Why Vendor Indemnity Requirements Exist and What They Are Trying to Do
When an Indian company engages a third-party vendor — a facility management company, an IT service provider, a catering contractor, a security agency, or a logistics partner — it introduces risk into its operations that it cannot fully control. The vendor's workers access the buyer's premises. The vendor's software touches the buyer's data. The vendor's vehicles carry the buyer's goods. Any one of these interactions can generate a loss: a slipping incident by a contract cleaner, a data breach caused by a vendor's unsecured API, a delivery driver's road accident injuring a third party while carrying the buyer's cargo.
The indemnity clause in a vendor agreement is the contractual mechanism by which the buyer attempts to transfer the financial consequence of these vendor-caused losses back to the vendor. The structure is straightforward: the vendor agrees to indemnify, defend, and hold harmless the buyer from any claims, losses, costs, or liabilities arising from the vendor's negligence, breach of contract, or wilful misconduct. The indemnity clause is the legal obligation; vendor insurance is the financial resource that makes the obligation meaningful.
Without vendor insurance, an indemnity clause is an unsecured promise from a counterparty that may have limited assets. In a real loss scenario — a third-party claim for INR 3 crore arising from an IT vendor's data breach — the value of the indemnity clause depends entirely on whether the vendor's Professional Indemnity (PI) or Cyber Liability policy will pay. If the policy has lapsed, been excluded for the specific peril, or has a sub-limit smaller than the claim, the buyer faces the residual loss.
Understanding this connection between the indemnity clause and the vendor's insurance policy is the starting point for any effective vendor risk management programme in India. The contract drafting challenge is not simply to include an indemnity clause but to ensure the clause is backed by specific, verifiable, and maintained insurance coverage.
Common Vendor Indemnity Structures in Indian Commercial Agreements
Indian commercial agreements across sectors use a range of indemnity structures, varying from broad unlimited indemnities to narrowly capped mutual indemnity regimes. Understanding the spectrum helps buyers assess what they are actually getting.
Unlimited indemnity clauses, common in early-stage IT outsourcing agreements and facility management contracts, provide the broadest textual protection for the buyer. The vendor indemnifies the buyer for all losses arising from vendor negligence without a monetary cap. In practice, unlimited indemnity clauses are only as valuable as the vendor's ability to pay, and most mid-market Indian vendors cannot absorb a multi-crore claim from their own resources. An unlimited indemnity clause without corresponding unlimited (or at least high-limit) vendor insurance is illusory protection.
Liability caps pegged to annual contract fees have become the market standard in IT service agreements, particularly those following NASSCOM's model contract frameworks and international IT outsourcing practice. A typical IT services agreement will cap the vendor's aggregate liability at one to three times the annual fees paid under the contract, with further sub-limits for specific loss categories. For an INR 2 crore per year IT service contract, this means the vendor's maximum liability is capped at INR 4-6 crore. If the vendor's data breach causes a regulatory fine of INR 8 crore plus third-party claims of INR 5 crore, the buyer bears the uncapped excess.
Gross negligence and wilful misconduct carve-outs from liability caps are included in most professionally negotiated contracts: the cap does not apply to losses arising from the vendor's gross negligence or intentional wrongdoing. In theory, this preserves the buyer's right to full recovery in the worst cases. In practice, Indian courts have interpreted the boundary between ordinary negligence and gross negligence narrowly, and litigation to establish gross negligence before recovering beyond the cap is slow and expensive.
Mutual indemnity regimes, where both vendor and buyer indemnify each other for their respective negligence, have become common in large IT and infrastructure contracts. The practical effect for the buyer is a reduction in net recovery rights, because the buyer's own negligence (even partial) can reduce or eliminate the vendor's indemnity obligation. In sectors with ambiguous contributory negligence (joint IT system failures, shared infrastructure incidents), mutual indemnity structures can significantly complicate post-loss recovery.
Drafting Effective Minimum Insurance Requirement Clauses for Indian Vendor Agreements
The minimum insurance requirement clause is the operational bridge between the indemnity obligation and the insurance that funds it. A well-drafted clause specifies exactly what insurance the vendor must maintain, at what limits, with what insurer, and how compliance is demonstrated. Vague clauses like "the vendor shall maintain adequate insurance" are unenforceable in any meaningful sense.
An effective minimum insurance requirement clause for an Indian vendor agreement should include the following elements:
Coverage type: specify each policy that the vendor must maintain. For a facility management vendor, this would include at minimum: (i) Employees' Compensation insurance covering all workers deployed at the buyer's premises, (ii) Public Liability insurance for third-party bodily injury and property damage arising from the vendor's operations, and (iii) if the vendor handles the buyer's property, a Marine Cargo or Inland Transit policy or a goods in custody extension under the PL policy. For an IT vendor, add (iv) Professional Indemnity (Errors and Omissions) insurance, and (v) Cyber Liability insurance.
Minimum limits: express limits in Indian Rupees with explicit per-occurrence and aggregate limits. For a mid-market IT vendor handling sensitive customer data, a PI policy limit of INR 5 crore per claim / INR 10 crore aggregate and a cyber liability limit of INR 3 crore are reasonable starting points as of 2026 market practice. These limits should be reviewed when the contract is renewed and calibrated to the actual data volume and revenue at risk.
IRDAI-licensed insurer requirement: specify that all insurance must be placed with an insurer licensed by the Insurance Regulatory and Development Authority of India (IRDAI) under the Insurance Act, 1938, or with a Lloyd's of London syndicate through a permitted cross-border arrangement. This prevents vendors from presenting certificates from unlicensed entities or foreign insurers that cannot be verified or relied upon for claims in India.
Policy period alignment: require the vendor's insurance policies to be maintained throughout the contract term and for a specified run-off period after contract termination (typically 24-36 months for PI cover, to capture late-emerging errors and omissions claims).
Certificate of insurance requirement: require the vendor to provide a certificate of insurance (COI) from the insurer (not just from the vendor or broker) before work commences and at each policy renewal. The COI should confirm coverage type, policy number, insurer, coverage period, and minimum limits. Some buyers additionally require the insurer to notify the buyer directly in the event of policy cancellation or material change, accomplished through an endorsement to the vendor's policy.
Enforceability of Indemnity Clauses Under Indian Contract Law
The enforceability of vendor indemnity clauses in India is governed by Sections 124 and 125 of the Indian Contract Act, 1872. Section 124 defines a contract of indemnity as a contract by which one party promises to save the other from loss caused by the promisor's own conduct or the conduct of any other person. Section 125 specifies the rights of the indemnity holder: recovery of damages, costs, and sums paid in any suit concerning matters covered by the indemnity.
India's courts have historically interpreted indemnity clauses narrowly, consistent with the principle that a contract that derogates from the promisor's rights is construed strictly against the party seeking to enforce it. Broad indemnity language covering all losses, whether direct or indirect, foreseen or unforeseen, suffered by the buyer arising from the vendor's conduct, has been questioned by courts on grounds of unconscionability and lack of mutuality. Several High Court decisions have refused to enforce unlimited indemnity clauses where they found the clause one-sided and capable of generating liability grossly disproportionate to the commercial benefit received by the vendor.
The broad form indemnity (covering the buyer's own concurrent negligence) is particularly problematic in India. Unlike the US, where broad form indemnities are enforced in many states in commercial contracts, Indian courts have not consistently upheld indemnity clauses that purport to make the vendor liable for loss caused by the buyer's own negligence or fault. This creates a coverage gap in scenarios of joint liability, particularly common in IT system incidents, facility accidents on jointly managed premises, and supply chain losses with multiple contributing parties.
Limited form indemnity (covering only losses caused solely by the vendor's negligence, excluding any loss to which the buyer contributed) is more reliably enforceable under Indian law and is the preferred structure for agreements that must withstand Indian court scrutiny. The trade-off is that the buyer's recovery is reduced in any mixed-fault scenario.
A separate enforceability dimension concerns consequential loss exclusions. Most vendor agreements in India exclude liability for consequential loss: lost profits, loss of business, reputational damage, and indirect losses are excluded from the indemnity. From the buyer's perspective, these exclusions can eliminate the most significant categories of loss following a vendor failure. An IT vendor's system outage causing the buyer's e-commerce platform to be down for 48 hours may generate direct costs of INR 50 lakh (incident response, remediation) and consequential revenue loss of INR 3 crore. The indemnity, if subject to a consequential loss exclusion and a liability cap of annual fees, may pay only INR 50 lakh of direct costs — leaving the buyer to absorb the revenue loss.
Buyers should review these exclusions carefully and consider whether their own business interruption or cyber insurance can fill the gap left by the vendor's consequential loss exclusion.
Vendor Insurance Compliance Monitoring: Certificates, Lapses, and Mid-Contract Failures
Obtaining an insurance certificate at contract signature is the first step in vendor insurance management, not the last. The real operational challenge is maintaining visibility into the vendor's insurance status throughout the contract lifecycle, particularly across multi-year agreements where vendor circumstances change.
Certificate collection and storage: the buyer's procurement or legal team should maintain a vendor insurance register mirroring the structure recommended for contractor insurance in large principal employer programmes. Each vendor entry should include: policy types and numbers, insurer names, policy periods, minimum limits confirmed by the COI, and the next renewal dates. Renewal dates should be flagged automatically 60 days in advance, triggering a request to the vendor for updated certificates.
What to do when a vendor's policy lapses mid-contract: a vendor's failure to renew its PI or PL policy creates an immediate gap in the risk transfer chain. The buyer's options are:
- Issue a formal notice to the vendor requiring reinstatement of coverage within a specified cure period (typically 5-10 business days). Suspend vendor access to sensitive systems or premises during the cure period if the risk profile warrants.
- Purchase a replacement policy at the vendor's cost. For short-term gaps, some buyers purchase a contingency third-party liability policy that covers the specific vendor's operations at the buyer's site, seeking reimbursement from the vendor under the contract's cost recovery clause.
- Invoke the contract's termination for cause provisions if the vendor persistently fails to maintain required insurance. Insurance compliance is a material contract obligation; persistent breach justifies termination.
Sector-specific monitoring challenges: IT outsourcing vendors present a particular challenge because their PI policies are claims-made policies — they cover claims made during the policy period, regardless of when the underlying error occurred, but only if the policy is in force when the claim is submitted. If an IT vendor's PI policy lapses and a claim arising from a pre-lapse error is submitted after the lapse, there is no coverage. Buyers with multi-year IT outsourcing relationships should require vendors to maintain run-off cover for a minimum of 24-36 months after any policy cancellation and after contract termination.
For facility management, catering, and security agency vendors, the monitoring focus is on EC insurance and public liability policies, both of which are annually renewable occurrence-based policies. Lapse detection is more straightforward but the consequences of a lapse are immediate: an uninsured facility management worker injured during the lapse period creates uninsured EC Act exposure for both the vendor and (under Section 12) the principal employer.
Insurance Gaps in Key Vendor Sectors: IT Outsourcing, Facility Management, Security, and Catering
India's vendor ecosystem has predictable insurance gaps that vary by sector. Buyers should calibrate their insurance requirements and monitoring intensity based on the sector's known gap profile.
IT outsourcing vendors: India's IT services sector comprises thousands of companies ranging from large listed players (Infosys, Wipro, HCL) with sophisticated insurance programmes to small application development boutiques and staffing firms with minimal coverage. The large IT vendors typically carry PI policies with aggregate limits of INR 50-500 crore from IRDAI-licensed insurers, often backed by Lloyd's facultative reinsurance. Smaller IT vendors below INR 50 crore in annual revenue frequently carry PI policies with limits of INR 1-5 crore that are grossly inadequate relative to the data exposure they manage for clients. The gap between the contractual liability cap (typically one to three times annual fees) and the PI policy limit is often bridged by nothing. Buyers should independently assess each vendor's PI limit relative to the data volume and business criticality of the services procured, rather than rely on template minimum limit requirements.
Facility management companies in India range from large listed companies (BVG India, Updater Services, Quess Corp) to thousands of small regional contractors. Large facility management companies typically carry EC insurance and PL policies as a matter of standard practice, often required by institutional client contracts. Small operators, particularly those deployed in tier-2 and tier-3 cities, routinely lack valid EC insurance for their workers and may carry PL policies with limits as low as INR 25-50 lakh, which are inadequate for liability claims in major urban centres where medical costs and income loss calculations are significantly higher. Buyers should require facility management vendors to produce EC certificates naming each deployment location and showing the worker count.
Security agencies present a unique dual exposure: the risk of a security guard injuring a third party through excessive force during an incident, and the risk of theft or pilferage during the guard's watch. Security agency insurance should include EC coverage for guards, public liability coverage for excess-force incidents, and a fidelity guarantee or crime insurance section for theft by guards. Many small Indian security agencies carry minimal insurance: EC coverage only, without PL or fidelity sections. The fidelity gap is significant for buyers where guards have access to inventory, cash, or sensitive materials.
Catering contractors managing in-house canteens or event catering at the buyer's premises create food safety liability (claims under the Food Safety and Standards Act, 2006 and regulations thereunder), worker injury liability (EC coverage for catering workers), and property damage liability (fire and contamination events in the buyer's kitchen facilities). FSSAI-licensed catering contractors are required to maintain food safety management systems, but FSSAI licensing does not mandate food product liability insurance. Buyers of catering services should specify minimum public liability cover with a food contamination extension and require FSSAI licence copies alongside the insurance certificate.
When Vendor Insurance Is Inadequate: Buyer Options and Risk Retention Strategies
Even with well-drafted insurance requirements and diligent monitoring, buyers will encounter vendors whose coverage is inadequate for the risk profile. This is particularly common when procuring specialised or niche services from vendors with limited market alternatives: a single-source software vendor whose product is deeply integrated into the buyer's operations, or a specialist technical service provider with unique expertise. The buyer cannot simply replace them, and the vendor's insurance market access is limited by the specialist nature of their risk.
In these situations, buyers have several practical responses:
Risk retention through contract pricing: if the buyer determines that the vendor's maximum liability under its insurance is INR 2 crore but the buyer's actual exposure from vendor failure is INR 8 crore, the buyer can treat the INR 6 crore gap as a retained risk and price it into the vendor relationship: either through a contract price reduction that reflects the buyer's increased risk assumption, or by building the gap into the buyer's own risk reserve.
Backup coverage from the buyer's own policies: buyers with a Commercial General Liability (CGL) policy or a Cyber Liability policy can examine whether their own policies provide a backstop for losses arising from vendor negligence. CGL policies typically cover third-party bodily injury and property damage for which the insured (the buyer) is found legally liable, which can include situations where the buyer is jointly liable alongside a vendor for a third-party loss. However, most CGL policies exclude vendor errors and omissions from the GL coverage, and losses that are purely vendor-caused without any buyer contribution will typically not trigger the buyer's CGL. The buyer's cyber policy may provide better overlap for technology vendor failures if the policy's third-party coverage section extends to cyber events caused by vendor negligence.
Additional insured endorsements: in Indian insurance practice, naming a party as an additional insured on the vendor's policy is available but not a standard market feature — it requires a specific endorsement from the vendor's insurer. The additional insured endorsement gives the buyer the right to claim directly under the vendor's policy for losses that would otherwise be the vendor's indemnity obligation. This is particularly valuable when the vendor's financial condition is uncertain. Buyers should negotiate additional insured status for high-value vendor relationships and confirm the endorsement exists on the actual policy, not just in the contract.
Contract price adjustment for insurance cost: when a vendor cannot obtain required insurance at commercially reasonable cost (for example, a small IT startup that cannot access cyber liability cover), the buyer can offer a pricing adjustment: the buyer purchases the additional coverage itself (a contingency cyber policy covering the specific vendor's access to the buyer's systems) and adjusts the contract price downward by the cost of that coverage. This approach keeps the vendor engaged while filling the insurance gap at the buyer's initiative.
The common thread across all these strategies is that vendor insurance management cannot be delegated entirely to the procurement process. It requires ongoing involvement from the buyer's legal, insurance, and risk management teams throughout the vendor relationship lifecycle.

