Cyber Insurance in India: What It Covers and Why You Need It
India's cyber insurance market wants you to believe it's mature. It's not. Here's a dry-eyed look at what these policies actually cover, what they exclude, and why you'll probably still need one anyway.

India's cybersecurity industry will tell you that cyber insurance is the fastest-growing segment in the Indian insurance market. The insurance industry will tell you that most Indian businesses are dangerously underinsured against digital threats. Both statements are true, and both are being used to sell you something. That contradiction — real risk meets aggressive marketing — is basically the entire story of cyber insurance in India right now.
The product exists because the threat is real. CERT-In tracked a sharp uptick in reported cyber incidents through 2025, ransomware crews have been hitting Indian hospitals and manufacturers with depressing regularity, and UPI fraud losses climb every quarter. At the same time, the policies being sold to address these risks are often poorly understood by the people buying them, filled with exclusions that only become apparent at claim time, and priced in ways that have little relationship to the actual risk profile of the insured. It's an imperfect solution to a genuine problem, which, I suppose, describes most of the insurance industry.
Let's walk through what these policies actually do. And what they don't.
The IRDAI — that's the Insurance Regulatory and Development Authority of India — started pushing insurers to offer cyber risk products around 2018. The market was tiny then. A handful of corporate policies, mostly sold to IT companies and banks that had compliance reasons to buy them. By 2024, things had shifted. ICICI Lombard, Bajaj Allianz, HDFC Ergo, and several other general insurers were offering cyber policies for both businesses and individuals. Premiums vary wildly. A small business might pay Rs 15,000 to 50,000 annually for coverage in the Rs 50 lakh to Rs 1 crore range. Individual policies start as low as Rs 1,000 to 2,000 for about Rs 1 lakh of coverage. Whether that coverage means anything when you actually need it is a different question.
What a Business Policy Typically Covers
Corporate cyber insurance in India generally splits into first-party coverage (your own losses) and third-party coverage (liabilities to others). On the first-party side, you're looking at data breach response costs — forensic investigation to figure out what happened, legal counsel to understand your obligations, notification costs if you're required to inform affected individuals, and sometimes credit monitoring for those individuals. Business interruption losses get covered too: if a cyberattack knocks your systems offline for days, the policy reimburses lost income during that downtime, subject to waiting periods and caps.
Cyber extortion coverage is the one that gets the most attention and the most fine print. If your business gets hit with ransomware, the policy may cover ransom payments (where it's legal — there's an ongoing gray area about whether paying ransoms violates anti-money-laundering provisions in India) and the costs of negotiating with the attackers. Most insurers now require you to use their approved incident response firms for extortion cases, which makes sense from their perspective — they want experienced negotiators involved — but limits your flexibility.
Third-party liability covers you when your breach hurts someone else. A customer's data gets leaked because your systems were compromised? The legal defense costs, settlements, and damages that flow from that are covered under third-party provisions. Same goes for regulatory fines, though this is where it gets complicated. Can you insure against penalties imposed by a government regulator? Under Indian law, the answer is "maybe." The DPDP Act provides for penalties up to Rs 250 crore for serious violations, and some cyber policies specifically include regulatory penalty coverage while others carve it out. The legal enforceability of insuring against government penalties hasn't been definitively tested in Indian courts. Insurers hedge their language, and policyholders assume they're covered until they aren't.
Reputation management is another line item. A data breach makes headlines, your brand takes a hit, and you need a crisis communications firm to manage the fallout. Some policies allocate a separate sub-limit for PR and communications expenses. In practice, these sub-limits tend to be small — Rs 5 to 10 lakh — which doesn't go far when you're dealing with a genuine public relations crisis.
Individual Policies: Smaller Stakes, Similar Confusion
Personal cyber insurance aimed at individuals is a newer product in India, and it shows. The typical individual policy covers financial losses from online banking fraud — someone drains your account via a phishing attack or SIM swap scam, and the policy reimburses what the bank won't. It might also cover identity theft restoration (costs of dealing with the bureaucratic nightmare of someone opening accounts in your name), legal expenses related to cyberstalking or harassment, and losses from unauthorized access to your social media accounts.
The premiums are low, the coverage amounts are modest, and the claims process is often clunky. You're typically required to file a police FIR, report the incident to CERT-In, and provide extensive documentation before the insurer will process your claim. For a Rs 50,000 loss from a UPI scam, the hassle of filing a claim against a Rs 1 lakh policy might not feel worth it. Plenty of individual policyholders probably never file claims at all, which suits the insurers fine.
The market positioning of these products is interesting, though. Bajaj Allianz and a few others have started bundling cyber insurance with broader personal accident or health insurance plans, trying to normalize it as just another thing you insure against, like hospitalization or motor accidents. That bundling approach will probably do more for adoption than any amount of awareness campaigns.
The Exclusions You Need to Read
Every insurance product is defined more by what it excludes than what it includes, and cyber policies are especially aggressive about exclusions. Here's what typically won't be covered, even if you think it should be.
Pre-existing vulnerabilities. If your systems were running unpatched software or using default passwords at the time of the breach, the insurer will likely deny your claim. They call this "failure to maintain minimum security standards," and it's their most powerful escape clause. The definition of "minimum standards" is often vague in the policy document, which gives the insurer a lot of room to argue. A company that hadn't applied a critical Windows patch that had been available for three months? Good luck getting that claim paid.
War, terrorism, and state-sponsored attacks. Most policies exclude losses arising from acts of war or terrorism. With state-sponsored cyber operations becoming more common — and the line between criminal hacking groups and government-backed operations becoming blurrier — this exclusion is getting harder to apply cleanly. If a Russian ransomware gang with alleged ties to intelligence services hits your Mumbai-based logistics company, is that terrorism? Nobody really knows, and the policy language doesn't help.
Social engineering that relies on human action. Here's a subtle one. If your finance team gets tricked by a fake email into wiring Rs 40 lakh to a fraudulent account (a classic business email compromise attack), some policies won't cover it because the human chose to make the transfer. The system wasn't "breached" in the technical sense. Other policies do cover social engineering losses, but under a separate sub-limit that's usually much lower than the main coverage. Check your policy's exact language on this, because it's one of the most common attack types in India.
Losses predating the policy. If you're breached in April and buy cyber insurance in June, anything related to the April incident is excluded. Obviously. But what about slow-burn attacks where the initial compromise happened months before detection? Attribution and timeline disputes are common in claims.
Contractual penalties. If your contract with a client says you'll pay them Rs 1 crore for a data breach, your cyber policy might cover the actual breach costs but not the contractual penalty you agreed to separately.
Do You Actually Need It, Though?
That's the question, isn't it. Here's how I'd think about it.
If you're running any business that touches customer data — an e-commerce shop, a healthcare clinic with digital records, a fintech startup, an accounting firm — then yes, you probably need cyber insurance. Not because it'll magically make you whole after an attack, but because the incident response support that comes with the policy is often more valuable than the payout itself. Good policies connect you with forensic investigators, legal counsel, and crisis managers within hours of an incident. When you're a 15-person company dealing with your first ransomware attack at 2 AM, having a phone number to call and getting expert help immediately is worth the annual premium many times over.
For SMEs specifically — and India has something like 63 million MSMEs, most of which are digitizing rapidly — the cost-benefit math works. You're paying Rs 20,000 to 40,000 a year for coverage that could save you from a Rs 30 to 50 lakh loss event. The probability of a cyber incident is hard to pin down precisely, but if you accept that it's non-trivial and rising, the insurance math holds up, exclusions and all.
For individuals, I'm more ambivalent. If you're doing a lot of online banking and stock trading, and you're worried about account takeover or SIM swap attacks, a personal cyber policy gives you a floor of protection that your bank's fraud reimbursement process might not. But if your digital footprint is modest, the low-premium individual policies might be a solution looking for a problem. It probably depends on your risk tolerance and how much of your financial life lives online.
The bigger issue, and one the insurance industry doesn't love talking about, is that cyber insurance doesn't reduce risk. It transfers financial consequences. The breach still happens. The data still leaks. The reputational damage still occurs. Insurance pays some of the bills afterward, but it doesn't prevent the incident or undo the harm. Spending your security budget entirely on insurance premiums instead of actual security measures would be like buying fire insurance and throwing out your smoke detectors.
The Claims Process: Where Theory Meets Reality
I've talked to three Indian business owners who've actually filed cyber insurance claims. Their experiences were... mixed. One, a small e-commerce company in Bangalore that got hit with a credential stuffing attack resulting in fraudulent orders, had a relatively smooth claims experience — the insurer sent a forensic team within 48 hours, the investigation was professional, and the payout covered about 70% of their direct losses. The other two found the process adversarial. Insurers questioned whether "adequate security measures" had been in place, requested documentation the businesses hadn't thought to preserve, and dragged the claims process out over months.
The documentation burden during a claim is something most policyholders don't anticipate. You need to produce evidence of the attack, proof of financial loss, documentation of your security posture before the incident, incident response logs, and sometimes third-party assessments. If you weren't keeping detailed records before the attack — and most SMEs aren't — assembling this documentation under crisis conditions is a nightmare. One business owner told me the claims process was almost as stressful as the attack itself.
There's a lesson here: if you're buying cyber insurance, treat the policy requirements as a security checklist. Most policies specify baseline security measures you need to maintain for coverage to remain valid — things like MFA, regular patching, backup procedures, and employee training. Meet those requirements not just because the policy says so, but because they'll also reduce your likelihood of needing to file a claim in the first place. And if you do file, the fact that you can demonstrate compliance with the policy's security requirements makes the claims process significantly less contentious.
The Indian market is also starting to see parametric cyber insurance products — policies that pay out a fixed amount when a specific trigger event occurs (like a confirmed ransomware attack or a regulatory data breach notification), without requiring you to prove the exact financial loss. These are simpler and faster than traditional indemnity policies, though the payouts are typically lower. For small businesses that want a safety net without the documentation overhead, parametric policies might turn out to be a better fit. They're still uncommon in India as of early 2026, but a few insurers are piloting them.
One more thing worth noting: the cyber insurance market in India is growing fast enough that competition among insurers is actually improving policy terms. Premiums have come down over the past two years for businesses that can demonstrate decent security hygiene. Coverage limits are going up. Sub-limits for specific categories (social engineering, reputation management) are becoming more generous. If you looked at cyber insurance policies a couple of years ago and found them lacking, the current crop may surprise you. The market's maturing, unevenly and imperfectly, but maturing.
A wrinkle specific to the Indian context: the DPDP Act penalty insurability question. Under the Act, the Data Protection Board can impose penalties of up to Rs 250 crore for serious violations. Can you insure against those penalties? Public policy in most legal systems holds that you shouldn't be able to insure against punitive sanctions, because the point of a penalty is to deter behavior, and insurance would neutralize the deterrent. But in practice, the distinction between "compensatory" and "punitive" isn't always clear-cut, and some Indian cyber policies include regulatory penalty coverage with careful wording designed to thread that legal needle. If you're buying a corporate cyber policy, read the regulatory penalty clause extremely carefully and have your legal counsel review it. You don't want to discover at claim time that the Rs 10 crore regulatory fine you assumed was covered is actually excluded because the insurer classifies it as a punitive penalty rather than a compensatory one. The legal situation here genuinely hasn't been settled, and the first major DPDP Act penalty case to involve an insurance claim will probably set an important precedent.
A friend who runs a mid-sized logistics company in Pune told me something last year that stuck. He'd just renewed his cyber policy — Rs 3 lakh annual premium, Rs 5 crore coverage — and his insurance broker was congratulating him on being "well-protected." He laughed and said, "Protected? I've got twelve servers running Windows Server 2016, a firewall I haven't updated since 2023, and a sysadmin who's also the office manager and the guy who fixes the coffee machine. The insurance is for when, not if." Then he asked me how to actually improve his security posture, which was a better question than anything his broker had asked him. We spent the next hour talking about MFA, backup strategies, patching schedules, and employee training — things that would reduce the probability of an incident, not just cover the costs after one. The premium got paid, but at least he wasn't confused about what it would and wouldn't do for him. That clarity, I think, is worth more than the policy itself.
Written by Rajesh Kumar, Founder & Chief Editor
Rajesh Kumar is a cybersecurity expert with over 12 years of experience in digital privacy and data protection. He has worked with CERT-In and various Indian enterprises to strengthen their data security practices. He founded PrivacyTechIndia to make privacy awareness accessible to every Indian.