
Cyber Insurance in India: What It Covers and What It Does Not

The Indian cyber insurance market has grown rapidly since 2022 and tightened underwriting standards dramatically since 2023. What was once a relatively casual purchase is now a security maturity assessment. Policies that pay out cleanly are rarer than buyers expect. This is a practical guide to what cyber insurance covers in India, what it does not, and how to make your business insurable.

Published 23 May 2026 · 9 min read · Codesecure Security Team · Industry

Key Takeaways

  • Coverage typically includes: incident response, forensics, legal, breach notification, ransom payment (variable), business interruption, restoration costs, regulatory fines (limited).
  • Common exclusions: nation-state attacks, war, unpatched known vulnerabilities, insider intentional acts, prior known incidents, social engineering fraud (often a separate add-on).
  • Underwriting has tightened: insurers require MFA, EDR, backups, IR plan, often VAPT, before they will issue or renew.
  • VAPT and security maturity improve insurability: lower premium, broader coverage, higher limits, fewer exclusions. The security investment pays back through insurance.
  • The Indian market is consolidating: ICICI Lombard, Bajaj Allianz, HDFC ERGO, Tata AIG and SBI General lead general cyber cover; specialist offerings from Lloyd's of London syndicates serve larger risks.

Why Cyber Insurance Matters in India

Cyber insurance shifted from a niche product to a board-level discussion in India after a series of high-profile incidents and the rise of ransomware as a sustained threat to Indian businesses. Incidents between 2022 and 2025 demonstrated that even well-prepared organisations face material direct and consequential losses from cyber incidents. Insurance is the financial transfer mechanism for losses that prevention does not fully address.

The DPDP Act 2023 added a parallel driver: significant penalties for personal data breaches (up to INR 250 crore for failure of reasonable security safeguards), with insurance markets responding by adjusting coverage for regulatory fines. Customer security questionnaires from international parents increasingly include questions about cyber insurance coverage levels, which pushes Indian organisations to formalise their position.

What Cyber Insurance Typically Covers

Coverage varies by policy, but most modern Indian cyber insurance offerings include the following major categories:

  • Incident response costs: external IR consultant, forensics, executive coordination
  • Legal counsel: privilege management, regulator interaction, contract review, litigation defence
  • Breach notification: per-affected-individual notification cost, call centre, credit monitoring
  • Public relations and crisis communication: external PR firm engagement
  • Ransom payment: where the policy covers it, with sanctions screening and payment intermediary requirements. Coverage varies and is increasingly capped or excluded.
  • Business interruption: revenue loss during the incident and recovery, often subject to retention period
  • Data restoration: cost of restoring data from backups or rebuilding lost information
  • Hardware replacement: cost of replacing hardware destroyed or rendered unrecoverable by the incident
  • Regulatory fines: where insurable under applicable law (DPDP fines coverage varies; some jurisdictions prohibit insurance of penalties)
  • Third-party liability: claims from affected customers, business partners, or other parties harmed by the breach


Common Exclusions That Catch Buyers Off Guard

Coverage gaps in Indian cyber insurance policies are common and often discovered only at claim time. The exclusions that most frequently surprise buyers:

Nation-state attribution: many policies exclude losses attributed to nation-state actors, which is increasingly difficult to apply cleanly given attribution complexity. Some Lloyd's policies introduced 'war exclusion' clauses post-NotPetya that are still being interpreted in courts globally.

War and terrorism: standard exclusion across most general-liability policies. The boundary between cyber and physical conflict is fuzzy and contested.

Unpatched known vulnerabilities: many policies exclude losses where the customer failed to patch a known critical vulnerability within a specified window (often 30 days for critical, 90 days for high). This is meaningful because most ransomware incidents involve exploitation of known unpatched flaws.

Prior known incidents: losses related to incidents the customer was aware of before policy inception are excluded.

Insider intentional acts: malicious insider activity may be excluded or covered separately under crime / fidelity policies.

Social engineering fraud: BEC and CEO fraud are often covered only under a specific social engineering add-on, not under base cyber coverage.

Failure to comply with policy conditions: not having MFA, not running EDR, not maintaining backups, not following the IR plan can be cited as policy condition failures.

How Insurers Assess Risk

Indian cyber insurance underwriting has tightened materially since 2023. Underwriting now typically involves:

  • A detailed security questionnaire (often 50 to 200 questions)
  • Evidence of baseline controls (MFA, EDR, backups, IR plan)
  • A recent VAPT report (increasingly required)
  • Evidence of compliance frameworks where applicable (ISO 27001, SOC 2, PCI DSS)
  • Claims history (any prior incidents, near-misses, regulatory actions)
  • An external attack surface scan (some insurers run their own external scan as part of underwriting)

Questionnaire questions vary by insurer but commonly probe:

  • MFA coverage (everywhere or partial)
  • EDR deployment (every endpoint or partial)
  • Backup architecture (offline immutable or online only)
  • Patch management (cadence, exceptions, evidence)
  • Privileged access management (PIM, JIT, vault)
  • Incident response (plan, retainer, exercise cadence)
  • Vendor management (register, attestation, contract terms)
  • SOC operation (in-house, MDR, or none)

Premium Factors and How VAPT Helps

Premium factors include:

  • Industry (banking, healthcare, retail, manufacturing all have different baseline rates)
  • Revenue and asset value (larger means more potential loss)
  • Data volume and sensitivity (more PII means higher exposure)
  • Security maturity (better controls means lower premium)
  • Claims history (prior claims drive premium up)
  • Coverage limits and retention chosen
  • Geography served (multi-jurisdiction means more regulatory exposure)

VAPT specifically improves insurability in three ways: it provides evidence of baseline control maturity that satisfies underwriting questions; it surfaces and remediates findings before they become claim events; and it signals to the insurer that the organisation takes security seriously, which often translates to a better premium and broader coverage.

Indian organisations that recently completed VAPT typically see 10 to 25 percent better terms at renewal. Organisations that completed ISO 27001 or SOC 2 see broader improvement, often 20 to 40 percent. The security investment frequently pays for itself through insurance premium reduction within 2 to 3 years.


Claims Process: What to Expect

The claims process starts with incident notification to the insurer (timing is critical: most policies require notification within hours to days of awareness). The insurer assigns a claims handler and, for major incidents, coordinates with the panel IR firm if the customer has not engaged their own. Coverage decisions on specific cost categories are made as the incident progresses; reimbursement happens through agreed milestones.

Common claim disputes: policy condition failures (was MFA actually deployed everywhere as the customer claimed in the questionnaire); definition disputes (does this incident qualify as a covered event); proximate cause (was the failure caused by the cyber event or by a pre-existing condition); duration disputes for business interruption; documentation gaps.

Practical recommendations: maintain evidence of policy condition compliance continuously (MFA reports, EDR coverage dashboards, backup test logs, IR plan version control); engage outside counsel quickly for major claims; work with the insurer's panel IR firm if your own retainer is not already in place; and document everything in the incident timeline (we cover this in our IRP blog).
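As an added example (not the post's own tooling), here is a small Python check that applies the patch-window exclusion described above (30 days for critical, 90 days for high) to a constructed findings export, and flags the policy-condition gaps the claims section says to evidence continuously (MFA and EDR coverage, backup restore test age). The thresholds, field names, sample hosts and the 90-day restore-test limit are assumptions, not any insurer's wording.

```python
from datetime import date, timedelta

# Patch windows from the exclusion example in the post; assumed to be the
# policy's exact thresholds, so check them against your own wording.
PATCH_WINDOW_DAYS = {"critical": 30, "high": 90}

# Constructed sample data: findings export, endpoint inventory, last restore-test date.
FINDINGS = [
    {"id": "VULN-001", "severity": "critical", "first_seen": date(2026, 1, 10), "fixed": date(2026, 1, 30)},
    {"id": "VULN-002", "severity": "critical", "first_seen": date(2026, 2, 1), "fixed": None},
    {"id": "VULN-003", "severity": "high", "first_seen": date(2025, 12, 1), "fixed": date(2026, 3, 15)},
    {"id": "VULN-004", "severity": "medium", "first_seen": date(2025, 11, 1), "fixed": None},
]
ENDPOINTS = [
    {"host": "fin-laptop-01", "mfa": True, "edr": True},
    {"host": "hr-desktop-07", "mfa": True, "edr": False},
    {"host": "legacy-app-srv", "mfa": False, "edr": False},
]
LAST_RESTORE_TEST = date(2025, 12, 15)
AS_OF = date(2026, 4, 1)

def overdue_findings(findings, as_of):
    """Findings open past their patch window on as_of: fixed-late ones report
    the days they sat past the deadline, still-open ones count up to as_of."""
    overdue = []
    for f in findings:
        window = PATCH_WINDOW_DAYS.get(f["severity"])
        if window is None:  # severity without a contractual window
            continue
        deadline = f["first_seen"] + timedelta(days=window)
        fixed = f["fixed"]
        if as_of > deadline and (fixed is None or fixed > deadline):
            late_until = fixed if fixed is not None and fixed < as_of else as_of
            overdue.append({"id": f["id"], "deadline": deadline,
                            "days_late": (late_until - deadline).days})
    return overdue

def condition_gaps(endpoints, last_restore_test, as_of, max_test_age_days=90):
    """Policy-condition gaps an insurer could cite at claim time: hosts without
    MFA or EDR, and a restore test older than max_test_age_days (assumed)."""
    gaps = {}
    no_mfa = [e["host"] for e in endpoints if not e["mfa"]]
    no_edr = [e["host"] for e in endpoints if not e["edr"]]
    if no_mfa:
        gaps["mfa"] = no_mfa
    if no_edr:
        gaps["edr"] = no_edr
    if (as_of - last_restore_test).days > max_test_age_days:
        gaps["backup_restore_test"] = f"last test {last_restore_test.isoformat()}"
    return gaps
```

Run both functions against your real scanner and inventory exports on a schedule and keep the output with the other evidence, so the patch-window and control-coverage questions are answerable from records rather than memory at claim time.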

Indian Cyber Insurance Market Overview

The Indian cyber insurance market is led by domestic general insurers (ICICI Lombard, Bajaj Allianz, HDFC ERGO, Tata AIG, SBI General, Liberty Mutual) plus specialist Lloyd's of London syndicates and global carriers (AIG, Chubb, AXA XL) for larger risks. Premiums range widely by organisation size and risk profile.

Typical Indian premium indication for 2026:

  • Small business (under INR 50 crore revenue): INR 50,000 to 3 lakh per year for basic cover
  • Mid-size business (INR 50 to 500 crore revenue): INR 3 lakh to 25 lakh per year
  • Large enterprise (over INR 500 crore revenue): INR 25 lakh to several crore per year

Limits typically scale from INR 1 crore for a small business up to INR 100 crore plus for large enterprises (with reinsurance for higher limits).

Specialist brokers (Marsh, Aon, Howden, Lockton, plus India-focused brokers) add value through market knowledge, policy structuring and claims support. For any organisation with meaningful cyber exposure, a specialist broker pays for itself.


Frequently Asked Questions

Does cyber insurance cover ransom payments?

It varies by policy. Many policies cover ransom payment with sanctions screening and payment intermediary requirements; some cap the amount; some exclude it entirely. Read the policy and discuss it with your broker before assuming coverage. The coverage trend has been toward more restriction since 2022.

Is cyber insurance worth buying?

For any organisation with material customer data or significant operational dependency on IT, generally yes. The premium is small relative to the unbudgeted cost of an uncovered material incident. Coverage gaps are real, so the policy is a complement to prevention, not a substitute.

How much coverage do we need?

Rule of thumb: enough to cover expected direct incident costs plus several months of business interruption plus regulatory fine exposure. For a mid-size Indian SaaS handling 100,000 customer records, that suggests INR 10 to 25 crore in cover. Specialist brokers help size appropriately.

Does ISO 27001 or SOC 2 help with insurance?

Yes. Both reduce premium and broaden coverage at most insurers. The compliance evidence pack also speeds underwriting and renewal materially. Many insurers offer formal discounts for certified organisations.

What if our policy excludes nation-state attribution?

Practical impact: many sophisticated ransomware groups have varying degrees of nation-state association. Attribution at claim time can become contested. Read the wording carefully; some recent policies have moved toward 'cyber operation' definitions that are easier to apply than 'nation-state' definitions.

How does VAPT improve our insurance position?

VAPT evidence satisfies underwriting questions, surfaces and remediates findings before they become claim events, and signals security maturity. Most insurers offer better terms at renewal for customers with recent VAPT. The investment commonly pays back through premium reduction within 2 to 3 years.


Codesecure Security Team

OSCP / CEH / CISSP / ISO 27001 LA Certified

Codesecure Solutions is ISO/IEC 27001:2022 certified and delivers VAPT, SOC, compliance (ISO 27001, SOC 2, DPDP, HIPAA, PCI DSS, RBI, IRDAI), incident response and managed security across India, Singapore, UAE and the Middle East. Named consultants with OSCP, CEH, CISSP and ISO 27001 Lead Auditor credentials. 150+ engagements completed.
