Industry Risk Profiles

IT Services in India: Managing Cyber Risk and Professional Liability

India's IT services industry powers global digital infrastructure but faces mounting cyber risk and professional liability exposure. A comprehensive look at the insurance landscape for India's technology sector.

Sarvada Editorial Team | Insurance Intelligence | 3 min read

Tags: cyber insurance, IT services, professional indemnity, data breach, DPDP Act, technology E&O

Last reviewed: February 2026

In this article

  • Indian IT services companies face dual exposure to cyber risk and professional liability, with global client contracts mandating minimum PI limits of USD 5-10 million.
  • The DPDP Act, 2023 creates direct statutory liability for data processors with penalties up to INR 250 crore, fundamentally changing the cyber insurance calculus for IT companies.
  • CERT-In's six-hour incident reporting mandate means that delayed breach detection or response can create compliance violations that complicate insurance claims.
  • Cyber business interruption cover is distinct from traditional BI insurance and requires careful evaluation of waiting periods, sub-limits, and revenue quantification methodology.
  • Multi-policy programme coordination is essential to avoid gaps where a single incident triggers cyber, PI, and D&O claims simultaneously.

India's IT Services Sector: Risk Profile Overview

India's IT services industry generated revenues exceeding USD 245 billion in FY2025, employing over 5.4 million professionals across Bengaluru, Hyderabad, Pune, Chennai, and Gurugram. The sector spans IT outsourcing, business process management, software product development, cloud services, and emerging areas like AI/ML services.

From an insurance perspective, IT services companies face two primary risk categories: cyber risk (data breaches, ransomware, system failures) and professional liability (errors, omissions, and contractual failures in service delivery). Unlike manufacturing, physical asset exposure is minimal — the risk is overwhelmingly in the digital and contractual domain. This makes accurate risk assessment challenging for traditional underwriters accustomed to tangible property risks.

Cyber Risk Landscape for Indian IT Companies

Indian IT services companies are both targets and custodians of cyber risk. They process and store vast volumes of client data, including personally identifiable information (PII) of millions of end-users across multiple jurisdictions. A data breach at an Indian IT services provider can trigger notification obligations under GDPR (for European clients), CCPA (for Californian clients), and the Digital Personal Data Protection Act, 2023 (DPDP Act) domestically.

CERT-In reported over 1.39 million cybersecurity incidents in 2023 alone. Ransomware attacks targeting Indian IT companies have increased sharply, with average ransom demands reaching INR 5-15 crore for mid-sized firms. The CERT-In Directions of April 2022 mandate six-hour incident reporting, VPN log maintenance, and system clock synchronisation — compliance failures carry penalties and can invalidate insurance claims.

Professional Indemnity: Technology Errors and Omissions

Professional indemnity (PI) or Technology Errors and Omissions (Tech E&O) insurance is the foundational coverage for IT services companies. It covers claims arising from negligent acts, errors, or omissions in the provision of professional services — software bugs that crash a client's system, project delivery failures, data migration errors, or inadequate cybersecurity implementations.

Master Service Agreements (MSAs) with global clients routinely mandate PI cover with minimum limits of USD 5-10 million. Indian IT companies servicing BFSI clients face particularly stringent requirements, as financial regulators in the US, UK, and EU require their regulated entities to ensure vendor insurance adequacy. Premium rates for Tech E&O in India typically range from 0.3-0.8% of the limit of indemnity, depending on revenue, client concentration, and claims history.

The DPDP Act and Its Insurance Implications

The Digital Personal Data Protection Act, 2023 represents a watershed for Indian IT companies' liability exposure. The Act imposes obligations on data fiduciaries and data processors regarding consent, purpose limitation, data minimisation, and breach notification. Penalties for non-compliance can reach INR 250 crore per instance.

For IT services companies acting as data processors for their clients, the DPDP Act creates direct statutory liability that supplements existing contractual obligations. Cyber insurance policies must be evaluated for whether they adequately cover DPDP Act regulatory defence costs, penalty coverage (where insurable), and breach notification expenses. Underwriters are increasingly assessing data governance frameworks, privacy impact assessments, and data protection officer appointments when evaluating cyber risk for IT companies.

Business Interruption in a Digital Context

Business interruption for IT services companies manifests differently from physical-damage-triggered BI. A ransomware attack rendering systems inoperable, a cloud service outage, or a DDoS attack can halt service delivery across multiple client engagements simultaneously without any physical damage occurring.

Cyber business interruption coverage — available as an extension within cyber insurance policies — addresses this gap. However, waiting period deductibles (typically 8-12 hours), sub-limits, and the challenge of quantifying revenue loss for project-based businesses create coverage adequacy questions. An IT company in Bengaluru that suffered a 72-hour ransomware-induced outage estimated its combined revenue loss and recovery costs at INR 22 crore, underscoring the need for adequate limits.

Structuring the Insurance Programme

A well-structured insurance programme for an Indian IT services company should include:

  • cyber liability insurance covering first-party losses (breach response, data recovery, business interruption) and third-party claims (privacy liability, regulatory defence);
  • professional indemnity / Tech E&O covering service delivery failures;
  • directors and officers liability, given increasing personal accountability under the DPDP Act and the Companies Act; and
  • crime/fidelity insurance covering employee fraud and social engineering losses.

The key challenge is ensuring these policies work together without gaps or overlaps. A claim may involve elements of cyber breach, professional negligence, and regulatory investigation simultaneously. Policy wordings must be reviewed for consistency in trigger definitions, hammer clauses, and allocation of defence costs across overlapping coverages.

Frequently Asked Questions

What is the difference between cyber insurance and professional indemnity for IT companies?

Cyber insurance covers losses arising from cyber events — data breaches, ransomware attacks, system intrusions, and privacy violations — including first-party costs (forensic investigation, data recovery, notification expenses, business interruption) and third-party claims (privacy liability, regulatory fines). Professional indemnity (PI) or Tech E&O covers claims arising from negligent professional services — software defects, project failures, missed deadlines, or inadequate implementations — regardless of whether a cyber event is involved. An IT company needs both: a software bug crashing a client's system is a PI claim, while a data breach through that same software is a cyber claim.

Does the DPDP Act, 2023 affect insurance requirements for Indian IT companies?

Yes, significantly. The Digital Personal Data Protection Act, 2023 imposes direct obligations on data processors (which includes most IT services companies processing client data) including breach notification within prescribed timelines, data minimisation, and purpose limitation. Penalties up to INR 250 crore per violation create substantial financial exposure. IT companies must ensure their cyber insurance policies cover DPDP Act regulatory defence costs, breach notification expenses, and — where the policy wording permits — regulatory penalties. The Act also drives underwriter scrutiny of data governance frameworks and privacy compliance programmes.

How are cyber insurance premiums calculated for Indian IT services companies?

Cyber insurance premiums for Indian IT companies are calculated based on several factors: annual revenue (the primary exposure base), type and volume of data processed (PII, financial data, health records), client industry mix (BFSI clients increase exposure), cybersecurity maturity (assessed through security questionnaires covering endpoint protection, MFA, backup protocols, incident response plans), regulatory jurisdiction exposure (GDPR, CCPA, DPDP Act), and claims history. Premium rates typically range from 0.5-2% of the limit of indemnity. Companies with SOC 2 Type II certification and robust security postures receive preferential pricing.
