Cyber Insurance
A policy that protects businesses against financial losses arising from cyber incidents such as data breaches, ransomware attacks, network intrusions, and business email compromise, covering both first-party losses and third-party liabilities.
Last reviewed: April 2026
In plain English
Cyber insurance helps your business recover financially after a hacking incident, data breach, or ransomware attack by covering costs like hiring forensic experts, notifying affected customers, restoring systems, and defending against lawsuits — essentially acting as a safety net for the digital risks that traditional policies ignore.
Detailed explanation
Cyber insurance has rapidly evolved from a niche product to a critical line of coverage for Indian businesses, driven by the exponential growth of digital commerce, cloud adoption, and an increasingly hostile threat landscape. In the Indian context, the policy is particularly relevant given the regulatory obligations imposed by the Information Technology Act 2000 (and its amendments), the CERT-In Directions of 2022 requiring mandatory incident reporting within six hours, and the Digital Personal Data Protection (DPDP) Act 2023, which introduces significant penalties for data breaches.
A typical cyber insurance policy provides first-party coverage for incident response costs, forensic investigation, data restoration, business interruption losses due to network downtime, cyber extortion payments (where legally permissible), and crisis communication expenses. On the third-party side, it covers legal defence costs, regulatory fines and penalties (where insurable by law), and liability arising from the unauthorised disclosure of personal or confidential data.
Indian insurers and reinsurers have been refining cyber products under IRDAI oversight, with many policies now offering sub-limits for social engineering fraud and funds transfer fraud, both highly prevalent in the Indian market. Underwriting typically involves a detailed assessment of the applicant's IT security posture, including endpoint protection, access controls, backup protocols, and employee training programmes. Businesses operating in sectors such as BFSI, healthcare, e-commerce, and IT services face elevated cyber risk and are increasingly finding that cyber insurance is a prerequisite for enterprise client contracts and regulatory compliance.
Indian example
A Mumbai-based fintech startup suffers a ransomware attack that encrypts its customer database containing Aadhaar-linked KYC records of 4 lakh users. The cyber insurance policy covers Rs 95 lakh in forensic investigation, CERT-In compliant incident reporting, customer notification, credit monitoring services, and legal defence when the company faces a regulatory inquiry under the IT Act and DPDP Act 2023.
Frequently Asked Questions
Is cyber insurance mandatory for businesses in India?
What is typically excluded from a cyber insurance policy in India?