Cyber Business Interruption Cover for Indian Corporates: 2026 Wordings Review

Cyber insurance claim data published by the General Insurance Council and aggregated by reinsurer panels through 2025 shows a structural shift in the Indian cyber loss profile. Through 2020 to 2022, breach response (forensic, notification, legal) was the dominant claim category by value, representing 45 to 55 percent of total cyber payouts. By 2024 to 2025, cyber business interruption had moved to 52 to 61 percent of claim value, with breach response settling at 20 to 28 percent and extortion/ransom related cover at 12 to 18 percent.

The shift reflects two underlying factors. Ransomware attacks on Indian corporates, particularly in manufacturing, healthcare, and IT services, increasingly target operational systems with downstream production halt of 5 to 35 days rather than just data exfiltration. The 2024-2025 attacks on three large Indian pharmaceutical manufacturers and two automotive component manufacturers each produced reported BI losses crossing INR 40 crore, with one incident exceeding INR 200 crore in reported gross loss before insurance recovery.

The second factor is the broader operational integration of digital systems. A manufacturing plant whose ERP, MES, and quality control systems are disabled cannot operate even if physical assets are intact. A healthcare chain whose appointment booking, patient records, and billing systems are down cannot deliver clinical services. A financial services platform whose front-end is online but core processing is disabled cannot complete transactions. The BI exposure has expanded beyond the historic IT-centric framing.

Indian non-life insurers writing cyber cover under wordings refreshed following the IRDAI Information Security Guidelines 2023 and the IRDAI Cybersecurity Circular 2026 have responded with differentiated BI structures. The wording variation across the eight largest cyber writers (ICICI Lombard, HDFC Ergo, Bajaj Allianz, Tata AIG, New India Assurance, Digit, Reliance General, SBI General) is now wide enough that headline limit comparisons miss the actual coverage difference. This post reviews the wording differences on the four issues that drive claim outcomes.

The waiting period (sometimes called the deductible in time) is the duration after a cyber event that must elapse before BI cover responds. The indemnity period is the maximum duration for which the policy will pay BI after the waiting period expires.

Indian cyber wordings show three patterns on waiting period.

Hourly waiting period (8 to 12 hours typical). Pays for any business interruption exceeding the threshold. This is the policyholder-favourable structure, common in newer wordings and in placements oriented to operational-technology-heavy insureds.

Daily waiting period (24 to 72 hours typical). Pays from the threshold forward. Standard in mid-market placements and in wordings derived from international templates.

Tiered waiting period. A combination structure where breach response and forensic costs trigger from hour one but BI itself requires a longer waiting period. Common in retail-sector and platform placements where short outages are operationally absorbable.

The waiting period choice matters most for attacks that produce short but expensive outages. A 6-hour payment-rail outage at a large e-commerce platform can generate INR 8 crore to INR 25 crore in lost revenue; under a 12-hour waiting period this is uncovered. Choose the waiting period based on operational tolerance, not headline cover comparison.

Indemnity period varies less. The market norm is 120 to 180 days for most placements, with extension to 270 to 365 days available at premium loading for insureds whose recovery may extend beyond standard windows (manufacturing with long supply chain restoration, healthcare with cumulative patient backlog).

The most consequential wording variation across Indian cyber covers in 2026 is the definition of the cyber event that triggers BI. Six trigger formulations are in current market use:

1. Security failure definition (narrowest). Triggers only on a documented unauthorised access or attack on the insured's systems. Excludes operational disruption from system failure not traceable to security cause.
2. System failure definition (broader). Triggers on any unplanned outage of insured IT systems regardless of cause. Includes hardware failure, configuration error, and non-malicious downtime.
3. Cyber incident definition (broadest). Includes both security and non-security causes plus any digital event affecting the insured.
4. Adversarial input attack extension. Specifically covers prompt injection, jailbreak, and AI-system misuse as discussed in recent IRDAI guidance on AI risk.
5. Cloud service interruption extension. Covers outages of named cloud providers affecting the insured's operations (contingent BI for cloud).
6. Internet outage extension. Covers ISP or backbone outages affecting insured operations.

The practical implication for buyers is that the headline policy limit may apply to a different set of events depending on which definitions are operative. A policy with INR 100 crore limit under a narrow security-failure definition may pay less in practice than a INR 50 crore policy under a broader system-failure definition.

A second wording point: the war and infrastructure attack exclusion has tightened materially during 2024-2026 following the Lloyd's market position on state-attributed attacks. Indian wordings increasingly carry an exclusion for attacks attributed to a state actor, with attribution governed by joint statements from named technical authorities. The exclusion can be negotiated narrower at inception but is difficult to disturb mid-term.

A third wording point: the systemic event exclusion or sublimit. Some Indian wordings cap BI recovery for events affecting multiple insureds simultaneously (large cloud outages, common-software supply chain attacks) at a sublimit of INR 5 crore to INR 25 crore within the tower. This sublimit may not be visible until claim time; check the operative wording, not just the headline.

Contingent business interruption (CBI), also called dependent business interruption, covers BI caused by a cyber event at a third party on whom the insured depends for operations. The exposure category has grown materially with cloud adoption and platform integration.

Three CBI structures in the Indian market.

Named provider CBI. Covers BI from cyber events at specifically named third parties listed in the policy schedule. The buyer must identify and disclose the providers, which is workable for the top 5 to 10 dependencies but cumbersome for the long tail of integrations.

Categorical CBI. Covers BI from cyber events at any provider falling within categories defined in the policy (cloud infrastructure, SaaS, payment processors, communications). Easier administratively but with definitional disputes over what falls within each category.

Wide CBI (rare). Covers BI from cyber events at any third party with whom the insured has a documented business relationship. Premium materially higher; offered by a small number of international markets.

For an Indian corporate dependent on AWS, Azure, or GCP infrastructure plus SaaS layers including ServiceNow, Salesforce, Workday, and SAP, the CBI configuration matters more than headline limit. A major AWS outage in the Mumbai region affecting the insured for 6 to 18 hours can generate INR 15 crore to INR 50 crore of BI for a mid-large corporate, and the recovery depends on whether AWS is named in the policy schedule or whether the categorical wording captures the event.

Premium for CBI extensions runs 15 to 35 percent over the base BI premium depending on structure and provider concentration.

How BI loss is calculated under the policy is the second most consequential wording area after trigger definition. Two methods are in market use.

Gross profit method. Loss is calculated as the gross profit (revenue minus variable costs) that would have been earned during the BI period had the cyber event not occurred, plus continuing fixed costs, less standing charges saved due to the interruption. This is the standard property BI method ported to cyber.

Net income method. Loss is calculated as the net income that would have been earned plus continuing operating expenses. Slightly different from gross profit treatment of overheads.

The two methods produce different answers in real claims, sometimes by 15 to 25 percent. Confirm which method applies and walk through a worked example with your broker before binding cover.

Concurrent causation is the wording issue that determines what happens when a cyber event coincides with another non-cyber cause. A ransomware attack during a monsoon flood, a system outage during a power grid failure, a payment system failure during a banking holiday. Two wording approaches.

Proximate cause approach. The dominant or efficient cause of the loss determines coverage. If cyber is proximate, BI responds; if the other cause is proximate, it does not.

But for approach. BI responds if the loss would not have occurred but for the cyber event, even if another cause contributed. Policyholder-favourable.

Lloyd's-influenced wordings increasingly use a cyber event significantly contributed to formulation that sits between these positions. Indian wordings vary; the negotiation point at inception is the explicit concurrent causation clause.

A related wording issue is the consequential loss exclusion. Some cyber wordings exclude indirect or consequential losses, which can be invoked to exclude lost market share, customer churn, and brand damage even where direct BI is covered. Negotiate carve-backs for specific consequential categories at inception.

Cyber events generate two BI loss categories that standard wordings handle imperfectly: revenue loss continuing after operational restoration due to customer attrition (reputational BI), and the cost of marketing and incentives to recapture lost customers (customer recapture).

Reputational BI has historically been excluded under cyber wordings as too speculative to quantify. The 2025-2026 market has begun offering an extension under specific conditions: payment for revenue loss in a defined post-restoration period (typically 90 to 180 days) where the revenue shortfall versus baseline can be statistically attributed to the cyber event. Premium loading 20 to 40 percent over base BI for the extension.

Customer recapture cover responds to documented marketing, discounting, and incentive costs incurred specifically to recover customers lost during or after the cyber event. Sublimits typically INR 2 crore to INR 10 crore within the tower. The cover is most useful for consumer-facing platforms where direct customer churn is measurable.

A structural point: both extensions require pre-event baseline data to establish the counterfactual revenue trajectory. Insureds should maintain monthly cohort analytics, segment-level revenue tracking, and statistical baselines that can support post-event attribution. Without these, the extensions are difficult to claim against even when the cover is in place.

A related extension that several Indian buyers have begun procuring is the regulatory and contractual notification cost sub-cover. The DPDP Act 2023 notification requirements, the IRDAI Cybersecurity Circular 2026 notification obligations for IRDAI-regulated entities, and contractual obligations to enterprise customers all generate notification cost exposure that breach response sub-limits may not fully cover. Dedicated notification-cost limits of INR 3 crore to INR 15 crore within the tower address this.

Cyber BI claims are quantification-heavy. Unlike property BI where the damaged asset and the affected period are usually clear, cyber BI requires reconstruction of what revenue would have been earned, attribution of the loss to the cyber event (versus other causes), and adjustment for offsets including post-restoration over-recovery, mitigation actions, and savings on variable costs.

The forensic accountant is the key claim resource. Indian cyber wordings typically include forensic accountant costs within the breach response sub-cover, with the insurer's panel including specialised cyber-claim accountants from the Big Four and specialty firms. The selection of accountant materially affects claim outcomes; panel choice and right to engage policyholder-side accountants are negotiation points.

Three practical preparation steps for cyber BI claims.

Maintain monthly financial data with revenue and cost segmentation suitable for cohort-based reconstruction. Annual financials are insufficient for cyber BI quantification.

Document the cyber event timeline rigorously from initial detection through complete restoration, with hour-by-hour records during the active phase. The timeline is the spine of the BI claim.

Reconcile the BI calculation with operational data including production volumes, transaction counts, customer-facing service availability, and SLA breach records. Multiple independent data sources strengthen the claim and reduce adjuster pushback.

For Indian corporates renewing cyber cover during 2026, a wording checklist that addresses the issues this post has covered:

1. Trigger definition. Confirm whether the policy uses security failure, system failure, or cyber incident triggers. Add AI adversarial input, cloud service interruption, and ISP outage extensions if operationally relevant.
2. Waiting period. Select hourly waiting period (8 to 12 hours) for operations where short outages are expensive. Default daily waiting period (24 to 72 hours) for operations that can absorb short outages.
3. Indemnity period. Confirm 120 to 180 days as base; extend to 270 to 365 days for long-restoration operations. Negotiate the start date to be BI commencement rather than the cyber event date.
4. CBI structure. Map top 15 dependencies and align CBI cover (named, categorical, or wide). Address provider concentration as a risk management matter, not just an insurance one.
5. Loss calculation method. Confirm gross profit or net income method. Walk through a worked example with the broker.
6. Concurrent causation. Negotiate explicit clause; avoid silence which defaults to general law that may be unfavourable.
7. Reputational BI and customer recapture. Procure extensions if consumer-facing; ensure baseline data infrastructure to support attribution.
8. Regulatory notification sub-cover. Confirm DPDP, IRDAI, and contractual notification cost limits are calibrated to actual exposure.
9. Systemic event sublimit. Check for sublimits on common-cloud and supply-chain attacks; negotiate elevation or removal.
10. War and infrastructure attack exclusion. Confirm exclusion language; negotiate narrower formulation tied to formally attributed state action.

Premium for a well-structured cyber BI cover at INR 100 crore tower for a mid-large Indian corporate runs INR 1.2 crore to INR 3.5 crore annually, with rate variation reflecting industry, security maturity, and claims experience. The 30 to 40 percent premium variance across insurers for ostensibly similar limits reflects wording variation more than insurer-specific pricing.