Cyber Insurance in India: A Comprehensive Guide for 2026

As cyber threats escalate across Indian enterprises, cyber insurance has become a boardroom priority. This comprehensive guide covers policy structures, CERT-In compliance, DPDP Act implications, and practical buying strategies for 2026.

Sarvada Editorial Team | Insurance Intelligence | 4 min read
Tags: cyber insurance India, DPDP Act, CERT-In compliance, data breach insurance, ransomware coverage, IT Act 2000

Last reviewed: February 2026

In this article

  • India's DPDP Act imposes penalties up to INR 250 crore for data breaches, making cyber insurance a financial imperative for all data fiduciaries.
  • A comprehensive cyber policy covers first-party losses (data restoration, business interruption) and third-party liabilities (breach notification, regulatory fines).
  • Cyber insurance premiums in India range from INR 4-25 lakh depending on company size and risk profile, with INR 5-10 crore limits being common for mid-market buyers.
  • Companies with mature cybersecurity controls — ISO 27001, MFA, EDR tools, and documented incident response plans — can reduce premiums by 20-30%.
  • CERT-In's 6-hour incident reporting mandate means companies must integrate their cyber insurance breach response panel into their incident response protocols.

The Cyber Threat Landscape in India: 2026 Reality

India reported over 16 lakh cyber security incidents in 2025 according to CERT-In, making it one of the most targeted nations globally. Ransomware attacks on Indian enterprises surged 55% year-on-year, with average ransom demands exceeding INR 4 crore for mid-sized companies. The AIIMS Delhi attack, the BSNL data breach, and attacks on Indian banking infrastructure have demonstrated that no sector is immune.

The Digital Personal Data Protection (DPDP) Act, 2023, now fully operational, imposes penalties up to INR 250 crore for data breaches. CERT-In's directive mandating 6-hour incident reporting creates operational urgency that unprepared companies struggle to meet. Cyber insurance has evolved from a technology-sector product to an essential risk management tool across Indian industries.

What Cyber Insurance Covers in the Indian Context

A comprehensive cyber insurance policy in India provides both first-party and third-party coverage. First-party covers include data restoration costs, business interruption losses from network downtime, cyber extortion payments (where legally permissible), forensic investigation expenses, and notification expenses mandated under the DPDP Act.

Third-party covers address liability to customers for data breaches, regulatory defence costs and fines (where insurable by law), PCI fines and assessments, and media liability for digital content. Endorsements covering CERT-In compliance costs, DPDP Act notification obligations, and RBI cybersecurity framework requirements are particularly important to negotiate.

Policy Structures and Coverage Options

Indian cyber insurance policies are available as standalone products or as endorsements to existing commercial packages. Standalone policies offer significantly broader coverage and higher limits. IRDAI approved standardised cyber insurance wordings in 2023, though insurers retain flexibility to offer enhanced covers beyond the minimum template.

Key coverage sections include Network Security Liability, Privacy Liability, Cyber Extortion, Data Asset Restoration, and Business Interruption. System failure coverage, which responds to a system malfunction even when no cyber attack has occurred, is an important extension. Contingent business interruption cover protects against failures in third-party service providers, which is relevant given Indian companies' heavy reliance on cloud platforms and IT outsourcing.

Premiums, Limits, and Market Dynamics in 2026

Cyber insurance premiums in India have stabilised after steep increases in 2023-2024. An IT services company in Bengaluru with INR 500 crore turnover might pay INR 15-25 lakh annually for INR 10 crore coverage. A mid-sized manufacturer in Pune with basic digital infrastructure could secure INR 5 crore cover for INR 4-8 lakh.

Deductibles typically range from INR 5-50 lakh depending on company size. Waiting periods of 8-12 hours apply for business interruption claims. The Indian cyber insurance market has grown to approximately INR 1,200 crore in gross written premium for 2025-26, with New India Assurance, ICICI Lombard, HDFC ERGO, and Bajaj Allianz among the leading domestic underwriters. Lloyd's of London capacity supplements the domestic market for large limits.

Regulatory Framework: DPDP Act, CERT-In, and RBI Guidelines

The regulatory environment has become the primary driver of cyber insurance adoption in India. The DPDP Act, 2023 requires data fiduciaries to implement reasonable security safeguards and notify the Data Protection Board of breaches. Penalties reach INR 250 crore, creating quantifiable exposure boards cannot ignore.

CERT-In's directive mandates reporting cyber incidents within 6 hours, maintaining ICT system logs for 180 days, and synchronising system clocks with NTP servers. RBI's cybersecurity framework requires banks and NBFCs to maintain cyber insurance. SEBI's cybersecurity circular similarly affects listed companies and market intermediaries. These overlapping regulations create a compliance matrix that cyber insurance helps Indian companies navigate.

The Underwriting Process: What Insurers Evaluate

Cyber insurance underwriting in India has matured significantly. Insurers assess IT security posture including firewall configurations, endpoint detection and response (EDR) tools, multi-factor authentication, and encryption standards. Governance frameworks — ISO 27001, SOC 2, or NIST CSF — influence pricing.

Underwriters also evaluate employee training programmes, incident response plans, data backup protocols, and vendor risk management. Companies with a CISO, regular penetration testing, and documented business continuity plans receive preferential rates. A company with mature cybersecurity controls can reduce premiums by 20-30% compared to peers with minimal security infrastructure.

Claims Scenarios: Lessons from Indian Incidents

Real-world Indian claims illustrate the value of cyber insurance. A Gurugram-based fintech company suffered a ransomware attack encrypting customer databases — the cyber policy covered INR 2.3 crore in forensic investigation, data restoration, and business interruption losses over a 10-day recovery period. A Chennai-based hospital chain experienced a data breach exposing 4 lakh patient records — the insurer funded notification costs, credit monitoring services, and regulatory defence.

A Noida e-commerce company fell victim to a social engineering attack resulting in a fraudulent fund transfer of INR 85 lakh — covered under the crime/social engineering endorsement of their cyber policy. These cases underscore the importance of understanding your specific risk profile and ensuring your policy responds to the threats most relevant to your business operations.

Buying Cyber Insurance: A Practical Framework for Indian Companies

Indian businesses should follow a structured approach to procuring cyber insurance. First, conduct a cyber risk assessment identifying critical digital assets, potential threat vectors, and regulatory obligations. Second, quantify the financial impact of plausible scenarios — a 7-day system outage, a breach of 1 lakh customer records, or a ransomware demand.

Third, engage a specialist cyber insurance broker who understands both the Indian regulatory landscape and global policy wordings. Fourth, negotiate key policy terms: ensure retroactive cover for unknown prior breaches, remove any war/nation-state exclusion that could negate ransomware claims, and secure an incident response panel that includes Indian forensic firms and legal counsel. Finally, integrate the policy into your broader incident response plan — your CISO and legal team should know how to activate the policy's breach response services within the CERT-In mandated 6-hour window.

Frequently Asked Questions

Does cyber insurance cover ransomware payments in India?

Most cyber insurance policies in India cover ransomware extortion payments, but with important conditions. The insured must obtain the insurer's consent before making any payment, engage approved forensic investigators to assess the situation, and demonstrate that payment is the last resort after exhausting other recovery options. There is no specific Indian law prohibiting ransomware payments as of 2026, unlike some other jurisdictions. However, payments to sanctioned entities remain illegal. Insurers also cover the broader costs of a ransomware attack — forensic investigation, data restoration, system rebuilding, and business interruption — which often exceed the ransom demand itself.

Is cyber insurance mandatory for Indian companies under the DPDP Act?

The DPDP Act, 2023 does not explicitly mandate cyber insurance. However, it requires data fiduciaries to implement 'reasonable security safeguards' to protect personal data, and cyber insurance is increasingly viewed by regulators and courts as a component of reasonable security. RBI mandates cyber insurance for banks and NBFCs under its cybersecurity framework. SEBI's cybersecurity circular creates similar expectations for listed companies and market intermediaries. Insurance regulators, legal advisors, and data protection consultants widely recommend cyber insurance as essential to demonstrating compliance with the DPDP Act's security safeguard requirements.

How should Indian SMEs approach cyber insurance given limited budgets?

Indian SMEs should prioritise cyber insurance even with constrained budgets, as their limited IT resources make them disproportionately vulnerable. Start with a basic standalone cyber policy offering INR 1-3 crore coverage, which typically costs INR 1.5-4 lakh annually for companies with under INR 100 crore turnover. Focus on core covers: data breach response, business interruption from cyber events, and cyber extortion. Implement basic cybersecurity hygiene — MFA, regular backups, employee training — to qualify for better rates. Many Indian insurers now offer simplified cyber products designed for SMEs with streamlined application forms and pre-approved incident response panels.
