Cyber Reinsurance Capacity in India: 2026 Treaty Renewal Dynamics and Loss Experience Flow-Through

Indian cyber treaty renewals at April 2026 priced against three years of evolving loss experience that has reshaped reinsurer view of the class. The 2023 to 2025 period included the MOVEit supply chain compromise that produced extended losses across financial services, healthcare, and education globally, the Akira ransomware campaigns that affected manufacturing and logistics across Indian and international clients, and a steady stream of mid-severity ransomware events against Indian SME and mid-market clients. Cyber treaty loss ratios for Indian primary cedents have run above sustainable underwriting levels for two consecutive years.

The Indian primary cyber market has expanded rapidly. Indian general insurers wrote approximately INR 2,200 crore in cyber premium during FY2024-25, against INR 1,400 crore in FY2023-24 and INR 850 crore in FY2022-23. The growth has been driven by IRDAI cyber disclosure mandates, ransomware event publicity, mid-market expansion of cyber buying, and composite licence-era distribution expansion.

The primary growth has outpaced reinsurance capacity growth, with the result that the 2026 renewal cycle priced not just for loss experience but for capacity-supply economics. Reinsurers writing Indian cyber treaty have selectively allocated capacity, with the strongest cedents (clean loss experience, defensible underwriting discipline, structured risk selection) accessing capacity at improved terms while weaker cedents either accepted significant retention increases or struggled to complete placements.

The regulatory framework has continued to develop. The IRDAI cyber insurance guidelines as updated through 2024 and 2025 have established product structure expectations, sub-limit disclosure requirements, and underwriting documentation standards. The IRDAI Cybersecurity 2 circular 2026 has tightened cybersecurity governance expectations for insurers and intermediaries. The DPDP Act 2023 continues to shape the underlying cyber exposure picture for Indian clients.

The cyber loss events of 2023 and 2024 produced delayed financial impact on treaty results that has continued to develop through 2025 and into 2026. The delayed pattern reflects three structural features of cyber claims development.

Claim development extension. Cyber claims develop materially after the initial breach event, with the loss adjusting cycle extending across forensic investigation, business interruption quantification, third-party claim assertion, regulatory inquiry response, and ultimate settlement. A breach event that occurred in 2023 may continue producing claim development into 2026 as litigation progresses, regulatory enforcement actions conclude, and supplementary damages emerge from related events.

Aggregation realisation. Cyber events with broad scope (supply chain compromises, widely used software vulnerabilities) produce aggregated losses across multiple policyholders that take time to identify and quantify. The MOVEit event in 2023 affected hundreds of organisations globally, with the loss aggregation across Indian primary portfolios continuing to develop through 2024 and 2025.

Systemic risk reassessment. The 2023 to 2025 events produced reinsurer reassessment of the systemic risk inherent in cyber writing, with revised view of correlation across policyholders, tail risk magnitudes, and capacity efficiency. The reassessment has influenced 2026 renewal pricing beyond direct loss experience, with reinsurers building larger margins to compensate for systemic uncertainty.

The Indian primary cedent loss experience entering the 2026 renewal cycle reflects all three features. Loss ratios on Indian cyber treaty programmes have run 78 to 105 percent for the 2024 underwriting year (developed through end of 2025) and are projecting toward 65 to 90 percent for the 2025 underwriting year. The combined load is materially above the sustainable underwriting target of 55 to 70 percent.

Indian cyber primary market structure in 2026 has been shaped materially by the IRDAI regulatory framework on cyber insurance and on cybersecurity. The framework operates at three levels with distinct implications for treaty market dynamics.

IRDAI cyber insurance guidelines as updated through 2024 and 2025 establish standard cover categories (data breach response, business interruption, cyber extortion, regulatory defence and penalties, third-party liability), sub-limit disclosure requirements, exclusion clarity expectations, and claims handling protocols. The standardisation has improved client clarity and reduced wording disputes but has also constrained product differentiation across primary insurers, with implications for treaty cession patterns.

IRDAI cybersecurity framework tightened through the Cybersecurity 2 circular 2026 has raised expectations on insurer cybersecurity governance, including required cyber risk assessments, mandatory third-party vendor cybersecurity due diligence, incident reporting obligations, and board-level cybersecurity oversight. Insurers struggling to satisfy the framework have constrained their own cyber writing capacity.

DPDP Act 2023 establishes data breach notification timelines (72 hours for material breaches), data principal rights handling obligations, and significant penalty structures for non-compliance. The framework has expanded the regulatory exposure component of cyber claims, with primary insurers and reinsurers increasingly underwriting the regulatory exposure as a substantial cost driver alongside direct breach response.

For treaty market dynamics, the regulatory framework has produced two specific effects. Reinsurers writing Indian cyber treaty have increased confidence in the structural quality of primary writing, with implications for the long-run terms reinsurers are willing to offer to disciplined cedents. Reinsurers have explicitly required documentation of primary cedent compliance with IRDAI cyber and cybersecurity frameworks as part of treaty due diligence.

Cyber treaty terms at April 2026 produced material retention growth and sub-limit tightening across the Indian market. The combined effect transfers materially more cyber loss exposure to the primary cedent net account.

Retention growth. Primary cedent retentions on cyber treaty programmes increased 30 to 60 percent at April 2026 against April 2025 retention levels. The retention increases were driven by reinsurer demand to align primary cedent skin-in-the-game with the loss experience, by primary cedent acceptance of retention growth in exchange for treaty cost containment, and by capacity-supply economics that limited primary cedent negotiating power.

Ransomware sub-limits. Cyber treaty wordings at April 2026 typically applied specific sub-limits on ransomware coverage at 30 to 50 percent of overall treaty limit for ransomware-specific claims, with additional limits on extortion payments, ransom negotiation costs, and decryption-related expenses. The sub-limit structure transfers ransomware-specific exposure back to the primary cedent net account beyond the sub-limit.

Systemic event sub-limits. The 2026 renewal cycle introduced explicit sub-limits on systemic cyber events covering supply chain compromises, widely used software vulnerabilities, and aggregated cyber events. The systemic sub-limits commonly run 20 to 35 percent of overall treaty limit for events meeting defined systemic criteria.

War and infrastructure exclusions. Cyber treaty wordings have tightened war exclusions, state-sponsored attack exclusions, and critical infrastructure exclusions through the 2024 to 2026 cycle. Primary cedents writing cyber for Indian clients in geopolitically sensitive sectors face coverage gaps that the cyber treaty does not address.

Premium and rate movement. Cyber treaty rates increased 12 to 28 percent at April 2026 against April 2025 rates for loss-affected treaties, with loss-free treaties experiencing 5 to 12 percent rate increases.

Reinsurer capacity for Indian cyber treaty is concentrated among a small number of major participants.

Munich Re writes substantial Indian cyber treaty capacity through its Indian branch operations and through its IFSCA presence at GIFT City. Munich Re cyber underwriting in India emphasises portfolio quality and risk selection, with capacity flowing preferentially to primary cedents with disciplined underwriting and clear loss experience trajectories.

Swiss Re Indian cyber treaty capacity has remained substantial through the 2025 and 2026 cycles. Swiss Re emphasises systemic risk management and has been particularly explicit in introducing systemic event sub-limits and in tightening war-related exclusions.

Hannover Re writes Indian cyber treaty capacity through its Indian operations and through IFSCA presence. Hannover Re cyber underwriting in India has been characterised by capacity discipline combined with willingness to support primary cedents through structural innovations (parametric features, multi-year structures, alternative retention designs).

GIC Re as the domestic Indian reinsurer participates in Indian cyber treaty placements through both proportional and excess of loss arrangements. GIC Re's right of first refusal on Indian risk under the IRDAI (Reinsurance) Regulations 2018 means that Indian primary cedents must offer cyber treaty placement to GIC Re before pursuing international capacity, with GIC Re's appetite and pricing setting an important floor for the Indian cyber treaty market.

Other international participants include SCOR, AXIS, Renaissance, and other international reinsurers, typically at smaller capacity allocations. Lloyd's syndicate participation in Indian cyber treaty through traditional reinsurance arrangements and through IFSCA Lloyd's vehicles has grown through 2025 and into 2026.

GIFT City IFSC syndicates entering cyber. The IFSCA framework has attracted increasing reinsurance capacity to Indian cyber through 2025, with major international reinsurers establishing IFSCA presence. The IFSCA capacity has been particularly valuable for Indian primary cedents whose appetite or capacity exceeds traditional treaty support, and for large Indian corporate cyber programmes where direct international engagement produces better economics than purely domestic structures.

The capacity picture for 2026 has been described as adequate but selective. Primary cedents with strong loss experience and clear underwriting discipline complete placements at competitive terms, while cedents with weaker positions face material retention increases, larger sub-limits, or placement difficulty.

The 2026 cyber treaty terms flow through to broker placement economics and to corporate buyer programme costs over FY2026-27.

For brokers serving cyber clients, the practical priorities are several. Client engagement on the treaty dynamics requires transparent communication that the primary insurer pricing reflects underlying reinsurance treaty economics rather than insurer profit-taking. Structural review of client programmes should include retention levels, sub-limit structures, and tower design. Capacity sourcing across primary insurers requires awareness that capacity allocation has tightened and that early engagement on placement is increasingly important.

For corporate buyers, premium for cyber renewals at FY2026-27 has been running 15 to 30 percent above FY2025-26 premium on accounts with clean loss experience and well-managed risk profiles. Accounts with loss experience or with weaker risk management have experienced larger increases or have faced capacity constraints.

Specific industry impacts. Indian IT services and IT-enabled services firms face the largest absolute exposure because of the data handling intensity of the business and the international client base. Indian manufacturing and process industries face exposure from operational technology vulnerabilities and ransomware-targeting patterns. Indian financial services face exposure from payment system threats and data breach regulatory consequences. Indian healthcare faces exposure from PHI protection and clinical operations disruption.

Sub-limit awareness for clients. Corporate clients receiving renewal terms in FY2026-27 should review the sub-limit structure carefully against their specific exposure. Ransomware sub-limits that previously did not exist may now apply. Systemic event sub-limits may apply to supply chain or software vulnerability scenarios that the client may have considered fully covered under prior-year terms.

Risk management investment. Clients with strong cybersecurity governance, demonstrated incident response capability, and structured third-party vendor management achieve materially better insurance outcomes than clients with weaker positions.

Alternative capacity exploration. Corporate clients with substantial cyber exposure and capacity demand exceeding traditional primary market can explore alternative capacity through GIFT City IFSC routes, through fronting arrangements with international carrier support, or through captive participation for large multinational programmes.

Platforms such as Sarvada are emerging in the Indian commercial broking market to integrate cyber analytical workflows with treaty market awareness and client programme management. Request Access to evaluate platform options.