Broadcom Audit Defence for Insurance Companies
Insurance carriers face Broadcom audits with a particular set of regulatory and operational constraints. A defence playbook designed for the sector reduces settlements and preserves regulatory coherence.
Insurance carriers run some of the most regulated and operationally complex IT estates outside of banking. Policy administration, claims processing, actuarial modelling, and intermediary portals all sit on virtualised infrastructure, and for the overwhelming majority of carriers that infrastructure is VMware. When Broadcom's audit programme arrives at an insurance company, the engagement has features that distinguish it from audits in other industries — and a defence strategy that doesn't account for those features will leave money on the table.
This article explains how Broadcom audits typically unfold inside insurance carriers, the regulatory and operational constraints that shape the response, and the defence playbook that has produced consistent results in our work with insurers across the United States, the United Kingdom, and continental Europe.
Why insurers are an attractive audit target
Broadcom's audit programme does not select targets at random. The internal analysis behind audit selection is driven by signals — and insurance carriers throw off several at once.
The first signal is footprint. A mid-size regional insurer typically runs between 800 and 4,000 vSphere CPU cores, with a multi-site disaster recovery posture that often doubles the licensed inventory. National and multinational carriers run substantially more. The financial size of any compliance gap scales with the footprint, so the expected return on an audit at an insurance carrier is high.
The second signal is the composition of the estate. Insurance carriers were heavy adopters of vRealize Operations and Aria Automation in the 2018-2022 window, of NSX for micro-segmentation around PCI scopes, and of vSAN for branch and disaster-recovery sites. The estate therefore contains many of the components Broadcom most wants to convert into VCF subscriptions.
The third signal is contractual age. Many insurance carriers signed multi-year enterprise licence agreements in 2019-2022 that have rolled into Broadcom's ownership without being renegotiated. Old EULA language, accumulated under-licensing in growth areas, and post-acquisition product reclassifications give Broadcom a natural pretext to inspect.
The fourth signal — and the one that does most of the work — is sensitivity. Insurance is regulated. The systems that run on the VMware estate are systems that the carrier cannot tolerate being unavailable. The combination produces a customer that is unusually inclined to settle quickly rather than fight, which improves Broadcom's expected recovery per engagement.
The regulatory constraints that shape the response
Insurance carriers operate under a layered set of regulations that affect how an audit can be answered. The most relevant in the United States are state insurance department requirements, model regulations published by the NAIC, and — for carriers that handle health insurance lines — HIPAA. In the United Kingdom and Europe, the Prudential Regulation Authority, the Financial Conduct Authority, EIOPA, and the Digital Operational Resilience Act (DORA) all impose obligations that constrain how the carrier can share data with third parties, how third-party access to its systems is governed, and how operational dependencies on critical software vendors are documented.
The practical implications for an audit response:
- Data sharing constraints. The carrier cannot hand the auditor unredacted inventory data that includes references to systems processing protected information without a documented legal basis and contractual protections. The audit clause in the underlying licence agreement usually does not satisfy regulatory data-sharing requirements on its own.
- Third-party access controls. If the auditor proposes to run discovery tools inside the carrier's environment, that access falls within the carrier's third-party risk management programme. The auditor must be onboarded, contractually constrained, and supervised; ad-hoc tool deployment is not compatible with the carrier's regulatory posture.
- Operational resilience documentation. Under DORA and equivalent frameworks, the carrier maintains a register of critical ICT third-party providers. Broadcom appears on that register; the audit relationship and any settlement decisions need to be coherent with the resilience documentation already filed with regulators.
- Records retention and discoverability. Communications with Broadcom during the audit may be discoverable in subsequent regulatory examinations or litigation. The carrier should not produce informal admissions in chat or email that could later be used against it.
None of these constraints prevents a response — they shape what a sensible response looks like. The carrier's general counsel and chief compliance officer need to be involved early, not as an obstacle to the IT team but as a source of leverage. Regulatory constraints are also constraints on the auditor.
The operational profile that shapes exposure
Insurance estates have characteristic patterns that affect the licence position.
Active-active or active-passive disaster recovery. Most insurers run paired data centres with synchronous or asynchronous replication. The licensing of the passive side has been a recurring source of dispute under Broadcom; the carrier needs to know exactly how its DR sites are licensed and which entitlements cover failover scenarios.
Heavy use of NSX micro-segmentation around regulated workloads. NSX was historically licensed as a separate product. Carriers that used NSX Enterprise Plus features without any corresponding entitlement have exposure, and so do carriers that licensed NSX Standard or Advanced but used Enterprise Plus features (such as distributed firewalling with advanced policy).
vRealize/Aria deployments for capacity management and automation. The reclassification of these products into the Aria portfolio under Broadcom has produced edition mismatches; entitlements granted under vRealize naming may not map cleanly onto Aria editions, and Broadcom auditors may interpret ambiguity in their favour.
vSAN at branch sites and DR locations. Branch and DR vSAN deployments often grew over time without formal capacity tracking. Carriers may be over-deployed against entitlement without realising it.
Test and development copies of production systems. Actuarial models, claims processing, and policy administration systems are typically replicated into test environments for rate-development cycles and system testing. Whether those test copies are properly licensed is frequently unclear.
The audit defence playbook for insurers
The defence strategy that has produced the best outcomes for our insurance clients combines a few elements.
1. Convene the right team before responding
A Broadcom audit notification at an insurance carrier should trigger a defined internal escalation. The team includes:
- The CIO or designated IT executive sponsor
- The IT asset management lead
- The infrastructure/virtualisation lead
- General counsel or designated legal lead
- The chief compliance officer or regulatory affairs lead
- The CISO or designated security lead (for tool-access governance)
- An independent licensing advisor
Procurement should be involved but should not lead the response. The audit is a legal and regulatory matter that happens to involve licensing; procurement framing tends to under-weight the regulatory dimensions.
2. Negotiate the audit scope and methodology in writing
Before any data is shared, the carrier should propose — in writing — a scope and methodology document covering: which legal entities are within scope, which products are within scope, the data the auditor will request, the security controls applied to that data, the auditor's confidentiality obligations, the carrier's right to review and challenge findings before they are finalised, and the dispute-resolution mechanism. This document is not always welcomed by the auditor, but the act of proposing it sets the negotiating frame for the rest of the engagement.
3. Conduct an internal pre-audit before the formal one
The carrier should run its own inventory and entitlement reconciliation, ideally with an independent advisor, before the formal audit collects data. The pre-audit produces three things: a current view of the carrier's actual licence position, an assessment of where the carrier's data quality is weakest, and a working baseline against which the auditor's eventual findings can be compared. Carriers that walk into an audit blind almost always settle high; carriers that walk in with their own data settle low.
4. Control data flow to the auditor
The auditor's findings are only as good as the data they're built on. Carriers that hand over raw exports lose the ability to contextualise. The right pattern is for the carrier to produce structured responses to specific data requests, with each response reviewed by the internal team before release. This is slower than a bulk-export pattern, but it produces defensible answers and avoids handing the auditor material that produces inflated claims.
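The pre-audit reconciliation in step 3 and the controlled release in step 4 are, at bottom, a small data-processing job: count deployed cores per product, separate the undisputed production consumption from the DR-passive and test consumption whose licensing status the carrier still needs to establish, flag weak data, and release only reviewed, de-identified figures. The script below is an added example written for this article, not the authors' own tooling and not any Broadcom or VMware utility. The inventory rows, entitlement figures, hostnames and workload names are all constructed; a real run would populate them from the carrier's discovery export and its contracts.

```python
"""Pre-audit reconciliation and release control for a VMware estate.

Added example (not part of the original article). Every inventory row,
entitlement figure, hostname and workload name below is constructed
sample data; product names follow the article's examples only.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    """One ESXi host as found by the carrier's own discovery run."""
    hostname: str
    site: str          # data-centre label
    role: str          # "prod", "dr-passive" or "test"
    cores: int
    products: tuple    # licensable products found deployed on the host
    workloads: tuple   # VM names; regulated context, never released raw


# Constructed inventory: a production site, a DR site and a test cluster.
INVENTORY = [
    Host("esx-a01", "DC-A", "prod", 64, ("vSphere", "NSX"),
         ("claims-db-01", "policy-admin-01")),
    Host("esx-a02", "DC-A", "prod", 64, ("vSphere", "NSX", "vSAN"),
         ("claims-app-01",)),
    Host("esx-b01", "DC-B", "dr-passive", 64, ("vSphere", "NSX"),
         ("claims-db-01-replica",)),
    Host("esx-b02", "DC-B", "dr-passive", 64, ("vSphere", "vSAN"), ()),
    Host("esx-t01", "DC-A", "test", 32, ("vSphere", "NSX"),
         ("actuarial-model-uat",)),
    # Discovered but never classified: the kind of weak record the
    # pre-audit exists to surface before the auditor does.
    Host("esx-b03", "DC-B", "dr-passive", 0, (), ()),
]

# Constructed entitlements: licensed cores per product (invented figures;
# a real reconciliation takes these from the contracts themselves).
ENTITLEMENTS = {"vSphere": 256, "NSX": 160, "vSAN": 64}


def consumption(inventory):
    """Deployed cores per product, broken down by host role."""
    by_product = defaultdict(lambda: defaultdict(int))
    for h in inventory:
        for p in h.products:
            by_product[p][h.role] += h.cores
    return by_product


def reconcile(inventory, entitlements):
    """Compare deployed cores with entitlement, product by product.

    Production cores are reported as undisputed consumption. DR-passive
    and test cores are reported separately as contestable, because
    whether they consume entitlement turns on the contract language for
    failover and non-production use; both gap figures are kept so the
    carrier knows the range before the auditor asserts one end of it.
    """
    result = {}
    for product, roles in consumption(inventory).items():
        undisputed = roles.get("prod", 0)
        contestable = sum(c for r, c in roles.items() if r != "prod")
        entitled = entitlements.get(product, 0)
        result[product] = {
            "entitled": entitled,
            "undisputed": undisputed,
            "contestable": contestable,
            "gap_if_all_counted": max(0, undisputed + contestable - entitled),
            "gap_if_prod_only": max(0, undisputed - entitled),
        }
    return result


def data_quality_flags(inventory):
    """Hosts whose records are too thin to defend in front of an auditor."""
    flags = []
    seen = set()
    for h in inventory:
        if h.hostname in seen:
            flags.append((h.hostname, "duplicate host record"))
        seen.add(h.hostname)
        if not h.products or h.cores == 0:
            flags.append((h.hostname, "no product or core data recorded"))
    return flags


def release_package(reconciliation, requested, reviewed):
    """Structured response to one data request.

    Only products the internal team has signed off are released, and the
    release carries aggregate core counts only: no hostnames, sites or
    workload names leave the carrier through this path.
    """
    released, withheld = {}, []
    for product in requested:
        if product not in reviewed:
            withheld.append(product)
            continue
        r = reconciliation[product]
        released[product] = {
            "licensed_cores": r["entitled"],
            "deployed_cores_production": r["undisputed"],
            "deployed_cores_non_production": r["contestable"],
        }
    return {"released": released, "withheld_pending_review": withheld}


if __name__ == "__main__":
    rec = reconcile(INVENTORY, ENTITLEMENTS)
    for product, r in rec.items():
        print(product, r)
    print("flags:", data_quality_flags(INVENTORY))
    print(release_package(rec, ["vSphere", "NSX", "vSAN"], {"vSphere", "NSX"}))
```

The two gap figures are the point: with the constructed data, every product is within entitlement if only production counts, and every product is over if DR-passive and test cores count as well, which is exactly the interval the carrier should settle internally before the auditor picks one end of it.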
5. Treat the preliminary findings as the start of negotiation, not the conclusion
Broadcom's preliminary findings reports are typically inflated. They include conservative interpretations of ambiguity, double-counting between editions, and pricing at undiscounted list price. The carrier should treat the preliminary report as the opening position in negotiation and prepare a written response that itemises every disputed finding with supporting evidence. Our experience is that 50-80% of preliminary findings are reduced or eliminated when properly challenged.
Settlement framing for insurers
When an insurance audit reaches the settlement stage, the framing of the settlement matters as much as the dollar amount. Broadcom's preferred settlement is a VCF subscription conversion, with the audit findings rolled into the conversion economics. The carrier needs to consider whether this is actually the right outcome.
The questions to work through:
- Is VCF the right architectural direction? Not all carriers want or need the full VCF bundle. Converting to VCF to settle an audit locks in a five-year commitment to that bundle.
- Does the conversion price recognise the disputed status of the findings? If 70% of the preliminary findings are disputed, the settlement should not be priced as though they were undisputed.
- Are the regulatory dependencies addressed? Operational resilience documentation, third-party risk assessments, and concentration risk reporting may all need updating after a major commitment change.
- Is the carrier preserving optionality? A settlement that ends with a five-year exclusive VCF commitment forecloses options the carrier may want to preserve.
Common mistakes by insurance carriers in audits
Letting the IT team handle the audit alone
Audits at insurance carriers are not IT projects. The regulatory dimensions, the contractual dimensions, and the financial dimensions all require executive engagement. IT teams that handle audits alone tend to under-weight what they don't manage day-to-day.
Sharing data without contractual constraints
The standard audit clause in a master agreement does not provide the data-protection language an insurance carrier needs. Carriers that hand over data under the master agreement alone may be in breach of their own internal data-sharing controls.
Accepting the auditor's methodology
The methodology determines the outcome. Carriers that defer to the auditor's choice of discovery tools, edition-mapping rules, and counting methodologies will not be able to challenge findings produced under those methodologies later.
Underestimating the settlement timeline
A serious insurance-sector audit response takes three to six months from notification to settlement. Carriers that try to compress that timeline almost always overpay.
Failing to coordinate with regulators
If the audit produces material commitments or operational changes, the carrier's regulators may need to be informed. Discovering this after the settlement is signed creates a worse problem than addressing it during negotiation.
Frequently asked questions
Are insurance carriers more frequently audited than other industries?
The audit-rate evidence is partial, but our engagement pattern suggests insurance carriers are audited more frequently than average for their size, particularly mid-size carriers with vRealize/Aria and NSX in the estate.
Can our state insurance regulator help in an audit?
Regulators don't intervene in commercial disputes, but the carrier's obligations to its regulator constrain what it can agree to. A regulator's concerns about operational resilience or third-party concentration can be a legitimate negotiating point.
Should we disclose the audit to our reinsurers or rating agencies?
Generally not for the audit itself, but a material settlement may need to be disclosed depending on the carrier's disclosure obligations and the settlement size. Discuss with the carrier's general counsel.
What if our actuarial models are running on the audited infrastructure?
The audit does not entitle Broadcom to access actuarial models or any other application data. The audit covers VMware licence consumption. Carriers should refuse any audit request that crosses into application data.
Is there a difference between life insurance, P&C, and health insurance in audit posture?
The regulatory frameworks differ but the audit defence playbook is broadly the same. Health insurance carriers have additional HIPAA constraints on data handling; P&C carriers tend to have more dispersed estates; life carriers tend to have older and more contractually complex estates. The differences shape the response but not the structure of it.
How long does a typical insurance-sector Broadcom audit take?
From notification to settlement, three to six months for a well-managed defence. Shorter than that usually means the carrier accepted unfavourable terms; longer than that usually means an unresolved dispute that may move to mediation or escalation.