the 2026 framework is governance, and the central message is that information and cyber security is a board-owned responsibility, not an IT function delegated and forgotten. For intermediaries, this is the most significant cultural shift the guidelines demand, because many broking firms have historically treated security as a technical matter rather than a governance one.
The board must own the Information and Cyber Security Policy. The framework expects the board to approve the policy, oversee its implementation, allocate budget proportionate to the threat landscape the firm faces, and take accountability for closing audit non-conformities within defined timelines (reported as 12 months). This means the firm's directors cannot treat cyber risk as someone else's problem; it is an enterprise risk they are accountable for, alongside financial and operational risks. For a broking firm, that requires the board or its governing body to engage with security at a level many have not before: reviewing the policy, understanding the risk assessment, and tracking remediation to closure.
The framework establishes a security committee structure. A committee responsible for information and cyber security, reported in coverage as the Information Security Risk Management Committee, must oversee security policy, risk assessment, incident response and compliance status, and must report to the board. It must meet at least quarterly, up from the previous expectation of twice a year. The quarterly cadence matters: it signals that security oversight must be continuous and current rather than an occasional review. For intermediaries, standing up such a committee, with the right membership and a genuine review function rather than a paper one, is an early priority.
The Chief Information Security Officer role and its independence are a defining feature of the 2026 governance model. The framework requires that the CISO does not have a direct reporting relationship with the Head of IT and is not given business targets. The logic is to preserve the CISO's independence: a security officer who reports to the head of IT cannot objectively challenge IT decisions, and one with business targets faces a conflict between security and revenue. For large brokers this means a properly positioned, independent CISO function. For smaller intermediaries, who may not have the scale for a full-time CISO, the obligation still stands in substance: the firm must have a security leadership function that is independent of IT operations and free of commercial pressure, however it is resourced. Smaller firms will need to think carefully about how to achieve this independence proportionately, whether through a dedicated role, a shared resource or an appropriately structured external arrangement, and should confirm the regulator's expectations for their entity category.
The overarching governance lesson for intermediaries is that the 2026 guidelines expect security to be designed, owned and reviewed at the top of the firm, with clear accountability, an independent security function, a structured committee and board-level ownership. This is a meaningful step up from the informal arrangements common in the broking sector, and building this governance scaffolding is the first task in any compliance programme.
Controls, risk assessment and the technical baseline
On top of governance, the 2026 guidelines establish a technical and control baseline that intermediaries must implement. The framework formalises its controls around the NIST Cybersecurity Framework, organising security into the recognised functions of identify, protect, detect, respond and recover (to which CSF 2.0 adds govern, which maps directly onto the board and committee obligations above), and translating these into a detailed set of specific audit controls (reported as 347 in the strengthened version). For intermediaries, the practical task is to map their current state against this control set and to close the gaps, prioritising by risk and by the timelines the guidelines impose.
Risk assessment is the starting point. The framework expects a structured, periodic information security risk assessment that identifies the firm's information assets, the threats to them, the vulnerabilities present and the resulting risk, feeding a remediation plan. For a broking firm, this means cataloguing where sensitive data lives (client records, policy and claims data, the personal data in group programmes), identifying how it could be compromised, and prioritising controls accordingly. Many intermediaries have never conducted a formal risk assessment; doing so is both a compliance requirement and the rational basis for spending limited security budget where it matters most.
The protective controls span the familiar domains: access management and the principle of least privilege so that staff can reach only the data their role requires; network security and segmentation; secure configuration of systems; endpoint protection; and encryption of sensitive data. Encryption is one of the infrastructure-heavy requirements with a longer implementation window, reported as 12 to 18 months for full implementation depending on the specific requirement, recognising that comprehensive encryption takes time to deploy. Intermediaries should treat the longer-window items as a programme to plan and execute deliberately, while implementing the immediately applicable controls now.
Detective and responsive controls require monitoring and the capability to identify and react to incidents. The framework expects logging, monitoring and the ability to detect anomalous activity, supported by an incident response plan that defines roles, escalation and the steps to contain and remediate an incident. For intermediaries, building even a proportionate detection and response capability is often the hardest part, because it requires either internal expertise or a managed security arrangement. The guidelines' expectation is not that every broker runs a full security operations centre, but that the firm has a defined, tested ability to detect and respond appropriate to its risk.
The data protection layer is integral. Because the framework folds Digital Personal Data Protection Act compliance into the same instrument, the controls intermediaries implement must serve both information security and data protection. The personal data brokers hold (employee details in group health and workers compensation, named individuals in directors and officers cover, claimant information in liability claims) attracts DPDP obligations, and the security controls protecting it are part of meeting those obligations. Treating information security and data protection as a single, integrated programme, as the guidelines do, is more efficient and more defensible than running them separately.
The practical sequencing for an intermediary is: assess risk, map against the control framework, implement the immediately applicable controls, plan the longer-window infrastructure items such as encryption, and build a proportionate detection and response capability. The aim is a defensible baseline appropriate to the firm's scale and risk, not a copy of an insurer's enterprise security stack.
Incident reporting and CERT-In alignment
Among the most operationally exacting requirements of the 2026 framework is incident reporting, and intermediaries must build the capability to meet it before an incident occurs, because the timelines leave no room to improvise.
The headline obligation is the reporting timeline. All cyber incidents must be reported to CERT-In within six hours of detection, with copies to IRDAI and other relevant regulators. This aligns the insurance sector with the broader CERT-In incident reporting directions that apply across Indian organisations, and it is a demanding standard. Six hours from detection is a short window in which to recognise that an incident has occurred, assess it sufficiently to report, and route the report to CERT-In and IRDAI. For an intermediary without a defined process, six hours can elapse simply in working out who is responsible and what to do.
Meeting the six-hour timeline in practice requires several things to be in place beforehand. The firm needs the ability to detect incidents, which loops back to the monitoring and detection controls discussed above: the clock starts at detection, but an intrusion that goes unnoticed for weeks will still have to be explained to the regulator and the auditor, so dwell time matters as much as reporting speed. It needs a defined incident response plan with named responsible individuals and a clear escalation path, so that detection triggers action immediately. It needs pre-prepared reporting channels and templates for CERT-In and IRDAI, so that reporting is a matter of completing a known process rather than working out the process under pressure. And it needs to test this capability through exercises, because an untested incident response plan tends to fail at the moment it is needed.
CERT-In alignment goes beyond the reporting timeline. The framework expects intermediaries to align with CERT-In guidelines more broadly, including the security practices, logging and information-sharing expectations that CERT-In sets for Indian organisations (the 2022 CERT-In directions, for example, require ICT system logs to be retained for 180 days and made available on request). For intermediaries, this means treating CERT-In's directions not as a separate regime but as part of the same compliance posture the IRDAI guidelines establish. The CISO or equivalent security leadership is responsible for compliance with CERT-In guidelines, which reinforces why an independent, competent security function is essential.
For commercial brokers specifically, the incident reporting obligation carries a client dimension. A broker holds client data, so an incident affecting the broker may affect corporate clients whose information is compromised. Brokers should consider how incident response and reporting intersect with their obligations to clients and with the clients' own incident response, particularly where the compromised data includes the personal data of the client's employees, which engages DPDP breach considerations. A well-prepared broker integrates client notification into the incident response plan alongside the regulatory reporting, so that an incident is handled coherently rather than as separate regulatory and commercial scrambles.
Third-party and vendor risk, and the audit framework
Two further pillars of the 2026 framework deserve dedicated attention because they are where intermediaries are most often unprepared: third-party and vendor risk, and the audit and assurance framework.
Third-party and vendor risk is increasingly the dominant cyber exposure for any organisation, and intermediaries are no exception. Brokers rely on a web of third parties: cloud and software providers, IT support, data processors, and the insurers and TPAs they exchange data with. The framework expects a comprehensive vendor risk management programme: cybersecurity due diligence before engaging a vendor, contractual security clauses requiring vendors to comply with data protection laws, notify incidents and submit to audit rights, and ongoing oversight of vendor security. For intermediaries, this is a significant change, because many broking firms engage technology vendors without any security assessment and on standard contracts that say nothing about security. Under the 2026 framework, the firm remains accountable for the security of data it entrusts to vendors, so vendor due diligence and contractual controls become a compliance necessity. The practical steps are to inventory the vendors that touch sensitive data, assess their security, update contracts to include the required clauses, and monitor compliance over time.

This is also where the framework intersects with the broker's own position in the chain: just as the broker must manage its vendors, the insurers the broker works with must manage the broker as their vendor, which means brokers should expect insurers to subject them to the same due diligence the broker must apply downstream. Being a well-secured, demonstrably compliant intermediary is therefore both a regulatory obligation and a commercial advantage in retaining insurer relationships.
The audit and assurance framework is the mechanism that gives the guidelines teeth. The framework formalises audit around the NIST Cybersecurity Framework, narrows the pool of eligible auditors to ensure competent independent assessment, and requires structured audit against the detailed control set. It creates board-level accountability for the closure of non-conformities within defined timelines, reported as within 12 months. For intermediaries, this means security is not self-assessed and forgotten; it is independently audited against a recognised standard, with findings tracked to closure under board oversight. The implication is that intermediaries must not only implement controls but be able to evidence them to an auditor, which raises the importance of documentation. A control that exists but is not documented is hard to evidence in audit; intermediaries should document policies, risk assessments, controls, incident response and vendor management as they build them, so that the audit is a demonstration of an existing posture rather than a scramble to assemble evidence.
The narrowing of the eligible auditor pool is worth noting for planning. Intermediaries should identify a qualified auditor early, because demand for competent insurance-sector security auditors will be high as the whole industry comes into compliance. Leaving the audit to the last moment risks both unavailability of auditors and insufficient time to remediate findings before the closure timeline bites.
Taken together, vendor risk and audit make clear that the 2026 framework is about demonstrable, governed, independently assured security across the firm and its supply chain, not a one-time technical fix. For intermediaries, the work is substantial but the structure is clear, and firms that approach it as a programme rather than a panic will build a security posture that is both compliant and genuinely protective.
A compliance playbook and roadmap for intermediaries
Pulling the framework together, here is a practical, sequenced playbook for a commercial broking firm or other intermediary coming into compliance with the 2026 guidelines, recognising that most provisions are immediately applicable while infrastructure-heavy items have a 12 to 18 month window.
First, stand up governance. Establish or designate the security committee, ensure it has the right membership and meets at least quarterly, get the board to approve the Information and Cyber Security Policy, and put in place an independent security leadership function (a CISO or proportionate equivalent) that does not report to IT and carries no business targets. Governance is the scaffolding on which everything else hangs, and it can be built quickly relative to technical controls.
Second, assess risk. Conduct a structured information security risk assessment that catalogues where sensitive client and personal data lives, the threats and vulnerabilities, and the resulting priorities. This assessment drives every subsequent decision about where to spend limited budget.
Third, implement the immediately applicable controls. Map the firm against the NIST-aligned control framework and close the gaps that are achievable now: access management and least privilege, secure configuration, endpoint protection, logging and basic monitoring, and the policies and procedures the framework requires. Treat the longer-window items, notably full encryption, as a planned programme to deliver within the 12 to 18 month window rather than deferring them indefinitely.
Fourth, build incident response and CERT-In reporting capability. Create and test an incident response plan with named owners and escalation paths, prepare CERT-In and IRDAI reporting templates and channels, and ensure the firm can meet the six-hour reporting clock from detection. Integrate client notification into the plan where client data is involved.
Fifth, address vendor risk. Inventory vendors that touch sensitive data, conduct due diligence, update contracts with the required security, notification and audit clauses, and establish ongoing oversight. Expect insurers to apply the same scrutiny to you.
Sixth, prepare for audit. Document everything as you build it, identify a qualified auditor early given the narrowed pool, and treat audit findings as board-tracked items to close within the timelines. Fold DPDP compliance into the same programme, since the framework integrates data protection with information security.
The strategic message for intermediaries is that the 2026 guidelines, demanding as they are, formalise a security posture that the data brokers hold has always warranted. Brokers who build this posture deliberately gain more than compliance: they gain the trust of insurers who must vet them as vendors, the confidence of corporate clients whose sensitive data they hold, and resilience against the cyber threats that are a genuine and growing risk to the broking sector. Compliance done well is a competitive asset, not just a regulatory cost.
Sarvada supports commercial brokers operating within this tightened information security and data protection environment through a platform built on disciplined data handling, including tenant isolation, no sharing of client data with rivals and no sale of data, so that brokers can access the structured insurer policy wording intelligence they need without expanding their data risk surface. As intermediaries implement the 2026 guidelines, working with platforms whose data governance aligns with the firm's own compliance posture matters. Request Access to evaluate how Sarvada fits a broking firm's information security and DPDP compliance roadmap.