IT Services & Technology

Insurance risk profiling for Indian IT services, SaaS, and technology companies covering cyber liability, professional indemnity, errors and omissions, and data privacy compliance under the Digital Personal Data Protection Act.

5 key risks | 5 recommended coverage lines

Last reviewed: April 2026

Industry overview

India's IT and business process management (BPM) industry generates over $245 billion in revenue, with exports exceeding $200 billion. The sector employs approximately 5.4 million people directly and over 10 million indirectly. Major hubs include Bengaluru, Hyderabad, Pune, Chennai, Gurugram, and Noida, with emerging centres in Kochi, Jaipur, and Indore. The industry spans IT services (TCS, Infosys, Wipro), product companies, SaaS startups, GCCs (Global Capability Centres), and BPM operations.

The insurance risk profile for IT services differs fundamentally from traditional industries because physical assets are relatively low-value while intangible exposures — intellectual property, client data, contractual obligations, and professional reputation — are extremely high-value. Professional Indemnity (Errors & Omissions) insurance is the cornerstone coverage, protecting against claims arising from service delivery failures, software bugs, project delays, and advisory errors that cause financial loss to clients.

Cyber risk has escalated to a board-level concern. Indian IT companies handle vast volumes of personal data, financial records, and proprietary business information for global clients. A data breach affecting a major client can trigger contractual penalties, regulatory fines under GDPR (for EU data), CCPA (for US data), and now the Digital Personal Data Protection Act, 2023. Ransomware attacks targeting Indian IT infrastructure have increased significantly, with attackers specifically targeting managed service providers to gain access to multiple downstream client environments.

Directors and Officers (D&O) liability is significant for listed IT companies and VC-funded startups alike. SEBI regulations for listed entities and investor protection norms for startups create personal liability exposure for management. The rise of shareholder activism and regulatory scrutiny following corporate governance lapses has made D&O coverage essential. Employment practices liability also features prominently, given the sector's large workforce and issues around layoffs, non-compete enforcement, and workplace harassment claims.

Key risks

Data Breach and Cyber Attack

high

Ransomware, phishing, and supply chain attacks targeting IT infrastructure and client data. Indian IT companies managing global client data face multi-jurisdictional breach notification requirements and potential regulatory fines under GDPR, CCPA, and India's DPDP Act.

Professional Liability (Errors & Omissions)

high

Claims arising from software defects, project delivery failures, system outages, or advisory errors causing client financial loss. A critical bug in a banking application or ERP implementation failure can generate claims worth crores.

Intellectual Property Infringement

medium

Allegations of IP theft, patent infringement, or misuse of open-source software in deliverables. Indian IT companies developing products for global markets face IP litigation risk, particularly in US jurisdictions.

Directors & Officers Liability

medium

Personal liability claims against management for governance failures, financial misstatements, or regulatory non-compliance. SEBI enforcement actions against listed IT companies and investor disputes in startup fundraising create D&O exposure.

Business Continuity and Service Disruption

medium

Failure to maintain contracted service levels due to infrastructure outage, natural disaster, or workforce disruption. SLA penalties and client termination following extended outages can cause significant revenue and reputation loss.

Common claim scenarios

Ransomware Attack on Managed Service Provider in Bengaluru

A mid-size IT services company in Bengaluru providing managed hosting to 30 clients was hit by a ransomware attack that encrypted production servers. The company was offline for 72 hours, breaching SLA commitments across multiple contracts. The cyber insurance policy covered incident response costs, client notification, forensic investigation, and business interruption losses totalling ₹8 Cr.

₹5-15 Cr

ERP Implementation Failure for Retail Chain

A Pune-based IT company deployed an ERP system for a national retail chain that failed during the go-live phase, causing inventory management chaos across 200 stores during the Diwali season. The retailer claimed ₹12 Cr in lost sales and remediation costs. The professional indemnity policy responded to the claim and funded legal defence.

₹5-20 Cr

Data Breach Exposing EU Customer Records

A GCC in Hyderabad processing personal data for a European financial services client suffered a data breach affecting 500,000 records. GDPR breach notification obligations were triggered, and the client invoked contractual indemnities. The cyber liability policy covered regulatory response costs, credit monitoring for affected individuals, and the contractual penalty.

₹10-50 Cr

Underwriter checklist

  • Assess cyber security maturity: ISO 27001 certification, SOC 2 reports, penetration testing frequency, and incident response plans
  • Review professional indemnity exposure: contract values, limitation of liability clauses, and SLA penalty structures
  • Evaluate data handling practices: classification of data processed, encryption standards, and data residency compliance
  • Check regulatory compliance posture: DPDP Act readiness, GDPR compliance for EU data, and sector-specific standards
  • Review business continuity and disaster recovery plans: RTO/RPO targets, DR site availability, and testing frequency
  • Assess D&O exposure: corporate governance structure, regulatory compliance history, and shareholder composition
  • Evaluate vendor and sub-contractor management for outsourced development and infrastructure

Regulatory and compliance notes

Indian IT companies are subject to the Information Technology Act, 2000 and the Digital Personal Data Protection Act, 2023 for data privacy. CERT-In rules mandate 6-hour breach reporting for specified cyber incidents. Listed IT companies must comply with SEBI (LODR) regulations for corporate governance and disclosure. The Software Technology Parks of India (STPI) and SEZ regulations govern tax benefits for export-oriented units. For companies handling international data, compliance with GDPR, CCPA, HIPAA, and PCI-DSS may be contractually mandatory depending on client jurisdiction and data type.

Frequently Asked Questions

Is cyber insurance mandatory for IT companies in India?

Cyber insurance is not legally mandated by IRDAI or any Indian statute for IT companies. However, it has become a de facto commercial requirement. Most enterprise clients, particularly in banking, financial services, and healthcare, require their IT service providers to maintain cyber liability coverage as a contractual condition. CERT-In's 2022 directive mandating 6-hour breach reporting, combined with the Digital Personal Data Protection Act's penalty provisions (up to ₹250 crore), has made the financial exposure from a cyber incident severe enough that cyber insurance is considered essential risk management for any IT services company handling client data or operating critical systems.

What does a Professional Indemnity policy cover for an IT services company?

A Professional Indemnity (PI) policy for IT services covers legal liability arising from acts, errors, or omissions in the provision of professional services. This includes claims from clients for software bugs causing business loss, project delivery delays, system implementation failures, data loss due to negligence, and incorrect technical advice. The policy typically covers defence costs, settlements, and judgments. Key extensions for IT companies include cyber liability (sometimes bundled), intellectual property defence costs, and subcontractor errors. PI policies are typically written on a claims-made basis, meaning the policy in force when the claim is first made responds, regardless of when the error occurred.
