Why US and UK Cyber Exposure Is Structurally Different for Indian IT Firms
India's IT services industry generates approximately USD 227 billion in export revenue annually, with the United States accounting for roughly 55% of that total and the United Kingdom for a further 15 to 17%. For Infosys, Wipro, HCL Technologies, Tech Mahindra, Mphasis, and hundreds of mid-tier IT services companies, the US and UK are not simply large markets: they are the jurisdictions where the most significant cyber liability exposures reside. The data processed for US healthcare clients, UK financial institutions, and American retail chains is subject to regulatory frameworks that carry penalties and litigation costs that can exceed the annual revenues of all but the largest Indian IT firms.
The structural difference between domestic Indian cyber risk and US-UK cyber exposure comes from three sources. The first is regulatory jurisdiction: a breach affecting US residents triggers state-level breach notification obligations under 50 different state laws, with Massachusetts, California, and New York having the most onerous requirements. The second is litigation culture: class action lawsuits following a data breach are a standard feature of the US legal environment, with plaintiffs' firms filing within days of a breach announcement. Settlements in major US healthcare or retail data breach class actions run to USD 50 to 700 million. There is no meaningful equivalent litigation exposure in India. The third is contractual indemnity: Master Services Agreements with US and UK clients routinely require the Indian vendor to indemnify the client for losses arising from a security breach, with minimum cyber insurance limits of USD 5 to 10 million per occurrence and sometimes USD 25 million in aggregate.
The Indian IT industry's exposure has grown as the sophistication of services delivered has increased. Moving from application maintenance (low data sensitivity) to digital transformation engagements (deep access to client production environments), cloud migration (access to client infrastructure), and AI model training on client data (ingestion of large proprietary datasets) has raised the potential impact of any security incident from a data exposure affecting a contained legacy system to a breach that touches the client's entire operational and customer data estate.
US Regulatory Framework: CCPA, State Breach Notification Laws, and SEC Cyber Disclosure Rules
The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA) effective January 2023, is the most significant state-level data privacy statute affecting Indian IT vendors serving US clients. CCPA grants California residents rights over their personal information and places obligations on businesses that process that information, including service providers who process data on behalf of covered businesses. An Indian IT firm that processes data on behalf of a California-based enterprise client is a service provider under CCPA and must comply with the data use restrictions in its service provider agreement. Statutory damages for non-compliance range from USD 100 to USD 750 per consumer per incident, and for breaches involving large consumer datasets, the aggregate exposure can reach hundreds of millions of dollars.
Beyond California, 47 US states, the District of Columbia, Puerto Rico, and Guam have enacted breach notification laws. New York's SHIELD Act and Massachusetts 201 CMR 17 are particularly demanding. The SHIELD Act requires notification within the fastest reasonable time without unreasonable delay (interpreted as 30 days in most regulatory guidance). Massachusetts 201 CMR 17 requires not just notification but a written information security programme (WISP) from any entity holding Massachusetts resident data. An Indian IT firm breached on a Monday morning must be prepared to notify 47 state attorneys general, affected individuals, and potentially credit bureaus within timelines that in some states are as short as 30 days. This requires a breach response infrastructure that most mid-tier Indian IT firms have not built.
The SEC Cyber Disclosure Rules, effective December 2023, require US-listed public companies to disclose material cybersecurity incidents within four business days of determining materiality and to describe their cybersecurity risk management processes in annual reports. Indian IT companies listed on US exchanges (Infosys, Wipro, HCL Tech, HDFC Bank's US ADR holders) are directly subject to these rules. More significantly, many US-listed clients of Indian IT firms must now disclose material incidents that involve their vendors. A breach at an Indian IT vendor that affects a US-listed client's systems triggers the client's four-day disclosure obligation. The resulting reputational and contractual consequences for the Indian vendor can be severe even if the vendor itself is not SEC-reporting.
The Health Insurance Portability and Accountability Act (HIPAA) applies to Indian IT firms that are business associates (processing protected health information on behalf of US healthcare covered entities). HIPAA breach penalties range from USD 100 to USD 50,000 per violation, with an annual cap of USD 1.9 million per category. However, the Office for Civil Rights (OCR) has imposed multi-million dollar settlements in major breach cases, and the exposure for an Indian IT firm holding large volumes of US patient data is material.
UK Regulatory Framework: UK GDPR, ICO Enforcement, and Financial Sector Requirements
The UK General Data Protection Regulation (UK GDPR), retained in domestic law after Brexit and supplemented by the Data Protection Act 2018, applies to Indian IT firms processing personal data of UK residents. The maximum penalty under UK GDPR is GBP 17.5 million or 4% of global annual turnover, whichever is higher. The Information Commissioner's Office (ICO) has demonstrated willingness to use these powers: its enforcement actions against British Airways (GBP 20 million), Marriott International (GBP 18.4 million), and other organisations following major data breaches establish the regulatory benchmark.
For Indian IT firms, UK GDPR Article 28 governs the relationship between data controllers (the UK client) and data processors (the Indian IT vendor). The Article 28 data processing agreement must specify the technical and organisational security measures the processor will implement. A breach of those commitments is not only an ICO enforcement risk for the controller but a contractual claim by the client against the Indian vendor for breach of the data processing agreement.
The UK Financial Conduct Authority (FCA) and the Prudential Regulation Authority (PRA) have issued supervisory statements on operational resilience and third-party risk management that directly affect Indian IT vendors serving UK financial services firms. PS21/3 (Operational Resilience) requires UK FCA-regulated firms to identify important business services and set impact tolerances; vendors who support those services must demonstrate they can maintain continuity within those tolerances. A UK bank's reliance on an Indian IT firm for core banking application support requires the bank to assess and manage the vendor's operational resilience, and the bank's insurance requirements flow through to the vendor's MSA.
The Network and Information Systems (NIS) Regulations in the UK apply to operators of essential services and relevant digital service providers. Indian IT firms that are relevant digital service providers (cloud computing services, online search engines, online marketplaces) operating in the UK must register with the ICO and comply with security and incident reporting obligations. Failure to do so can result in penalties up to GBP 17 million.
MSA Indemnity Clauses and Minimum Insurance Requirements: The Contract-Driven Insurance Gap
The practical driver of cyber insurance purchasing decisions for most mid-tier Indian IT firms is not regulatory compliance but contractual obligation. The Master Services Agreements used by large US and UK clients specify minimum insurance coverages that the Indian vendor must maintain as a condition of contract. Across a sample of MSAs reviewed from US technology clients, US healthcare payers, and UK financial services firms, the typical minimum cyber liability requirements are:
- USD 5 to 10 million per occurrence for IT services providers with annual revenues below USD 500 million
- USD 10 to 25 million per occurrence for providers with revenues above USD 500 million or with access to particularly sensitive data categories (health, financial, government)
- USD 25 to 50 million per occurrence for contracts involving critical infrastructure, defence-related work, or financial market infrastructure
These limits must typically be maintained on policies placed in US or UK admitted markets or on Lloyd's of London paper with specific wording provisions. The MSA usually requires the vendor to provide a certificate of insurance naming the client as additional insured, confirming the coverage limit, and confirming that the policy includes a waiver of subrogation in the client's favour.
The gap between these contractual requirements and what IRDAI-filed Indian cyber products provide is significant on several dimensions. Indian cyber insurance products approved under IRDAI's Cyber Liability Insurance product guidelines are designed for domestic risk: they cover first-party costs (breach response, notification, forensics, public relations) and third-party liability claims arising from Indian privacy law obligations. They do not typically include US-jurisdictional coverage for CCPA statutory damages, HIPAA business associate liability, or the specific breach response vendor networks required by US clients (US-admitted legal counsel, US forensic firms, US credit monitoring providers). They also do not include SEC disclosure support, which requires a US securities attorney and a crisis communications firm retained within hours of a material incident determination.
Lloyd's vs US-Admitted vs Indian IRDAI Cyber: Coverage Differences That Matter
Indian IT firms with significant US-UK revenue typically need to consider three types of cyber insurance placement, which differ in structure, coverage scope, and claims response capability.
An IRDAI-filed Indian cyber product (available from New India Assurance, Tata AIG, ICICI Lombard, HDFC Ergo, and others) covers the domestic risk competently: INR-denominated coverage, breach of DPDP Act 2023 obligations, domestic notification costs, and third-party claims under Indian jurisdiction. Annual premiums for an Indian IT firm with INR 500 crore in revenue typically run INR 30 to 80 lakh for INR 25 to 50 crore in coverage. These policies are not appropriate as the primary insurance instrument for US-UK regulatory or contractual exposure because coverage is framed around Indian law and the claims response panel is India-based.
A Lloyd's of London cyber policy (placed through a London broker or a global broker's Indian desk with Lloyd's market access) provides USD or GBP-denominated coverage with global territorial scope, US-admitted paper available on some syndicates, broad breach response provisions including US legal counsel, forensic firms, and notification services, and coverage for regulatory defence costs and fines in jurisdictions where they are insurable. Annual premiums for an Indian IT firm with USD 50 million in US revenue, a clean loss history, and mature security controls typically run USD 150,000 to 400,000 for USD 10 million in coverage. For firms with cloud access to client environments, weaker controls, or a prior breach history, premiums can be two to three times those benchmarks.
A US-admitted cyber policy (placed with carriers such as Chubb, AIG, Beazley, Travelers, or Coalition in the US) is required in some MSAs that specify the policy must be admitted in the vendor's state of operations or in a specified US state. US-admitted policies trigger state insurance regulation in the US, which provides payment security but can limit coverage flexibility compared to Lloyd's non-admitted paper.
For most Indian IT firms in the USD 20 to 500 million revenue range with material US-UK exposure, the practical solution is a layered programme: a primary US or Lloyd's policy for USD/GBP exposure, supplemented by a domestic Indian policy for DPDP Act and domestic client obligations. Firms with revenues above USD 500 million (Infosys, Wipro, HCL Tech, Tech Mahindra) typically place global cyber programmes through multinational insurance platforms with local admitted policies in each major operating jurisdiction.
DORA and EU Financial Sector Implications for Indian IT Vendors
The Digital Operational Resilience Act (DORA), which came into full application in January 2025 across EU member states, introduces a new compliance dimension for Indian IT vendors serving EU financial institutions. DORA classifies certain IT service providers as Critical ICT Third-Party Providers (CTPPs) subject to direct EU regulatory oversight by the European Supervisory Authorities (ESAs). Even vendors not formally designated as CTPPs face indirect DORA obligations through contractual requirements imposed by their EU financial institution clients.
For Indian IT firms, DORA's practical impact comes through three channels. The first is contract requirements: DORA Article 30 mandates that EU financial institutions include specific provisions in ICT service contracts, including clear service level definitions, right-to-audit clauses, incident notification obligations (the EU financial entity must notify its regulator of major ICT incidents; the vendor must notify the entity in time for this to happen), and termination rights in specified circumstances. Indian IT vendors with EU financial institution clients are renegotiating their MSAs to include DORA-compliant provisions.
The second channel is incident notification timelines. DORA requires EU financial institutions to notify their competent authorities of major ICT incidents within 4 hours of classification (initial notification), to submit an intermediate report within 72 hours, and to submit a final report within one month. To comply, the EU financial institution needs the Indian vendor to notify it of any incident affecting EU-related services within one to two hours of detection. This requires the Indian vendor to have an incident response capability that operates around the clock and can triage and communicate incident information within hours, not days.
The third channel is testing requirements. DORA requires EU financial institutions to conduct Threat-Led Penetration Testing (TLPT) at least every three years, and the scope of TLPT can extend to critical IT vendors' systems and infrastructure. Indian IT vendors supporting critical functions of EU financial institutions may be required to participate in TLPT exercises, which involves authorising red team access to production-equivalent environments.
From an insurance perspective, DORA creates coverage demand that existing policies may not satisfy. The cyber extortion and system failure coverage required to respond to a DORA-reportable incident includes not just breach response but also the cost of regulatory liaison (engaging a compliance specialist to prepare regulatory notifications), business interruption on the vendor's own operations, and contractual liability to the EU financial institution client for SLA breaches during the incident. Indian IRDAI-filed cyber products rarely include DORA-specific regulatory liaison costs or EU-jurisdictional regulatory defence as covered heads of loss.
Premium Benchmarks and Programme Structuring for Indian IT in US and UK Markets
Premium benchmarks for Indian IT companies purchasing cyber coverage for US and UK exposure reflect both the risk profile of the sector and the loss experience that has accumulated in the cyber insurance market since 2020. The following figures reflect Lloyd's and US market pricing as of early 2026 and should be treated as directional rather than definitive, given the high volatility of cyber insurance pricing.
For an Indian IT services firm with USD 100 million in US revenue, no prior cyber loss, mature security controls (MFA on all remote access, EDR deployed, offline backups, incident response plan tested annually), and no public cloud environment access to client systems, a realistic primary limit of USD 10 million can be placed for USD 180,000 to 280,000 annually on Lloyd's paper. The same firm with a prior ransomware incident or with privileged access to client cloud environments would expect premiums of USD 350,000 to 600,000.
For an Indian BPO firm handling US healthcare data as a HIPAA business associate with USD 50 million in US revenue, the health data sensitivity adds a loading: USD 10 million primary can cost USD 250,000 to 450,000 annually depending on security maturity and the volume of protected health information processed.
For an Indian fintech or IT firm serving UK FCA-regulated clients with DORA-relevant obligations, UK-specific regulatory defence and DORA compliance support endorsements add 10 to 20% to base premiums.
Programme structuring best practices for Indian IT firms include:
- Aligning the policy year with the largest MSA renewal to ensure coverage is confirmed at contract renegotiation.
- Placing coverage through a global or Lloyd's broker with access to specialist cyber underwriters who understand Indian IT vendor risk profiles (Marsh, Aon, WTW, and Howden all have dedicated practices).
- Reviewing the definition of covered services to ensure IT outsourcing, cloud services, BPO, and GCC activities are all within the policy scope.
- Negotiating retroactive date coverage to address prior acts that may surface as claims after the policy is placed.
- Confirming that sub-limit structures for social engineering, system failure (not just security failure), and DORA-related regulatory costs are adequate.
- And critically, ensuring the breach response panel includes US and UK legal counsel, forensic firms, and notification service providers who are pre-approved by major MSA counterparties.