Why Tabletop Exercises Have Become a Board-Level Concern in 2026 India
The cyber tabletop exercise has moved from a CISO-led technical drill to a board-level governance instrument for Indian listed companies and large unlisted corporates through FY2024-25 and FY2025-26. Three forces have driven the shift: the operational realities of the CERT-In Direction of 28 April 2022, which made six-hour incident reporting binding on every Indian body corporate; the entry into force of the Digital Personal Data Protection Act, 2023 (DPDP Act) with its operative rules notified through 2025 carrying breach notification obligations to the Data Protection Board of India (DPBI); and the hardening of the cyber insurance market in 2024-25 after a sequence of large Indian incidents that exposed the gap between policy purchase and incident readiness.
The AIIMS Delhi ransomware incident of November 2022, which disabled hospital systems for weeks and reportedly involved a ransom demand in the range of INR 200 crore, exposed how poorly prepared even flagship public institutions were for sustained ransomware events. The ICICI Lombard data exposure incident reported in 2024, where customer policy and claims documents were briefly accessible through a misconfigured endpoint, demonstrated that even insurance companies themselves face the same exposures their clients carry. The continuing wave of Indian banking phishing fraud, with RBI's FY2024-25 fraud monitoring data showing material losses through credential theft and authorised push payment fraud, has kept cyber risk at the top of the board risk register for financial services boards. Outside financial services, the FY2025-26 incidents at Indian pharmaceutical contract manufacturers and large logistics operators, several of which produced operational disruption of more than 72 hours, have generalised the concern beyond the financial sector.
Against this background, insurer-side cyber underwriting in India has tightened materially. ICICI Lombard, HDFC Ergo, TATA AIG, Bajaj Allianz and the foreign reinsurers writing Indian cyber treaty business (Munich Re, Swiss Re, Hannover Re, SCOR, Lloyd's syndicates) are now requiring incident response readiness evidence at underwriting submission. A tabletop exercise within the last 12 months, with documented board engagement and corrective action tracking, has become a standard underwriting question on cyber proposal forms for risks above INR 100 crore turnover. Where the exercise is absent or perfunctory, insurers either decline, impose substantial sub-limits on ransomware and business interruption sections, or load the rate by 25% to 60%.
The tabletop exercise also matters for the policy itself once a real incident occurs. Cyber policies in 2026 typically include a panel response clause requiring the insured to engage panel forensic vendors, panel legal counsel and panel public relations support within a defined window (commonly 24 to 72 hours of discovery). The exercise is the operational mechanism through which the insured proves it can mobilise the panel response in real time. A board and management team that has rehearsed the panel engagement, the CERT-In six-hour clock, the DPDP breach notification timing and the internal communications sequence will execute these steps under real-incident pressure. A team that has not rehearsed will not.
This post sets out a 2026 India-specific framework for designing, running and documenting cyber tabletop exercises: scenario selection grounded in actual Indian incident patterns, board engagement structures that satisfy audit committee and risk committee oversight expectations, regulatory trigger mapping that aligns with CERT-In, DPDP and sectoral regulators (RBI, SEBI, NCIIPC for critical information infrastructure), and the specific insurance triggers that the exercise should cover. The audience is the corporate risk manager, CISO, internal audit lead and broker advisor who must collectively land the exercise as a credible governance and operational instrument.
The framing matters because tabletop exercises produce widely different outcomes depending on design and execution. A well-designed exercise with realistic scenarios, the right participants, honest facilitation and rigorous post-exercise corrective action programmes typically surfaces 20 to 50 specific operational findings, drives material improvement in incident readiness, and produces credible evidence for both underwriting and audit committee oversight. A poorly designed exercise with generic Western scenario templates, junior facilitators, missing senior participants and weak post-exercise follow-up produces a tickbox satisfying the underwriting question but no real improvement, and may even create a false sense of preparedness that produces worse outcomes than no exercise at all. The Indian corporate experience through FY2023-24 and FY2024-25 includes both extremes, and the maturing 2026 practice is converging on the design and execution disciplines that distinguish the two outcomes. The broker plays a central role in this convergence: brokers with credible cyber advisory capability provide scenario design support, panel pre-engagement, insurer policy alignment and post-exercise renewal narrative that materially improve the exercise value. Brokers that treat the exercise as a checkbox item on the broker scorecard rather than as integrated risk advisory work add limited value and may even contribute to the false-sense-of-preparedness failure mode.
The Indian Regulatory Stack the Exercise Must Map: CERT-In, DPDP, NCIIPC and Sectoral Rules
A 2026 cyber tabletop exercise that does not map the Indian regulatory stack will mislead the participants about what they actually need to do in a real incident. The stack has four layers: the horizontal CERT-In framework, the DPDP Act personal data layer, the NCIIPC critical information infrastructure layer for protected sectors, and sectoral regulator overlays for regulated entities.
The CERT-In Direction of 28 April 2022
The CERT-In Direction issued under Section 70B(6) of the Information Technology Act, 2000 binds every body corporate, intermediary, data centre, service provider and government organisation operating in India. The headline obligation is the six-hour incident reporting requirement: any cyber incident falling within the 20 reportable categories listed in the Annexure (including ransomware, unauthorised access, data breach, identity theft, denial of service and several others) must be reported to CERT-In within six hours of noticing or being brought to notice. The reporting channel is the CERT-In incident reporting form at the official portal, with supporting forms via email at incident@cert-in.org.in.
A tabletop exercise must rehearse the six-hour clock specifically. The clock starts at the moment of noticing the incident, which is usually the moment a security operations centre analyst escalates a confirmed positive finding to the CISO or equivalent. The clock does not wait for full root cause analysis, exposure scoping or executive approval. The exercise should make participants confront the fact that a partial report filed at hour five with what is known is the regulatory expectation, not a comprehensive report filed at hour twenty after analysis is complete. Many Indian corporates discover during their first serious tabletop that their internal approval pathway for external regulatory communications cannot complete in six hours, and remediation of that pathway becomes one of the most important exercise outputs.
The Direction also imposes logging obligations (logs of all ICT systems enabled and retained for a rolling 180 days, maintained within Indian jurisdiction and produced to CERT-In on order), designation of a point of contact registered with CERT-In, and synchronisation of system clocks with the NTP servers operated by NIC or NPL (or with servers traceable to them). The exercise should test whether the registered point of contact is current and reachable, since a stale contact registered three years ago by an employee who has since left is a common gap. It should also test whether the logs the forensic vendor will ask for actually exist for the period in question and whether timestamps across systems agree, because an unsynchronised clock turns timeline reconstruction, and the "time of noticing" that starts the six-hour clock, into a matter of argument.
DPDP Act breach notification
The DPDP Act, 2023, with its operative rules and the Data Protection Board of India fully constituted through 2025, layers a personal data breach notification obligation on top of CERT-In. A personal data breach (defined broadly as any unauthorised processing of personal data, or accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access to personal data, that compromises its confidentiality, integrity or availability) must be reported to the DPBI and to affected data principals. As the rules stand in 2026 the obligation runs in two stages: an initial intimation to the DPBI and to affected data principals without delay on becoming aware, and detailed information to the DPBI within 72 hours of becoming aware (or a longer period the Board allows), with the content of each notice set out in the rules. The 72-hour figure is therefore the outer limit for the detailed report, not the trigger for first contact.
The DPDP layer is operationally distinct from the CERT-In layer. CERT-In addresses cyber incidents broadly; DPDP addresses personal data breaches specifically. The same event commonly triggers both layers (a ransomware event that encrypts a customer database is both a CERT-In reportable incident and a DPDP personal data breach), and the exercise must rehearse parallel reporting tracks rather than sequential ones. The reports go to different regulators, contain different information, and have different downstream consequences: CERT-In is investigative and supervisory, while the DPBI has direct penalty authority under the Schedule to the Act, up to INR 250 crore for failure to take reasonable security safeguards to prevent a personal data breach and up to INR 200 crore for failure to notify one.
NCIIPC for protected sectors
Organisations notified as protected systems under Section 70 of the IT Act, falling within Critical Information Infrastructure (CII) sectors (power, banking, telecom, transport, government, strategic public enterprises), are subject to oversight by the National Critical Information Infrastructure Protection Centre (NCIIPC). NCIIPC operates its own incident reporting framework with separate timelines and content requirements, and runs sector-specific advisory and exercise programmes. Corporates operating CII assets must layer NCIIPC reporting onto CERT-In and DPDP, and the exercise must rehearse the three-way reporting choreography.
Sectoral regulator overlays
Regulated entities have additional sectoral reporting obligations. RBI-regulated entities (banks, NBFCs, payment system operators) report to RBI under the cyber security framework circulars (2016 for banks, with subsequent updates for NBFCs and payment operators) with their own timelines and content. SEBI-regulated entities (stock exchanges, depositories, listed companies in the context of material disclosure) report under SEBI cyber circulars and LODR Regulation 30 material disclosure obligations. IRDAI-regulated entities report under the IRDAI Information and Cyber Security Guidelines 2023. Telecom licensees have additional obligations under the licence conditions issued by the Department of Telecommunications. The exercise must include the sectoral reporting layer for the entity's specific regulatory profile, and must rehearse the public disclosure timing tension that arises for listed companies where material cyber incidents must be disclosed under LODR Regulation 30 within prescribed windows.
A practical exercise design dedicates an early scenario phase to the regulatory clock, simulating the first six hours from incident noticing through to the CERT-In report submission, the DPBI notification draft, the NCIIPC report where applicable, the sectoral regulator report, and the LODR disclosure preparation. Participants experience the parallel-track nature of the reporting obligations and the operational pressure of executing them simultaneously.
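The parallel-track clock is easier to rehearse when the facilitator can show, at each inject, which reports have fired and how much of each window is left. The following is an added example for this post, not code from any regulator or vendor: it maps a handful of incident facts to the reporting tracks that fire and computes the windows the post states (six hours for CERT-In, 72 hours for the detailed DPBI report). The NCIIPC, sectoral and LODR windows are deliberately left unfixed because the post gives no single number for them, and the insurer notice window is taken from the policy schedule as a parameter. The incident, times and field names are constructed for the example.

```python
"""Regulatory clock tracker for the first phase of a cyber tabletop (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

IST = timezone(timedelta(hours=5, minutes=30))

# Windows the post states. Anything the post leaves to "the applicable rules" is
# carried as None so the track is still listed but never given an invented deadline.
CERT_IN_HOURS = 6    # CERT-In Direction of 28 April 2022: six hours from noticing
DPBI_HOURS = 72      # DPDP rules as the post describes them: detailed report within 72 hours


@dataclass(frozen=True)
class Incident:
    noticed_at: datetime             # SOC escalates a confirmed positive: the clock starts here
    cert_in_category: bool           # falls within a CERT-In Annexure reportable category
    personal_data_affected: bool     # a DPDP personal data breach
    protected_system: bool           # notified under s.70 IT Act, so NCIIPC also applies
    sector_regulator: Optional[str]  # "RBI", "SEBI", "IRDAI" or None
    listed: bool                     # LODR Regulation 30 disclosure applies
    insurer_notice_hours: Optional[int] = None  # policy notification clause, if known


@dataclass(frozen=True)
class Track:
    name: str
    due: Optional[datetime]   # None: the track fires but its window is not fixed here
    note: str


def reporting_tracks(inc: Incident) -> List[Track]:
    """Map incident facts to the reporting tracks that fire. They run in parallel."""
    tracks: List[Track] = []
    if inc.cert_in_category:
        tracks.append(Track("CERT-In", inc.noticed_at + timedelta(hours=CERT_IN_HOURS),
                            "partial report with what is known; do not wait for root cause"))
    if inc.personal_data_affected:
        tracks.append(Track("DPBI", inc.noticed_at + timedelta(hours=DPBI_HOURS),
                            "initial intimation without delay; detailed report by this time"))
    if inc.protected_system:
        tracks.append(Track("NCIIPC", None, "protected system; NCIIPC's own timeline and content"))
    if inc.sector_regulator:
        tracks.append(Track(inc.sector_regulator, None, "sectoral circular timeline"))
    if inc.listed:
        tracks.append(Track("LODR Reg 30", None, "material disclosure within the LODR window"))
    if inc.insurer_notice_hours is not None:
        tracks.append(Track("Insurer", inc.noticed_at + timedelta(hours=inc.insurer_notice_hours),
                            "policy notification clause, via the broker"))
    return tracks


def at_hours(inc: Incident, hours: float) -> datetime:
    """Clock time of an inject expressed as hours after noticing."""
    return inc.noticed_at + timedelta(hours=hours)


def clock_status(tracks: List[Track], now: datetime) -> List[Tuple[str, Optional[float]]]:
    """Hours remaining per track at `now`, soonest first; negative means the window has closed.

    Tracks with no fixed window come last with None so they are not silently dropped.
    """
    fixed = [(t.name, (t.due - now).total_seconds() / 3600.0) for t in tracks if t.due is not None]
    fixed.sort(key=lambda item: item[1])
    unfixed = [(t.name, None) for t in tracks if t.due is None]
    return fixed + unfixed


def sample_incident() -> Incident:
    """Constructed scenario: ransomware encrypts the customer database of a listed,
    SEBI-regulated company at 02:00 IST; the (assumed) policy wants insurer notice within 48h."""
    return Incident(
        noticed_at=datetime(2026, 3, 14, 2, 0, tzinfo=IST),
        cert_in_category=True,
        personal_data_affected=True,
        protected_system=False,
        sector_regulator="SEBI",
        listed=True,
        insurer_notice_hours=48,
    )


if __name__ == "__main__":
    inc = sample_incident()
    tracks = reporting_tracks(inc)
    for inject_hour in (0, 5, 7):   # injects at noticing, at hour five and at hour seven
        print(f"inject at T+{inject_hour}h")
        for name, remaining in clock_status(tracks, at_hours(inc, inject_hour)):
            status = "window not fixed" if remaining is None else f"{remaining:+.1f}h"
            print(f"  {name:<12} {status}")
```

Run at the hour-seven inject, the CERT-In line goes negative while the DPBI and insurer lines still show most of their window, which is exactly the picture participants need to internalise: the clocks are independent, and the shortest one has already expired by the time most organisations have finished their internal approval loop.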
Scenario Design Grounded in Actual Indian Cyber Incident Patterns from 2022 to 2025
A credible 2026 cyber tabletop exercise uses scenarios that reflect the actual attack patterns hitting Indian corporates rather than generic Western incident templates. The pattern data from CERT-In annual reports, the RBI fraud monitoring publications, and the published lessons from named Indian incidents through 2022-2025 supports four core scenario archetypes that should rotate through an organisation's exercise programme.
Archetype 1: Ransomware with operational disruption and ransom demand in cryptocurrency
The AIIMS Delhi 2022 incident is the canonical Indian reference. The scenario design should include a ransomware deployment that encrypts production systems (typically the ERP, the customer database and selected operational systems), operational disruption preventing normal business for an extended period, a ransom demand in cryptocurrency (commonly Bitcoin or Monero) in the range of INR 50 crore to INR 200 crore depending on organisation size and threat actor sophistication, and the secondary threat of data exfiltration with publication on a leak site if the ransom is not paid (the double-extortion pattern that has been standard practice since 2020). Because exfiltration usually precedes encryption, the scenario should also make clear that restoring from backups ends the operational disruption but does nothing about the DPDP breach or the leak-site threat.
The exercise should force decisions on ransom payment that the participants likely have not previously had to make. The Indian regulatory and law enforcement position discourages ransom payment, with CERT-In and law enforcement (CBI, state cyber cells) emphasising reporting and forensic engagement rather than payment. The Office of Foreign Assets Control (OFAC) US sanctions exposure for payments to sanctioned threat actor groups creates an additional complication for organisations with US presence or counterparty exposure. The cyber insurance policy may cover ransom payment subject to conditions including insurer pre-approval, sanctions screening and panel facilitator engagement, but the operational reality of executing a cryptocurrency payment within a hostile-actor timeline is unfamiliar to most Indian corporates. The exercise should make participants confront the payment decision in concrete terms rather than leaving it as an abstract policy question.
Archetype 2: Data breach with personal data and reputational exposure
The ICICI Lombard 2024 endpoint exposure and the recurring pattern of Indian e-commerce, fintech and healthcare data exposures provide the reference. The scenario design should include a discovery that customer personal data (KYC documents, financial information, health records, biometric data) has been accessible through an unauthorised channel for a period (commonly weeks or months before discovery), with the volume of records exposed running from hundreds of thousands to tens of millions depending on the organisation's customer base.
The exercise should rehearse the DPDP breach notification track with specific attention to the content requirements: the nature of the breach, categories and approximate number of data principals and records, likely consequences, measures taken or proposed, and the contact point. The DPBI report draft should be produced during the exercise and reviewed by data protection counsel. The data principal notification draft should also be produced, with attention to the language calibration required (regulatory compliance, customer trust preservation, litigation exposure management).
The scenario should also rehearse the media and regulatory response. Indian data breach incidents typically attract media coverage within 24 to 72 hours of public disclosure or unauthorised disclosure on online forums. The exercise should include a simulated journalist enquiry, a simulated regulatory enquiry from DPBI, and a simulated investor enquiry for listed companies. The participants experience the simultaneous pressure of regulatory compliance, customer trust management and capital markets disclosure that real incidents produce.
Archetype 3: Banking phishing or business email compromise with funds transfer
The Indian banking phishing pattern, with credential theft, social engineering of corporate finance teams, and unauthorised funds transfer in the range of INR 5 crore to INR 50 crore per event, provides the reference. The scenario design should include a CFO impersonation email or voice deepfake instructing an urgent transfer to a supplier account that turns out to be controlled by the threat actor, with the transfer completing before discovery.
The exercise should rehearse the funds recovery track: immediate engagement with the bank to recall the transfer (typically possible only within minutes to hours), engagement with the destination bank where the funds may have been moved, engagement with cyber crime cells (state and central; the National Cyber Crime Reporting Portal at cybercrime.gov.in and the 1930 financial fraud helpline are the entry points a finance team will actually use, and they should know them before the exercise rather than discover them during it), and the cyber insurance claim under the funds transfer fraud sub-section. Cyber policies in 2026 typically include funds transfer fraud coverage with sub-limits in the range of INR 5 crore to INR 25 crore depending on the policy structure, with specific conditions on call-back verification and dual control procedures. The exercise should test whether the finance team's actual practice satisfies the policy conditions, since a gap between practice and policy condition will lead to coverage denial. The detail that matters most is where the call-back number comes from: a call-back to the number supplied in the instruction itself verifies nothing, because the attacker wrote that number.
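A useful way to test practice against policy condition during the exercise is to run the simulated payment request through the control the policy expects, written down as code rather than as a paragraph in a procedure manual. The block below is an added example for this post, not any insurer's wording or any company's actual payment system. It encodes dual control and call-back verification as a release gate, with the threshold, the channel rule and the request fields as assumptions for the example; the scenario request mirrors the archetype above (a CFO-impersonation email asking for an urgent transfer to a new supplier account and helpfully including the number to call).

```python
"""Payment release gate for the BEC tabletop archetype (added example)."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Assumed thresholds for the example; a real gate takes these from the policy wording
# and the company's own payment authority matrix.
DUAL_CONTROL_THRESHOLD_INR = 50_00_000                # INR 50 lakh: two approvers at or above this
OUT_OF_BAND_CHANNELS = frozenset({"email", "voice"})  # instructions arriving this way need a call-back


@dataclass(frozen=True)
class Beneficiary:
    name: str
    account: str
    phone_on_file: Optional[str]     # from the vendor master, never from the instruction itself
    new_or_changed: bool             # new payee, or bank details changed recently


@dataclass(frozen=True)
class PaymentRequest:
    amount_inr: int
    beneficiary: Beneficiary
    instruction_channel: str              # "erp", "email" or "voice"
    requested_by: str
    approvers: FrozenSet[str]
    callback_number_used: Optional[str]   # the number finance actually dialled, if any
    callback_confirmed: bool


@dataclass(frozen=True)
class GateResult:
    released: bool
    failures: List[str]


def release_gate(req: PaymentRequest) -> GateResult:
    """Apply dual control and call-back verification before a transfer is released."""
    failures: List[str] = []

    # Dual control: two distinct approvers, neither of whom raised the request.
    independent = req.approvers - {req.requested_by}
    if req.amount_inr >= DUAL_CONTROL_THRESHOLD_INR and len(independent) < 2:
        failures.append("dual control: fewer than two approvers independent of the requester")

    # Call-back: required for a new or changed payee and for any instruction that arrived by
    # email or phone. It must go to the number on file, not a number supplied by the requester.
    needs_callback = req.beneficiary.new_or_changed or req.instruction_channel in OUT_OF_BAND_CHANNELS
    if needs_callback:
        on_file = req.beneficiary.phone_on_file
        if on_file is None:
            failures.append("call-back: no independently sourced number on the vendor master")
        elif req.callback_number_used != on_file:
            failures.append("call-back: dialled a number that is not the vendor-master number")
        elif not req.callback_confirmed:
            failures.append("call-back: payee did not confirm the instruction")

    return GateResult(released=not failures, failures=failures)


def scenario_request() -> PaymentRequest:
    """Constructed inject: a 'CFO' email asks for an urgent INR 8 crore transfer to a new
    supplier account and includes the number to ring for confirmation."""
    supplier = Beneficiary("Acme Components Pvt Ltd", "ACCT-NEW-001",
                           phone_on_file=None, new_or_changed=True)
    return PaymentRequest(
        amount_inr=8_00_00_000,
        beneficiary=supplier,
        instruction_channel="email",
        requested_by="ap.clerk",
        approvers=frozenset({"ap.clerk", "finance.manager"}),   # clerk approved their own request
        callback_number_used="number-in-the-email",             # attacker-controlled line
        callback_confirmed=True,                                 # the attacker answered and said yes
    )


def compliant_request() -> PaymentRequest:
    """Same amount through the ERP to an established payee with two independent approvers."""
    supplier = Beneficiary("Acme Components Pvt Ltd", "ACCT-0042",
                           phone_on_file="number-on-vendor-master", new_or_changed=False)
    return PaymentRequest(8_00_00_000, supplier, "erp", "ap.clerk",
                          frozenset({"finance.manager", "cfo"}), None, False)


if __name__ == "__main__":
    for label, req in (("scenario inject", scenario_request()), ("compliant", compliant_request())):
        result = release_gate(req)
        print(f"{label}: released={result.released}")
        for f in result.failures:
            print(f"  - {f}")
```

The scenario request fails on both conditions even though the team "did a call-back", which is the point worth making to the finance participants: the control is only as good as the provenance of the number dialled. A variant worth injecting is the case where the vendor master does hold a number but the team rings the one in the email anyway; the gate rejects that too, and the policy condition is not met.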
Archetype 4: Supply chain or third-party software compromise
The SolarWinds-style supply chain attack pattern, with subsequent variants affecting Indian corporates through compromised third-party software updates, contractor remote access channels and managed service provider compromise, provides the reference. The scenario design should include a discovery that a trusted third party (a software vendor, a managed IT provider, a contractor with remote access) has been compromised, with the threat actor leveraging the trusted access path to reach the organisation's systems.
The exercise should rehearse the third-party liability and contractual response: contract review for the third party's incident notification obligations, breach disclosure to the third party's other customers if shared infrastructure is implicated, recourse claims against the third party for losses, and cyber insurance coverage for losses arising from third-party compromise. The 2026 cyber market is increasingly excluding or sub-limiting third-party software compromise events, particularly after the systemic implications became visible in global incidents, and the exercise should expose participants to the coverage limitations they actually face.
Board Engagement: Audit Committee, Risk Committee and Director Liability Dimensions
The 2026 cyber tabletop exercise must engage the board credibly without becoming a marketing performance for executive sponsors. The engagement structure varies by organisation but should include audit committee oversight of the exercise programme, risk committee or full board participation in selected exercises, and explicit linkage to director liability and D&O insurance considerations.
Audit committee oversight of the exercise programme
The audit committee, which under Section 177 of the Companies Act, 2013 and SEBI LODR Regulation 18 has explicit oversight of internal financial controls and risk management systems, should treat the cyber tabletop programme as a routine oversight area. The audit committee receives a programme document setting out the annual exercise schedule, the scenario archetypes covered, the participant groups, the regulatory mapping, and the corrective action tracking. The committee reviews the post-exercise report for each major exercise, focuses on findings and management response, and tracks closure of corrective actions through the year.
The audit committee oversight role is supervisory rather than participative. The committee does not need to attend the exercise itself in most cases (though it may attend a tailored director-level exercise once every two to three years), but it should receive credible evidence that the exercise was conducted as designed, that findings were honestly identified, and that corrective actions are closing on track.
Risk committee or full board participation in selected exercises
Large Indian corporates increasingly include a director-level tabletop in the annual programme, either as a standalone exercise once a year or as a high-level overlay on a management-level exercise. The director-level exercise focuses on the decisions that only the board can make: ransom payment authorisation, public disclosure timing, regulatory engagement strategy, customer communication tone, and crisis governance.
The director-level exercise typically runs for two to three hours rather than the full-day management exercise, uses a scenario that has been distilled to the decisions requiring board input, and is facilitated by a senior external advisor (often the lead cyber broker, a specialised consultancy or a senior partner from a law firm). The directors should leave the exercise with concrete familiarity with the decision pressure they would face in a real incident, the regulatory and reputational stakes, and the support structures (broker, insurer panel, counsel, communications) they can rely on.
Director liability and D&O insurance linkage
A 2026 cyber incident at an Indian listed company can produce director liability exposures that the directors and the company should understand in advance. The exposures include shareholder claims under the Companies Act, 2013 for breach of director duties (Section 166), SEBI enforcement for inadequate disclosure under LODR Regulation 30, class action exposure under Section 245, and potential criminal exposure under specific circumstances. The D&O insurance policy responds to many of these exposures subject to its terms, and the cyber policy may include some overlap with the D&O policy on specific items.
The tabletop exercise should explicitly cover the D&O policy notice obligations that arise during a cyber incident. D&O policies typically require notice of a circumstance reasonably likely to give rise to a claim, with the notice often required within 30 to 60 days of awareness. A material cyber incident, even before any specific claim is filed, can constitute a circumstance triggering the notice obligation. Failure to give timely notice can prejudice coverage when a claim materialises. The exercise should rehearse the parallel D&O notice track alongside the cyber policy claim track, with the company secretary, the broker and the D&O insurer engaged in the simulated workflow.
The D&O premium and capacity implications of cyber incidents are also worth surfacing for directors. Following a material cyber incident, the D&O renewal typically faces premium increases, retention increases, and capacity reduction. Directors should understand that the cyber incident has implications for their own protection structure, not only the company's cyber policy, and that those implications strengthen the rationale for credible cyber risk management investment.
Linkage to internal audit and the second line
The tabletop exercise should be designed and supervised in a way that gives internal audit and the risk function credible engagement without diluting the first-line ownership. A common structure has the CISO and the head of business continuity lead the exercise design and facilitation, with internal audit and risk acting as observers and post-exercise reviewers. Internal audit's role is to verify that the exercise was conducted as designed, that findings were honestly identified, and that corrective actions are tracked through to closure. The risk function's role is to integrate the exercise findings into the enterprise risk register and the residual risk assessment that goes to the risk committee.
Insurance Triggers: What the Exercise Must Rehearse for Cyber Policy Response
The cyber tabletop exercise has direct bearing on the cyber insurance policy in three ways: it satisfies underwriting expectations of incident readiness, it rehearses the policy response mechanics so that real-incident execution is fluent, and it surfaces gaps between operational practice and policy conditions that should be remediated before they cause claim denial.
The panel response clause
Cyber policies issued by ICICI Lombard, HDFC Ergo, TATA AIG, Bajaj Allianz and the foreign reinsurer-led wordings used by GIFT City IFSC and Lloyd's market placements typically include a panel response clause. The clause requires the insured, upon noticing a covered cyber event, to engage from the insurer's panel one or more of: a forensic vendor, a legal counsel specialising in cyber and data protection, a public relations firm, a ransomware negotiator, and a notification service for affected individuals. The panel is set out in the policy schedule or referenced through the insurer's portal. Engagement of non-panel vendors is permitted only with insurer pre-approval, and unapproved engagement can void cover for those costs.
The tabletop exercise should rehearse the panel engagement specifically. Participants should be required to identify the panel vendors for the policy in force, the contact mechanism (a 24x7 hotline number typically embedded in the policy schedule), and the engagement script. The exercise should expose the common gap where the operational team would default to its existing forensic vendor relationship, which may not be on the insurer's panel, with consequent coverage exposure. Where the existing relationship is not panel-approved, the corrective action is either to negotiate addition of the vendor to the panel during renewal or to pivot the operational relationship to a panel vendor.
The 24-72 hour clock for incident notification to insurer
The policy itself contains a notification clause typically requiring notice to the insurer within 24, 48 or 72 hours of discovering a covered event. Late notification is one of the most common bases for claim disputes. The exercise should rehearse the notification mechanics: the broker as the primary notification channel, the policy details required for the notification (policy number, insured name, brief description of the event, estimated severity), the broker's onward escalation to the insurer's claims team, and the simultaneous activation of the panel response. The exercise should test whether the broker contact details held by the security operations centre are current and reachable on a 24x7 basis, since a broker contact that goes to voicemail at 2 AM Sunday morning when the incident is noticed is a common gap.
The CERT-In and DPDP regulatory cost coverage
Cyber policies in 2026 commonly include coverage for regulatory investigation costs, including legal costs for responding to CERT-In enquiries, DPBI investigations and sectoral regulator inquiries, subject to sub-limits typically in the range of INR 1 crore to INR 10 crore. The coverage may be conditional on engagement of panel legal counsel and may exclude certain types of regulatory engagement (proactive disclosure assistance versus enforcement defence). The exercise should rehearse the regulatory engagement track with panel counsel engaged from the start, since a defence built up by non-panel counsel may not be covered when the bills are submitted.
Business interruption sub-section
The cyber business interruption sub-section is the largest exposure area in most policies and the area most prone to claim disputes. The sub-section typically covers loss of net profit and increased cost of working arising from interruption to business operations caused by a covered cyber event, subject to a waiting period (commonly 8 to 24 hours), an indemnity period (commonly 90 to 180 days, sometimes longer for specific organisations) and specific exclusions. The exercise should rehearse the BI claim preparation: financial documentation of the loss, segregation of cyber-caused loss from other causes, broker support for the claim preparation, and loss adjuster engagement. The exercise should expose the gap that is common between the finance team's normal management accounts cadence and the documentation a BI claim requires, with corrective action on the financial documentation infrastructure required.
Ransomware sub-section and ransom payment workflow
Where the ransom payment is contemplated under the ransomware sub-section, the workflow is unusually intricate. The policy typically requires the insurer's pre-approval before any payment, engagement of a panel ransomware negotiator, sanctions screening of the threat actor, OFAC and other sanctions compliance for the payment route, and execution of the cryptocurrency payment through an approved channel. The exercise should rehearse the full workflow with attention to the timing pressure that real-incident threat actors impose (commonly a 72-hour deadline before the leak site goes live). The participants experience the operational complexity of executing a ransom payment within the insurer's compliance framework under threat-actor time pressure, and the exercise outputs typically include refinements to the pre-incident relationship with the insurer's ransomware response panel.
Coverage gap surfacing
The exercise documentation should explicitly identify the policy sections rehearsed, the gaps surfaced, and the renewal-cycle remediation actions. This documentation forms part of the insurer underwriting submission for the subsequent renewal and is highly persuasive evidence of mature cyber risk management.
Running the Exercise: Facilitation, Documentation and Post-Exercise Closure
The operational mechanics of running a credible cyber tabletop exercise determine whether the exercise produces useful outputs or becomes a compliance theatre that satisfies the underwriting question without changing real readiness. Indian corporates that have run multiple exercise cycles over FY2023-24 to FY2025-26 have converged on a consistent operational structure.
Pre-exercise preparation
The exercise design phase typically runs four to six weeks before the exercise date. The lead facilitator (commonly the CISO or an external advisor) drafts the scenario in consultation with the risk function, internal audit and the broker. The scenario is calibrated to the organisation's specific industry, threat profile and current control posture; a generic scenario imported from a vendor template will lack the specificity needed to drive useful learning. The participant list is identified across functions: security operations, IT operations, legal, communications, finance, business continuity, the relevant business unit leadership, the company secretary, the broker, and observer representation from internal audit and the risk function. The exercise sponsor (commonly the CRO, CISO or COO) confirms the leadership-level participants.
The broker's involvement in pre-exercise preparation is material. The broker reviews the scenario for alignment with the policy in force, supplies the policy schedule details that the exercise will reference, identifies the insurer panel vendors that the exercise should engage in simulation, and confirms the notification mechanism that the participants should rehearse. Some brokers offer a separate broker-led exercise focused specifically on the insurance response mechanics, which can complement a fuller operational exercise.
Exercise day mechanics
The full-day operational exercise typically runs six to eight hours including breaks. The structure has three phases. Phase one (90 to 120 minutes) covers the initial detection, escalation, regulatory clock activation, and panel response engagement. Phase two (120 to 180 minutes) covers the sustained response, regulatory reporting, stakeholder communication, and operational containment. Phase three (90 to 120 minutes) covers the recovery, claim preparation, and post-incident review.
The facilitator drives the exercise through scenario injects: pieces of new information introduced at scheduled points or in response to participant actions. The injects test specific decisions and decision points. A typical inject set for the ransomware archetype includes the initial encryption alert, the first ransom note discovery, the leak site publication threat, the journalist enquiry, the regulator enquiry, the customer notification scope clarification, the insurance broker call, and the recovery progress update. Each inject creates a decision point that participants must work through, with the facilitator probing the rationale and surfacing the assumptions.
The exercise should use realistic operational tooling where possible. Participants should draft the actual CERT-In incident report on a saved copy of the official reporting form (not by filing on the live portal), the actual DPBI notification template, the actual board communication and the actual customer notification. The realism extracts the operational gaps that abstract discussion would miss.
Documentation discipline
The exercise documentation determines whether the outputs persist beyond the exercise day. A typical documentation package includes the scenario brief, the inject list, the participant attendance record, the decision log (recording each material decision made during the exercise, by whom, on what basis), the findings register (identifying gaps surfaced), the corrective action list (with owner and target closure date), and the post-exercise report submitted to the audit committee.
The findings register should be honest. Indian corporates with mature exercise programmes typically generate 20 to 50 findings per exercise across operational, regulatory, communications and insurance dimensions. The findings should be specific ("the CERT-In point of contact registered in 2022 is no longer with the organisation" rather than "CERT-In registration needs review") and ranked by severity. The corrective action list should assign each finding to a specific owner with a target closure date, and the audit committee should track closure through the year.
Post-exercise corrective action and re-test
The corrective action programme typically runs through the 12 months following the exercise. Common corrective actions include: refreshing the CERT-In registration, updating the broker emergency contact details on the SOC console, negotiating with the broker for adjustments to the insurer panel at renewal, updating internal approval pathways to support the six-hour CERT-In clock, refining the public relations playbook, refreshing the third-party contracts for incident notification clauses, and improving the financial documentation infrastructure for BI claim support.
The corrective action closure should be verified, not assumed. A common pattern is for actions to be marked closed on the basis of a stated remediation step without verification that the remediation actually addresses the gap. Internal audit should verify a sample of closures each quarter, and the audit committee should call out any pattern of weak closure for management attention.
The next exercise cycle should include a re-test of selected findings from the previous exercise. A scenario inject that simulates the previously identified gap tests whether the remediation was effective. Re-tests are typically the highest-value exercise content because they directly verify that previous investment has produced improvement.
Edge Cases, Operational Gotchas and the FY2026-27 Forward View for Indian Corporates
Even mature cyber tabletop programmes encounter edge cases and operational gotchas that distinguish well-prepared organisations from those that simply complete the exercise. The 2026-27 forward view also includes regulatory and market developments that organisations should anticipate.
The cross-border data complication
Indian corporates with significant international operations face cross-border data complications in real cyber incidents that simple India-centric exercises miss. The DPDP Act's data localisation provisions interact with GDPR breach notification (72 hours for breaches affecting European personal data), with state-level US data breach laws, with Singapore's PDPA notification regime, and with sectoral regulator obligations across jurisdictions. The exercise for multinational Indian operations should include a multi-jurisdiction inject that forces participants to navigate parallel regulatory tracks. The complication is particularly acute for IT services companies, pharmaceutical companies with US operations, and large industrial groups with European subsidiaries.
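The parallel regulatory tracks described above, and the "regulatory clock activation" step of phase one, are easiest to rehearse when the incident lead has a single view of every notification deadline running from the detection timestamp. The following is an added example, not code from the page or from any tool it mentions: it hard-codes only the two windows the page states (the CERT-In six-hour window and the GDPR 72-hour window) and leaves every other regime as an explicitly open placeholder to be completed from counsel advice and the policy in force. The tag names (`india`, `eu`, `us`, `sg`) and the "starts on" descriptions are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

IST = timezone(timedelta(hours=5, minutes=30))


@dataclass(frozen=True)
class Clock:
    regime: str
    window: Optional[timedelta]   # None: no fixed window recorded here; confirm with counsel
    starts_on: str                # what starts the clock (assumption, to be confirmed)


# Tag -> applicable notification regimes. Only the CERT-In six-hour window and the
# GDPR 72-hour window come from the page; the remaining entries are constructed
# placeholders that the incident lead must complete before exercise day.
REGIMES = {
    "india": [
        Clock("CERT-In Direction (28 April 2022)", timedelta(hours=6), "noticing the incident"),
        Clock("DPDP Act / DPBI notification", None, "timing guidance still awaited from DPBI"),
    ],
    "eu": [Clock("GDPR Art. 33 (supervisory authority)", timedelta(hours=72), "becoming aware of the breach")],
    "us": [Clock("US state breach laws", None, "varies by state; confirm with counsel")],
    "sg": [Clock("Singapore PDPA", None, "confirm with counsel")],
}


def deadlines(detected_at: datetime, tags: set) -> list:
    """Return (regime, deadline-or-None, starts_on) rows, earliest fixed deadline first.

    Regimes with no fixed window recorded are listed last so they are never
    silently forgotten behind the ones that do have a clock."""
    rows = []
    for tag in sorted(tags):
        for clock in REGIMES.get(tag, []):
            due = detected_at + clock.window if clock.window is not None else None
            rows.append((clock.regime, due, clock.starts_on))
    rows.sort(key=lambda r: (r[1] is None, r[1] or detected_at))
    return rows


def remaining_seconds(detected_at: datetime, tags: set, now: datetime) -> dict:
    """Seconds left on each fixed clock at `now` (negative means overdue);
    None for regimes whose window is not recorded."""
    out = {}
    for regime, due, _ in deadlines(detected_at, tags):
        out[regime] = None if due is None else (due - now).total_seconds()
    return out


def render(detected_at: datetime, tags: set, now: datetime) -> str:
    """Human-readable clock board for the facilitator or incident lead."""
    lines = []
    for regime, due, starts_on in deadlines(detected_at, tags):
        if due is None:
            lines.append(f"{regime}: no fixed window recorded ({starts_on})")
            continue
        left = due - now
        state = "OVERDUE by" if left < timedelta(0) else "due in"
        hours = abs(left.total_seconds()) / 3600
        lines.append(f"{regime}: {state} {hours:.1f} h (deadline {due.isoformat()}, clock runs from {starts_on})")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed scenario: encryption alert confirmed at 09:00 IST, Indian and EU data affected.
    detected = datetime(2026, 4, 1, 9, 0, tzinfo=IST)
    print(render(detected, {"india", "eu"}, detected + timedelta(hours=3)))
```

The ordering matters more than the arithmetic: the CERT-In clock expires long before the GDPR one, so a facilitator can use the board to check whether participants activated the six-hour track before they started on the longer ones.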
The deepfake and AI-generated content complication
The 2025-26 wave of AI-generated content has materially changed the social engineering and impersonation threat. Voice deepfakes of CFOs, video deepfakes of CEOs in fraudulent contexts, and AI-generated text in phishing emails have all been documented in Indian incidents. The exercise should include an AI-generated content inject that tests whether the verification protocols in place can defeat the modern impersonation threat. Many organisations discover that their existing call-back verification protocols, designed for human impersonation, are inadequate against AI-generated voice impersonation, and require additional verification layers (multi-channel verification, behavioural challenge, transaction time delays for high-value transfers).
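The additional verification layers named above (multi-channel verification, a behavioural challenge, and a time delay for high-value transfers) can be written down as an explicit release policy so the exercise can test it rather than rely on participants' memory of it. The following is an added example and not the page's or any organisation's actual procedure: the INR threshold, the 24-hour hold, the channel names and the rule that a callback to a number supplied in the request never counts are all assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import Enum
from typing import Optional


class Channel(Enum):
    CALLBACK_DIRECTORY = "callback to the number held in the corporate directory"
    SECOND_APPROVER = "independent second approver confirmed out of band"
    CHALLENGE = "pre-agreed behavioural challenge answered"
    CALLBACK_REQUESTED = "callback to a number supplied in the request itself"  # never counts


# Assumed policy parameters (constructed for the example).
HIGH_VALUE_INR = 10_000_000          # 1 crore and above is "high value"
HOLD_PERIOD = timedelta(hours=24)    # mandatory delay before a high-value release


@dataclass
class TransferRequest:
    amount_inr: int
    received_at: datetime
    channels: set = field(default_factory=set)   # verification channels completed so far
    urgency_claimed: bool = False                # "must go today" pressure is itself a signal


@dataclass
class Decision:
    action: str                   # "release", "hold" or "reject"
    reason: str
    release_not_before: Optional[datetime] = None


def evaluate(req: TransferRequest, now: datetime) -> Decision:
    """Apply the release policy to a payment request at time `now`."""
    # A callback to a number the requester supplied proves nothing about who the
    # requester is, so it is discarded before anything else is counted.
    effective = {c for c in req.channels if c is not Channel.CALLBACK_REQUESTED}
    if Channel.CALLBACK_REQUESTED in req.channels and not effective:
        return Decision("reject", "only verification offered was a callback to a requester-supplied number")

    pressure = " (urgency claimed; does not shorten any hold)" if req.urgency_claimed else ""

    if req.amount_inr < HIGH_VALUE_INR:
        if effective:
            return Decision("release", "below high-value threshold; one independent channel completed" + pressure)
        return Decision("hold", "no independent verification channel completed yet" + pressure)

    # High value: directory callback plus at least one further independent channel,
    # and the hold period must have elapsed regardless of claimed urgency.
    missing = []
    if Channel.CALLBACK_DIRECTORY not in effective:
        missing.append(Channel.CALLBACK_DIRECTORY.name)
    if len(effective) < 2:
        missing.append("a second independent channel")
    if missing:
        return Decision("hold", "high value; still required: " + ", ".join(missing) + pressure)

    release_at = req.received_at + HOLD_PERIOD
    if now < release_at:
        return Decision("hold", "high value; verification complete, hold period running" + pressure, release_at)
    return Decision("release", "high value; verification complete and hold period elapsed" + pressure)


if __name__ == "__main__":
    # Constructed inject: a "CFO" voice call asks for 5 crore to go out today.
    t0 = datetime(2026, 4, 1, 11, 0)
    req = TransferRequest(50_000_000, t0, {Channel.CALLBACK_REQUESTED}, urgency_claimed=True)
    print(evaluate(req, t0 + timedelta(minutes=10)))
```

The point the exercise should draw out is the last branch: even when every channel checks out, the hold still runs, which is what defeats a convincing voice clone applying time pressure.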
The OT and IoT scope question
Manufacturing, power, oil and gas, and infrastructure operators have material operational technology (OT) and Internet of Things (IoT) infrastructure that the IT-centric cyber programme may not adequately cover. A 2026 cyber tabletop for these sectors should include an OT or IoT scenario specifically: a programmable logic controller compromise affecting production safety, a building management system compromise affecting critical infrastructure, or a targeted industrial control system attack (the pattern observed in incidents affecting Indian and global utilities). The cyber insurance policy's OT coverage is often narrower than the IT coverage, with specific exclusions for physical damage that may follow an OT compromise, and the exercise should expose these coverage limitations.
Insider threat and the disgruntled employee scenario
Most exercises focus on external threat actors, but a material proportion of Indian incidents involve insider threats: employees or contractors who exfiltrate data on departure, sabotage systems in retaliation, or facilitate external compromise through privilege misuse. The cyber policy's coverage for insider events varies, with some policies excluding intentional acts of executives or controlling owners and others limiting coverage for malicious insider acts. An insider threat scenario in the exercise rotation surfaces these coverage nuances and the operational response specifics (HR engagement, evidence preservation, law enforcement coordination, civil and criminal recourse).
Cloud service provider concentration
The concentration of Indian corporate infrastructure on three major cloud providers (AWS, Microsoft Azure, Google Cloud) creates systemic risk from cloud provider compromise or outage. The 2026 tabletop should include a cloud provider scenario that tests the organisation's response to a major cloud event affecting its core operations. The cyber insurance market's response to cloud concentration risk has evolved, with some insurers introducing cloud outage coverage as a specific sub-section and others excluding it. The exercise should expose the policy's cloud event coverage to participants.
Forward view through FY2026-27
Several developments will shape the 2026-27 cyber tabletop landscape. The DPBI is expected to issue specific guidance on breach notification content and timing through 2026, with the first wave of significant penalty orders likely to set precedent on what the regulator expects. CERT-In is expected to publish updated guidance on the 2022 Direction reflecting practical implementation experience. The cyber insurance market is expected to continue tightening on specific exposures (third-party software compromise, supply chain events, AI-related events) and to introduce more standardised exercise documentation expectations through proposal forms.
The broker market is also evolving. Specialist cyber brokers are positioning to provide deeper exercise support, panel pre-engagement work and claims advocacy than generalist brokers have historically supplied. For organisations with material cyber exposure, the broker selection should weight cyber-specific capability heavily in 2026 and beyond. Brokers offering integrated exercise design, insurer panel pre-engagement and claims advocacy deliver different value from placement-only brokers, and the integrated offer is increasingly the standard for sophisticated buyers.
[!NOTE] Platforms supporting brokers in delivering integrated cyber risk and insurance advisory work are emerging in the Indian market, including capability to track exercise programmes, panel vendor relationships and policy condition compliance across multiple insureds. Sarvada supports brokers in building this kind of integrated cyber advisory motion across their corporate client base. Request Access to evaluate the platform capabilities for cyber risk advisory and exercise programme support.
The organisations that treat the cyber tabletop as a governance and operational instrument rather than an underwriting form-filling exercise will be materially better prepared for the incidents that the FY2026-27 threat environment will produce. The exercise programme is one of the few risk management investments where the gap between mature and immature practice is starkly visible in real-incident outcomes, and the organisations investing now in mature exercise practice are protecting both their operational resilience and their insurance cover continuity.