IRDAI's Evolving Cyber Insurance Regulatory Framework
IRDAI's regulatory treatment of cyber insurance has evolved significantly since the first standalone cyber policies were filed in the Indian market around 2016-2017. The early period was characterised by a light-touch approach: insurers filed cyber products under the broad product approval process, the coverage terms were largely adapted from Lloyd's market wordings, and IRDAI's principal concern was solvency and disclosure rather than coverage standardisation. That approach has given way to a more interventionist framework as cyber losses have grown and as the Indian data protection and cybersecurity regulatory environment has developed new obligations that interact directly with insurance.
The pivotal regulatory document is IRDAI's Product Filing Guidelines (consolidated and updated in 2024 under IRDAI's broader Insurance Products Regulations framework), which set out the minimum information that an insurer must include in a cyber insurance product filing and the coverage elements that IRDAI expects to see addressed in any product marketed as cyber insurance. These guidelines do not prescribe exact policy wordings, but they establish a structural expectation: a compliant cyber insurance product must address, at minimum, first-party loss, third-party liability, regulatory defence costs, and crisis management expenses. Products that do not address these four categories must explain in the filing why they have been excluded.
Separately, IRDAI's Information Security Guidelines 2023, directed at insurers themselves rather than at policyholders, require all IRDAI-regulated insurers to maintain minimum information security standards, report cyber incidents affecting their own operations to IRDAI within defined timelines, and conduct periodic cyber risk assessments. These guidelines are significant for commercial buyers because they affect the security posture and claims-handling capability of their insurer. A buyer should, as part of their insurer selection process, verify that their insurer has a credible cyber incident response capability — not just coverage under the policy, but the operational capacity to respond to a claim efficiently when the buyer's own systems are compromised.
IRDAI's Sandbox Regulatory Framework (IRDAI (Regulatory Sandbox) Regulations, 2019 and subsequent orders) has been used by a small number of insurers to obtain approval for innovative cyber products that sit outside the standard product filing framework. Sandbox approvals have been granted for parametric cyber products (paying a fixed sum upon verified occurrence of a defined cyber event without requiring loss quantification) and for products covering novel cyber risks such as deepfake-facilitated fraud. Buyers seeking cover for emerging cyber risk categories should ask their insurer whether the product they are purchasing is a mainstream filed product or a sandbox-approved product, as the regulatory treatment and renewal certainty differ.
CERT-In Incident Reporting and the 6-Hour Obligation
The Indian Computer Emergency Response Team (CERT-In) Directions, 2022, issued under Section 70B of the Information Technology Act, 2000, represent the most immediately operationally relevant cybersecurity regulation for Indian commercial organisations. The Directions require covered entities — which include virtually all companies providing digital products or services, all cloud service providers, government bodies, and data centres — to report 52 categories of cyber incidents to CERT-In within 6 hours of noticing the incident. This 6-hour window is among the shortest mandatory reporting timelines in any jurisdiction globally.
For a commercial buyer holding a cyber insurance policy, the CERT-In 6-hour obligation has direct implications for how the policy should work in practice. The first question is whether the policy's incident response process is fast enough to support a CERT-In notification. A cyber policy that requires the buyer to notify the insurer before contacting authorities, or that has an insurer-controlled incident response process with slow activation, is structurally incompatible with the CERT-In timeline. Buyers should specifically review the policy's notification clause to confirm that it permits immediate regulatory notification without prior insurer consent, and that the duty to notify the insurer does not override or delay the duty to notify CERT-In.
The second implication is on evidence preservation. CERT-In's Directions also require covered entities to maintain logs of specified categories of ICT system activity for 180 days and to provide these logs to CERT-In on demand. From an insurance perspective, these logs are critical evidence in a cyber claim — they establish the timeline of the incident, the systems affected, the data accessed, and the attacker's methods. A cyber policy should ideally include coverage for the reasonable costs of log preservation, forensic evidence collection, and CERT-In response obligations as part of its crisis management expense coverage. Buyers should verify that their policy wording includes these specific expense categories rather than assuming they fall under a generic 'costs and expenses' provision.
The CERT-In Directions additionally require organisations to synchronise their ICT system clocks with the National Informatics Centre's Network Time Protocol server, maintain contact information for CERT-In on a 24x7 basis, and designate a point of contact for CERT-In communications. These operational requirements, while not insurance-related, are part of the compliance programme that cyber insurance underwriters assess during underwriting, and a buyer with a demonstrably compliant CERT-In posture is better positioned to negotiate lower premiums and broader terms.
Minimum Coverage Elements: First Party, Third Party, Regulatory Defence, and Crisis Costs
IRDAI's product filing guidance for cyber insurance identifies four structural coverage elements. Understanding what each element does and does not cover — and where the gaps are in Indian market policy wordings — is the central skill a commercial buyer needs to evaluate cyber insurance intelligently.
First-party coverage addresses losses directly suffered by the insured organisation: the cost of forensic investigation to determine the extent and cause of a cyber incident, data restoration costs (the cost of recreating or recovering data that has been destroyed or corrupted), system repair and replacement costs, business interruption loss (loss of income or increased cost of working while systems are unavailable), and cyber extortion or ransomware response costs (discussed separately below). Indian cyber policies vary considerably in how these first-party heads of loss are defined. The most common gaps are: narrow definitions of 'system damage' that exclude cloud infrastructure not owned by the insured; sub-limits on business interruption that are inadequate relative to the organisation's actual income exposure; and waiting periods (typically 8 to 24 hours) before business interruption cover begins, which exclude the initial loss period. Buyers should specifically negotiate these sub-limits and waiting periods rather than accepting the standard policy structure.
Third-party coverage addresses liability claims brought against the insured by customers, business partners, or regulators for losses they have suffered as a result of a cyber incident affecting the insured's systems. In the Indian context, the most relevant third-party exposures are: claims by customers whose personal data was compromised in a breach (relevant post-DPDP Act implementation), claims by business partners for contractual breach or for losses caused by a cyber incident that propagated through supply chain systems, and regulatory penalties or defence costs arising from investigations by CERT-In, the Data Protection Board, SEBI, or RBI. Indian cyber policies commonly include third-party coverage, but the extent to which regulatory fines and penalties are covered varies: some policies cover regulatory defence costs (the legal costs of responding to a regulatory investigation) but exclude the fine or penalty itself; others include limited penalty coverage.
Regulatory defence coverage is the specific coverage for the costs of responding to a regulatory investigation or enforcement action arising from a cyber incident. Given the proliferation of Indian cyber and data protection regulations — CERT-In Directions, DPDP Act, RBI cybersecurity framework, SEBI cyber circular, IRDAI information security guidelines — the number of regulators who might initiate post-incident scrutiny of a large Indian commercial organisation is significant. A well-structured cyber policy should name, or at minimum not exclude, the major Indian regulators whose investigations could generate defence costs.
Crisis management expense coverage addresses the immediate response costs of a cyber incident that are not easily categorised as first-party loss or third-party liability: public relations and crisis communications consulting (managing the reputational damage of a publicly disclosed breach), notification costs (the cost of notifying affected individuals, now a legal requirement under the DPDP Act for significant breaches), credit monitoring services offered to affected individuals, and the costs of engaging a specialist breach coach or cyber counsel to manage the incident response. These costs can individually run into crores of rupees for a large breach event, and they need to be explicitly covered rather than assumed.
Ransomware Coverage, FEMA Constraints, and What Buyers Must Understand
Ransomware coverage — specifically, coverage for the payment of a ransom demand to a threat actor who has encrypted the organisation's systems — is the most legally and regulatorily contested element of cyber insurance in India. Understanding the constraints is essential for any commercial buyer who considers ransomware payment coverage a meaningful element of their cyber protection.
The core legal constraint operates through the Foreign Exchange Management Act, 1999 (FEMA) and the regulations issued by RBI under it. Virtually all ransomware demands are denominated in cryptocurrency (typically Bitcoin or Monero) and are directed to wallet addresses controlled by threat actors who are almost certainly located outside India. A payment from India to such a wallet address involves an outward remittance of foreign exchange. Under FEMA and the RBI's master directions on remittances, outward foreign exchange remittances must be made through an Authorised Dealer bank and must conform to the categories of permissible current account transactions under the current account rules. A ransomware payment to an offshore criminal does not fit any recognised permissible current account transaction category, and there is no RBI approval mechanism for this type of payment. The FEMA legal risk — prosecution of the paying organisation under FEMA — is therefore real.
Beyond FEMA, the CERT-In Directions 2022 require organisations to report ransomware attacks to CERT-In within 6 hours. CERT-In's published guidance, while not legally prohibiting ransomware payment, strongly discourages payment on the ground that it encourages further attacks and does not guarantee data recovery. The combination of CERT-In's position, FEMA constraints, and potential sanctions risk under the Ministry of Finance's notification on sanctions compliance (which India has aligned partially with international financial sanctions frameworks) means that most Indian cyber insurers include ransomware payment coverage in their policies but with a clause requiring that the payment not violate applicable law. In practice, this reservation means that the ransomware payment coverage is illusory for most Indian-domiciled insureds making payment from India to foreign wallets.
Buyers who consider ransomware payment coverage material to their risk management should ask insurers two specific questions: first, whether the policy has been structured with overseas policy issuance or co-insurance involving a non-Indian insurer such that a payment can be facilitated through a compliant non-Indian entity; second, whether the insurer has a tested ransomware response protocol that includes legal advice on the FEMA position at the time of the incident. The answer to both questions will reveal whether the ransomware coverage is genuinely functional or merely a marketing feature.
Data Localisation, Claims Servicing, and the RBI and SEBI Cyber Frameworks
IRDAI's data localisation requirements for insurers — established through the IRDAI Information Security Guidelines 2023 and reinforced by broader Indian data localisation policies — require that all policyholder data maintained by Indian-licensed insurers be stored on servers located within India. This requirement has a direct practical consequence for cyber insurance claims servicing: the forensic evidence, claims documentation, legal correspondence, and settlement records relating to an Indian cyber insurance claim must be processed and stored within the Indian regulatory perimeter.
For commercial buyers, this data localisation requirement matters because it constrains the way a global insurer's cyber claims response can work. A multinational insurer with a global cyber claims team that processes all claims through a platform hosted outside India cannot fully service Indian cyber claims in compliance with the localisation requirement. Buyers should verify that their cyber insurer has a claims handling infrastructure that complies with the data localisation rules — either a full India-based claims team or a technical architecture that ensures all India policyholder data remains on Indian servers even where global specialist resources are involved in the response.
The RBI Cyber Security Framework for Banks (RBI Circular No. RBI/2015-16/418, updated through subsequent master directions) establishes detailed cybersecurity requirements for all scheduled commercial banks and, by extension, for the non-bank financial institutions (NBFCs) that RBI regulates. Banks that purchase cyber insurance as part of their operational risk management — and most significant Indian banks now include cyber insurance in their risk transfer programme — need to ensure that the cyber policy is consistent with RBI's framework. Specifically: RBI requires banks to have a detailed cyber crisis management plan, to conduct regular penetration testing and vulnerability assessment, to report cyber incidents to RBI's CSITE (Cyber Security and Information Technology Examination) cell within specified timelines, and to maintain specific recovery time objectives for critical banking systems. A bank evaluating a cyber policy should check that the policy's incident response structure does not conflict with its RBI-mandated crisis management plan, and that the policy's business interruption provision covers the specific categories of loss (including reputational and regulatory costs) that the RBI framework recognises as material.
SEBI's Cybersecurity and Cyber Resilience Framework (CSCRF), issued as a circular in 2024, applies to all SEBI-regulated market intermediaries including stock brokers, depository participants, mutual funds, and portfolio managers. The CSCRF requires these entities to maintain a baseline of technical controls (covering endpoints, networks, applications, and data), to submit annual cybersecurity compliance reports to their respective stock exchanges or depositories, and to report significant cyber incidents to SEBI within specified timelines. For a stock broker or portfolio manager evaluating cyber insurance, the intersection with SEBI's CSCRF creates specific coverage questions: does the cyber policy cover regulatory defence costs for a SEBI investigation following a breach, and does the policy's definition of a cyber incident align with SEBI's incident classification? The intersection between D&O (Directors and Officers liability) coverage and cyber coverage is also relevant here: SEBI has taken action against senior management of regulated entities for cybersecurity failures, which may fall under D&O coverage if framed as a governance failure rather than a pure technical incident. Buyers with both D&O and cyber policies need to verify that there is no coverage gap between these policies on the regulatory action risk.
The DPDP Act and Cyber Insurance: Notification Obligations and Coverage Gaps
The Digital Personal Data Protection Act, 2023 (DPDP Act) fundamentally changes the cyber insurance calculus for Indian commercial organisations that process personal data — which includes virtually every commercial enterprise of any scale. The DPDP Act, as operationalised through Rules notified in 2025, establishes: a mandatory breach notification obligation to the Data Protection Board of India (DPBI) for significant personal data breaches; the potential for civil monetary penalties up to INR 250 crore for violations of the Act's provisions on data security; and a framework for adjudication by the DPBI of breach complaints.
For cyber insurance buyers, the DPDP Act creates three specific coverage needs that did not exist (or existed in attenuated form) under the previous regulatory regime. First, breach notification costs: the DPDP Act requires data fiduciaries (organisations that determine the purpose and means of processing personal data) to notify both the DPBI and affected data principals (individuals) of a personal data breach without delay. The cost of this notification — particularly for large-scale breaches affecting millions of individuals — can run into significant sums, covering identity verification, postal or electronic notification, a 24-hour notification hotline, and credit monitoring services. These costs should be explicitly covered under the cyber policy's crisis management expense provision.
Second, regulatory penalty coverage: the DPDP Act's penalty structure is graduated and can reach INR 250 crore for the most serious violations (failure to implement reasonable data security safeguards resulting in a personal data breach, and subsequent failure to notify). Most Indian cyber policies currently exclude regulatory fines and penalties from coverage on the grounds that fines are uninsurable as a matter of public policy, but this exclusion deserves careful review. Regulatory defence costs — the legal costs of responding to a DPBI investigation and adjudication — are generally insurable and should be explicitly included. Buyers should verify that the policy language on regulatory penalty exclusion is narrowly drawn (excluding only the penalty itself) and does not bleed into excluding defence costs.
Third, third-party claims by data principals: under the DPDP Act, a data principal who has suffered harm as a result of a breach can file a complaint with the DPBI and may pursue compensation through the adjudication mechanism. These claims against the data fiduciary are third-party liability risks that should fall under the cyber policy's third-party coverage. However, the Act's compensation mechanism is relatively new and the volume of such claims has not yet been established, so insurer appetites and sub-limits on this coverage vary. Buyers should ask specifically how their insurer has structured the third-party section to respond to DPDP Act-related claims and whether the sub-limit is adequate for the organisation's data processing scale.
Buyer action point: If your cyber policy was placed before the DPDP Rules notification in 2025, obtain an endorsement from your insurer that confirms coverage for DPDP Act breach notification costs, DPBI investigation defence costs, and third-party claims arising from DPDP Act adjudication. Do not assume that a pre-2025 policy automatically responds to the new statutory obligations.
Building a Buyer-Side Cyber Insurance Checklist for the Current Regulatory Environment
The regulatory inputs described in this article — IRDAI product filing requirements, CERT-In incident reporting obligations, FEMA constraints on ransomware payment, RBI and SEBI sectoral cybersecurity frameworks, and the DPDP Act's data breach obligations — collectively require a more rigorous and technically specific approach to cyber insurance purchasing than was necessary even two years ago. The following checklist reflects the specific verification steps that an Indian commercial buyer should complete before binding a cyber policy.
On policy structure: verify that the policy addresses all four coverage elements in IRDAI's filing guidance (first-party loss, third-party liability, regulatory defence, and crisis management expenses) with sub-limits that are adequate for the organisation's actual risk profile rather than market default amounts. For a mid-sized IT services company processing sensitive client data, an INR 25 crore first-party sub-limit may be insufficient; model the probable loss from a major ransomware incident affecting the organisation's revenue-generating systems over a realistic recovery period before accepting the proposed sub-limit.
On CERT-In compatibility: read the policy's notification clause carefully to confirm that it permits immediate notification to CERT-In and other regulators without prior insurer consent. If the clause is ambiguous, request a specific endorsement confirming this permission. Also verify that the policy's crisis management expense coverage explicitly includes CERT-In response costs, log preservation costs, and forensic evidence collection.
On ransomware coverage: have an explicit conversation with the insurer and with legal counsel about whether a ransomware payment from India to a foreign wallet is legally permissible under FEMA in the event of a severe attack. If the legal advice is that payment from India carries FEMA risk, understand how the policy proposes to address this — and whether the ransomware coverage is actually functional.
On DPDP Act alignment: if the policy was placed before the DPDP Rules notification in 2025, request an endorsement confirming coverage for DPDP Act breach notification costs, DPBI investigation defence costs, and third-party claims under the DPDP Act adjudication framework. At renewal, negotiate explicit policy language rather than relying on endorsements.
On sectoral frameworks: if the buyer is regulated by RBI or SEBI, verify that the policy's incident response structure does not conflict with the RBI crisis management plan or the SEBI CSCRF reporting obligations, and that the D&O and cyber policies have been reviewed together for gaps in regulatory action coverage arising from cybersecurity-related governance failures.
On data localisation: ask the insurer to confirm in writing that its claims handling infrastructure for the India policy complies with IRDAI's data localisation requirements, and that the claims team or breach response panel that will handle the buyer's claim has the expertise to manage regulatory interactions with CERT-In, the DPBI, RBI, and SEBI simultaneously, which is the realistic scenario in a large-scale breach event.

