Insurance Products

Cyber Insurance Pricing Has Softened in India 2026: How Commercial Buyers Should Use the Window

Cyber insurance pricing has eased and stabilised even as exposure keeps rising. This piece explains why the market softened, and how Indian commercial buyers should use the better terms (higher limits, broader business-interruption and extortion extensions, more sensible retentions) while watching the systemic-event exclusions that the softer cover leaves in place.

Sarvada Editorial TeamInsurance Intelligence
11 min read

Listen to this article

Audio version • 11 min read

cyber-insurancemarket-softeningbusiness-interruptioncyber-extortionpolicy-limitsretentionssystemic-riskcommercial-buyers

Last reviewed: June 2026

Why Cyber Pricing Eased While Exposure Kept Rising

For most of the period after the cyber market hardened, Indian commercial buyers faced a familiar story: rising rates, falling limits, narrower wordings, and ever-longer proposal forms demanding controls before an insurer would even quote. That phase has turned. Through the recent renewal cycles the cyber market has moved from hard to softer, and the pricing that buyers see at renewal in 2026 is generally easing or at least stabilising, even though the underlying exposure (ransomware, business-email compromise, data-breach liability, dependent-system failure) has not eased at all. Understanding why the two have decoupled is the key to using the window well.

The softening is a supply-and-loss story, not an exposure story. On the supply side, more insurers and more reinsurance capacity have come into cyber after several years of corrective re-pricing, and capacity chasing premium pushes rates down and terms wider. On the loss side, the corrective measures the market imposed during the hard phase (mandatory multi-factor authentication, endpoint detection and response, tested backups, privileged-access controls) genuinely improved the quality of the insured book, so insurers writing today are pricing a population of buyers that is, on average, better defended than the one that produced the hard-market losses. Better-defended insureds plus more capacity competing for them produces softer pricing. None of that means the threat has receded; it means the market has, for now, more appetite to carry it.

The practical message for a buyer is that the bargaining power in the negotiation has shifted toward the insured for the first time in years. The same controls that were the price of admission during the hard market are now the basis for asking for more: higher limits, broader extensions, more reasonable retentions, and the removal of restrictions that insurers imposed when they were rationing capacity. A buyer who renews on autopilot, simply accepting a rate reduction on the same narrow programme, leaves most of the value of the soft market on the table.

Buy Limit, Not Just a Rate Cut: Sizing Cyber Cover to the Real Loss

The most common mistake at a softening renewal is to take the saving as a premium reduction and keep the limit unchanged. For most Indian commercial buyers the binding problem during the hard market was not price but adequacy: limits were capped below the realistic cost of a serious event because capacity was scarce. The soft market is the moment to fix that, because additional limit is cheaper now than it has been in years.

Sizing the limit means understanding what a serious cyber event actually costs, and the cost is rarely dominated by the headline ransom. A meaningful ransomware or breach event in an Indian mid-to-large enterprise typically generates costs across several heads at once: incident-response and forensic investigation, legal and breach-notification costs, business-interruption loss while systems are down, data-restoration and system-rebuild costs, cyber-extortion negotiation and (where lawful and chosen) payment, third-party liability to customers and partners whose data was exposed, and regulatory exposure. A limit set only against the ransom number ignores the business interruption and liability layers that often dwarf it.

How to size it

  1. Start from a realistic worst-case event for your business: which systems, down for how long, affecting how many customers and what regulated data.
  2. Build the cost stack across all heads (response, BI, restoration, liability, extortion, regulatory) rather than anchoring on the ransom.
  3. Compare that figure to the limit you currently buy. Most buyers find the gap is large.
  4. Use the soft-market pricing to close the gap, buying the additional limit now while it is cheap, rather than discovering the shortfall during a live incident.

For larger buyers, the soft market also makes a layered tower more affordable: a primary layer with a chosen insurer and excess layers above it, which lets the buyer assemble a much larger total limit than any single insurer would write on a primary basis. The competition for excess capacity in a soft market is exactly what makes the upper layers cheap. A buyer who used the hard market to learn its real exposure should use the soft market to actually insure it.

Broaden the Extensions: BI, Dependent-BI and Extortion

Beyond limit, the soft market is the time to widen what the policy actually covers. During the hard phase, insurers narrowed the extensions that drive the largest cyber losses; in the soft phase those extensions are negotiable again, and they are where a buyer should concentrate.

Business interruption and the waiting period

Cyber business interruption covers the income loss and increased cost of working while the insured's own systems are unusable after a covered event. The two terms that decide its value are the waiting period (the time deductible before BI cover starts, often expressed in hours) and the indemnity period (how long BI loss is covered after the waiting period). Hard-market wordings pushed waiting periods up (longer time deductible, less paid) and indemnity periods down. In a soft market a buyer should push the waiting period back down to a level that matches how quickly its business actually loses money in an outage, and lengthen the indemnity period to cover the full realistic recovery and ramp-up time, because a complex environment rarely returns to normal the moment systems come back online. The interaction with the policy deductible and the time-based waiting period together determine how much of a real outage loss the buyer actually carries.

Dependent (contingent) business interruption

The exposure that has grown fastest is dependent-system failure: the insured is not breached, but a cloud provider, a SaaS vendor, a payment processor or a key IT supplier suffers an outage that takes the insured's operations down with it. Dependent (contingent) business interruption extends BI cover to loss caused by a security failure or system failure at a third party the insured relies on. As Indian businesses concentrate on a handful of cloud and SaaS providers, this exposure has become one of the most important parts of the programme, and the soft market is the time to add or broaden it. Read carefully whether the extension covers only a security failure at the provider or also a non-malicious system failure (an outage with no attacker), because the broader trigger is what responds to most large cloud incidents.

Cyber extortion. The cyber-extortion extension covers ransom negotiation, the cost of specialist negotiators and, where lawful and chosen, the extortion payment itself. The points to negotiate in a soft market are the sub-limit (extortion is often sub-limited below the main policy limit), the inclusion of negotiation and response costs whether or not a payment is made, and clarity on the sanctions and legality conditions that govern when a payment can be reimbursed. A buyer should understand that the extortion sub-limit and the BI limit interact: in a real ransomware event both heads fire at once, so the sub-limits need to be sized together, not in isolation.

Retentions and Coinsurance: Take Back Risk on Your Terms

Pricing is only one lever; the retention structure is the other, and a soft market is the time to revisit it deliberately rather than accept whatever the hard market left in place. The retention is the amount the buyer carries before the policy pays, and during the hard phase insurers pushed retentions up and added coinsurance (the insured sharing a percentage of loss above the retention) to force buyers to retain more risk. In a soft market both are negotiable, and the right move is not simply to minimise the retention but to set it where it makes economic sense.

A larger, well-capitalised buyer that can absorb the first tranche of a cyber loss can use a higher retention to buy down premium and direct the saving into more limit and broader extensions, where the cover actually matters. A smaller buyer for whom a large retention would itself be painful in a live incident should push it down to a survivable level. The discipline is to match the retention to the buyer's balance sheet and cash position, not to a number an insurer set when it was rationing capacity.

Coinsurance deserves specific attention. A clause that makes the insured carry a fixed percentage of every loss above the retention can quietly erode the value of a large limit, because the insured keeps paying its share all the way up. A buyer should press to remove or reduce coinsurance, particularly on the BI and extortion heads where losses are largest, because that can matter more to the net recovery than a headline rate cut.

The discipline is to direct soft-market savings deliberately. Rather than banking the whole premium reduction, redeploy part of it into more limit, broader BI and dependent-BI extensions, and a lower or removed coinsurance share. A renewal that keeps the same narrow programme and just costs less has captured the least valuable part of the soft market.

The Catch: Systemic-Event and War Exclusions Remain

The soft market has not made cyber cover unconditional, and the most important thing a buyer can do while terms are easing is to read what the policy still does not cover. The exclusions that the market tightened during the hard phase to manage accumulation risk have largely stayed in place, because they address the one exposure that softer pricing has not resolved: the systemic event that hits many insureds at once.

War and state-backed attack exclusions

Cyber wordings now commonly carry war and state-backed cyber-operation exclusions that carve out attacks attributed to nation-states or occurring in armed conflict. Refined across the global market in recent years, they exclude loss arising from a cyber operation by or attributable to a state, sometimes with carve-backs and attribution mechanics that are genuinely consequential. A buyer should not treat this as boilerplate. The exclusion's scope, how attribution is determined, and whether there is a carve-back for collateral damage to a non-target insured all decide whether a major state-linked attack is covered. The attribution mechanics are negotiable at the margin, and a buyer should understand exactly what its wording says before relying on it.

Systemic and widespread-event exclusions

The deeper concern is the systemic-event or widespread-event exclusion that some insurers use to cap their exposure to a single cause hitting many insureds simultaneously, for example a critical vulnerability in widely-used software or a failure at a hyperscale cloud provider that takes down a large share of the market at once. Because the dependent-BI extension a buyer wants for cloud outages and the systemic-event exclusion an insurer wants for cloud outages point at the same scenario, the interaction between the two is the single most important thing to read in a modern cyber policy. A dependent-BI extension that is then carved back out by a broad systemic exclusion can leave the buyer believing it has cover for the exact event that is excluded.

The broader point is that softening has improved the price and the breadth of cover for the idiosyncratic event (the single business breached on its own) far more than for the systemic event (many businesses hit at once). A buyer using the soft window should bank the gains on the idiosyncratic side while going in with eyes open on the systemic side, sizing its retained exposure to a systemic event consciously rather than assuming the broader cover has closed the gap. The consequential loss that follows a systemic outage is exactly where the wording fine print decides the recovery.

A Renewal Playbook for the Soft Cyber Market

Putting it together, a buyer renewing cyber in the 2026 soft market should run a deliberate process rather than accept a quoted rate reduction. The sequence below is how a well-advised commercial buyer should approach the window.

  1. Re-underwrite your own exposure first. Map your realistic worst-case event across all cost heads (response, BI, restoration, liability, extortion, regulatory) so you are negotiating against a number you believe, not against last year's limit.
  2. Buy limit while it is cheap. Close the gap between the limit you carry and the loss you could suffer, using a layered tower if the total limit you need exceeds single-insurer appetite.
  3. Broaden the extensions that drive the largest losses: push the BI waiting period down and the indemnity period up, add or widen dependent-BI for cloud and SaaS reliance, and size the extortion sub-limit alongside the BI limit because both fire together.
  4. Reset the retention and coinsurance to your balance sheet. Use a higher retention to fund more limit only if you can absorb it; press to remove coinsurance on the heads where losses are largest.
  5. Read the exclusions as carefully as the grants, treating the dependent-BI extension and the systemic or widespread-event exclusion as a single net question, and understanding the war and state-attack attribution mechanics before you rely on them.

The controls that won you the soft-market pricing should also be documented and maintained, because they are both the reason the cover is affordable and a condition of it. Insurers continue to expect multi-factor authentication, tested and segmented backups, endpoint detection, privileged-access management and an incident-response plan, and a control that lapses between bind and claim is a defence an insurer can use even in a soft market.

Getting this right turns on the wordings: which BI trigger, which waiting and indemnity periods, how dependent-BI is defined, where the extortion sub-limit sits, and exactly how the systemic and war exclusions are drafted and how they interact with the extensions. Sarvada gives commercial-insurance brokers and corporate risk teams structured, searchable access to insurer cyber wordings and the intelligence around them, so they can compare BI triggers, dependent-BI scope, extortion sub-limits, retentions and the systemic and war exclusions side by side and confirm the soft-market terms actually deliver the cover the business needs. Brokers and risk managers re-marketing cyber programmes in this softer window can Request Access to evaluate the wording-comparison capability the negotiation demands.

Frequently Asked Questions

If cyber risk is still rising, why has cyber insurance got cheaper?
Because price is driven by insurer appetite and the quality of the insured book, not only by the threat level. After several years of corrective re-pricing, more insurers and more reinsurance capacity have come into cyber, and capacity competing for premium pushes rates down and terms wider. At the same time the controls the market made mandatory during the hard phase (multi-factor authentication, endpoint detection, tested backups, privileged-access management) genuinely improved the average insured's defences, so insurers are now pricing a better-defended population than the one that produced the hard-market losses. Better-defended insureds plus more competing capacity produces softer pricing even while ransomware, extortion and dependent-system exposure keep rising. The right reading is that the market has more appetite to carry the risk for now, not that the risk has receded, so the soft window is a chance to buy better cover rather than a reason to buy less.
What should I prioritise at a softening cyber renewal?
Limit and extensions, in that order, ahead of banking the premium saving. First, re-size the limit against a realistic worst-case event built across all cost heads (incident response, business interruption, data restoration, third-party liability, extortion and regulatory exposure) rather than against the ransom number alone, because the BI and liability layers usually dwarf the ransom, and use cheap soft-market capacity, including a layered tower, to close the gap the hard market left. Second, broaden the extensions that drive the largest losses: push the business-interruption waiting period down and the indemnity period up, add or widen dependent (contingent) business interruption for your cloud and SaaS reliance, and size the extortion sub-limit alongside the BI limit because both fire together. Only then consider the retention and coinsurance, setting them to your balance sheet. A renewal that keeps the same narrow programme and just costs less has captured the least valuable part of the soft market.
What is dependent or contingent business interruption and why does it matter now?
Dependent (or contingent) business interruption extends cyber BI cover to income loss caused not by a breach of your own systems but by a security failure or system failure at a third party you rely on, such as a cloud provider, a SaaS vendor, a payment processor or a key IT supplier. It matters now because Indian businesses have concentrated on a handful of cloud and SaaS providers, so an outage at one of them can take many businesses down at once without any of them being attacked directly. When adding or broadening this extension, read carefully whether it responds only to a security failure (an attacker) at the provider or also to a non-malicious system failure (an outage with no attacker), because the broader trigger is what actually responds to most large cloud incidents. Critically, read the dependent-BI extension together with any systemic or widespread-event exclusion, because the same cloud-outage scenario the extension grants is often the one the exclusion carves back out.
Does softer cyber cover protect against a major systemic event like a large cloud outage?
Not necessarily, and this is the most important thing to check while terms are easing. Softening has improved price and breadth far more for the idiosyncratic event (your business breached on its own) than for the systemic event (many businesses hit at once). The exclusions insurers tightened during the hard market to manage accumulation, the war and state-backed cyber-operation exclusions and, on some policies, a systemic or widespread-event exclusion, have largely stayed in place. Because the dependent-BI extension you want for cloud outages and the systemic-event exclusion the insurer wants for cloud outages point at the same scenario, you must read the two together as a single net question: a policy can grant cloud-outage cover in the extensions and remove it in the exclusions. Bank the soft-market gains on the idiosyncratic side, but size your retained exposure to a systemic event consciously rather than assuming the broader cover has closed that gap.

Related Glossary Terms

Related Insurance Types

Related Industries

Related Articles

Sarvada

Ready to see Sarvada in action?

Explore the platform workflow or start a product conversation with our underwriting automation team.

Explore the platform