
Insurance for Indian SaaS Unicorns: Structuring Global Coverage Across Jurisdictions

A detailed guide to structuring insurance programmes for Indian SaaS companies operating at unicorn scale, covering US E&O and cyber liability, D&O for IPO-track boards, IRDAI-admitted placements, surplus lines considerations, and the interplay between Indian master policies and local admitted covers in key revenue markets.

Sarvada Editorial Team, Insurance Intelligence
14 min read
Tags: saas-insurance, unicorn-startups, global-coverage, cyber-liability, errors-and-omissions, directors-and-officers, irdai, cross-border-insurance, ipo-readiness, tech-liability

Last reviewed: April 2026

Why Indian SaaS Unicorns Face a Unique Insurance Problem

Indian SaaS companies at unicorn scale occupy a peculiar position in the global market. Their registered offices and engineering teams sit in Bangalore, Hyderabad, or Pune. Their revenue, often 80-95% of total billings, comes from enterprise customers in the United States, Europe, and the Middle East. Their holding structures frequently involve a US or Singapore parent with an Indian operating subsidiary. Their boards include investors domiciled in three or four countries. And their contracts are governed by the laws of California, Delaware, or England, not India.

This geographic fragmentation creates an insurance problem that neither a purely Indian policy nor a purely US policy can solve. An Indian-admitted policy placed through an IRDAI-licensed insurer covers the Indian entity but may not respond to claims brought against the US subsidiary in a California court. A US surplus lines policy covers the American operations but leaves the Indian entity, which employs the bulk of the workforce and holds most of the intellectual property, without admitted coverage.

The stakes are not hypothetical. SaaS companies processing customer data across borders face data breach notification obligations under multiple regulatory regimes simultaneously: India's Digital Personal Data Protection Act (DPDPA), the EU's GDPR, and various US state privacy laws including the CCPA. A single breach event can trigger parallel regulatory investigations, class action litigation in the US, and contractual indemnification claims from enterprise customers, each governed by different substantive law and each requiring insurance that responds in the relevant jurisdiction.

For unicorns on an IPO track, the problem intensifies. Public market investors, underwriters of the IPO itself, and stock exchange listing requirements all demand evidence of adequate D&O coverage. But 'adequate' means different things depending on the listing venue. A SEBI-regulated Indian listing has different D&O requirements than a US SEC-regulated listing. Many Indian SaaS unicorns are evaluating dual listings or US-only listings, and each path demands a different insurance architecture.

The Controlled Master Programme: Architecture for Multi-Jurisdiction SaaS Coverage

The standard solution for multinational insurance needs is a controlled master programme (CMP), sometimes called a global programme. For Indian SaaS unicorns, the CMP architecture typically involves three layers.

The first layer is the master policy, placed in the jurisdiction of the parent entity. If the holding company is incorporated in Delaware or Singapore, the master policy is placed there. This policy provides the broadest coverage terms and the highest limits. It acts as the 'umbrella' that catches claims falling through gaps in local policies. The master policy is typically placed with a global insurer, such as AIG, Chubb, Zurich, or Allianz, that has the capacity to issue local policies through its network in each jurisdiction where the company operates.

The second layer consists of local admitted policies in each jurisdiction where the company has a meaningful presence. For the Indian operating subsidiary, this means an IRDAI-admitted policy placed through a licensed Indian insurer or the Indian branch of a global insurer. For the US subsidiary, it means a policy admitted in the relevant state (or placed on a surplus lines basis if admitted market capacity is insufficient). Local admitted policies are necessary for two reasons: regulatory compliance (many jurisdictions require insurance to be placed with locally licensed insurers) and tax efficiency (premium paid for non-admitted coverage may not be tax-deductible, and the policyholder may face penalties for violating local insurance regulations).

The third layer is the difference in conditions / difference in limits (DIC/DIL) provision within the master policy. This provision ensures that if a local policy provides narrower coverage or lower limits than the master policy, the master 'drops down' to fill the gap. Conversely, if the local policy provides broader coverage on a specific point (for instance, if Indian law mandates a coverage feature not present in the master), the broader local terms prevail.

For an Indian SaaS unicorn with operations in India, the US, and possibly the UK or Germany, a well-structured CMP might involve four to six policies working in concert. The coordination between these policies, ensuring no gaps and no unintended overlaps, is the core challenge. This coordination requires a broker with genuine multinational programme expertise, not merely a domestic broker with a 'global network' affiliation.

US E&O and Technology Liability: The Coverage That Enterprise Customers Demand

For Indian SaaS companies selling to US enterprise customers, technology errors and omissions (Tech E&O) insurance is not optional. It is a contractual prerequisite. Virtually every enterprise SaaS agreement with a Fortune 500 or mid-market US buyer includes a provision requiring the vendor to maintain Tech E&O coverage with minimum limits, typically USD 5 million to USD 10 million for mid-market contracts and USD 10 million to USD 25 million for large enterprise deals.

Tech E&O covers claims arising from failures in the SaaS product or service: software bugs that cause customer data loss, system outages that disrupt the customer's operations, failures to meet contractually warranted service levels, and errors in the technology that lead to financial loss for the customer. The policy responds to third-party claims brought by the SaaS company's customers or their end users, not first-party losses suffered by the SaaS company itself.

The critical coverage question for Indian SaaS unicorns is where the E&O policy should be placed. US enterprise customers typically require that the policy be issued by an insurer rated A- or better by AM Best and placed on admitted or surplus lines paper in the United States. An IRDAI-admitted E&O policy issued by an Indian insurer, even a subsidiary of a global carrier, generally does not satisfy this requirement. US risk managers want assurance that the policy will respond under US law, that claims can be reported to a US-based claims team, and that disputes will be resolved in a US court.

The practical solution is to place the primary Tech E&O policy in the US, either on admitted paper in the state where the US subsidiary is domiciled or on surplus lines paper through a licensed surplus lines broker. The Indian entity is added as a named insured on the US policy. If the Indian entity has domestic customers (government contracts, Indian enterprise sales), a separate IRDAI-admitted professional indemnity policy may be necessary to cover those engagements, since the US policy may not respond to claims governed by Indian law.

Premium for Tech E&O varies based on the SaaS company's revenue, the nature of data processed, and claims history. For an Indian SaaS unicorn with USD 100-300 million in annual recurring revenue, primary Tech E&O limits of USD 10 million typically cost between USD 150,000 and USD 400,000 annually. Companies processing healthcare or financial data pay premiums at the higher end.

Cyber Liability: Handling DPDPA, GDPR, and US State Privacy Laws Simultaneously

Cyber insurance for an Indian SaaS unicorn must respond to data breach events across multiple regulatory regimes simultaneously. The policy must cover breach notification costs under India's DPDPA, which requires notification to the Data Protection Board of India. It must cover GDPR notification obligations (72-hour notification to the relevant EU supervisory authority) if the company processes data of EU residents. And it must address the patchwork of US state breach notification laws, each with its own definition of 'personal information,' its own notification timeline, and its own penalty structure.

The first-party coverage section typically includes: incident response costs (forensic investigation, legal counsel, public relations), notification costs across all applicable jurisdictions, credit monitoring for affected individuals, business interruption loss resulting from a cyber event, data restoration costs, and cyber extortion payments (subject to sanctions compliance checks and pre-approval requirements from the insurer).

The third-party coverage section addresses: defence costs and damages in lawsuits brought by affected individuals or businesses, regulatory defence costs and fines (to the extent insurable in the relevant jurisdiction), payment card industry (PCI) fines and assessments, and media liability claims arising from the company's online content.

A significant coverage gap arises around regulatory fines. Under Indian law, the DPDPA empowers the Data Protection Board to impose penalties up to INR 250 crore for certain violations. Whether these penalties are insurable remains unsettled. The general principle that fines imposed for unlawful conduct are not insurable applies, but DPDPA penalties for failures in security safeguards are closer to civil liability than criminal punishment. The insurance market has taken a cautious approach, with most policies covering 'regulatory fines to the extent insurable by law' and leaving the question to be tested when a claim actually arises.

GDPR fines (up to 4% of global annual turnover) are treated differently depending on the EU member state. France and Germany generally treat administrative fines as insurable; others take a more restrictive view. US state privacy law fines vary by state. A well-drafted cyber policy includes a 'most favourable jurisdiction' clause that applies the law of the jurisdiction most favourable to coverage when determining the insurability of fines.

D&O Insurance for IPO-Track Boards: SEBI, SEC, and Dual-Listing Scenarios

Directors and officers liability insurance becomes the single most consequential insurance purchase for an Indian SaaS unicorn as it approaches a public listing. The personal liability exposure of board members multiplies at the point of IPO, and sophisticated directors, particularly independent directors and US-based investor-nominees, will not serve on the board without adequate D&O coverage in place.

For a company planning an Indian listing on the NSE or BSE, SEBI's listing obligations and the Companies Act 2013 define the regulatory framework. SEBI can pursue enforcement actions against directors for disclosure failures, insider trading, and market manipulation. Indian D&O policies, placed with IRDAI-admitted insurers, cover defence costs and financial losses arising from wrongful acts committed in the capacity of a director or officer, subject to standard exclusions for fraud, deliberate criminal acts, and bodily injury.

For a company planning a US listing on NYSE or NASDAQ, the D&O requirements are fundamentally different in scale. US securities class action lawsuits are the primary risk driver. Average settlements for securities class actions against technology companies have exceeded USD 30 million in recent years, with mega-settlements reaching USD 100 million or more. Defence costs alone can consume USD 10-20 million. A US-listed Indian SaaS unicorn needs D&O limits of at least USD 50 million, and most advisors recommend USD 75-100 million for companies with market capitalisation above USD 1 billion.

The D&O programme for a US-listed company is built as a tower, with multiple insurers each taking a layer. The primary layer (first USD 10 million) is the most expensive and is placed with an insurer willing to defend the initial litigation wave. Excess layers (USD 10-25 million each) are stacked above, with each insurer's obligation triggered only when the layer below is exhausted.

A dual-listing scenario (India and US) requires D&O coverage that responds to both SEBI and SEC enforcement, to shareholder class actions in US federal courts, and to derivative actions under the Companies Act in Indian courts. The master D&O policy is typically placed in the US or Bermuda, with a local admitted policy in India providing IRDAI-compliant coverage.

One overlooked consideration: D&O policies for IPO-track companies should include an IPO exclusion buyback. Many standard D&O policies exclude claims arising from the IPO itself, specifically prospectus misrepresentation. A separate POSI (public offering of securities insurance) policy must be purchased to cover this exposure, typically placed concurrently with the IPO.

IRDAI Compliance: Admitted Coverage Requirements for the Indian Entity

India's insurance regulatory framework, governed by the Insurance Act 1938 and IRDAI regulations, imposes specific requirements on insurance placements for Indian entities. These requirements constrain the structuring options available to Indian SaaS unicorns and must be navigated carefully to avoid regulatory penalties and tax inefficiencies.

The fundamental rule is that risks located in India must be insured with IRDAI-licensed insurers. The Indian subsidiary of a SaaS unicorn cannot rely solely on a policy issued by a US or Bermuda insurer to cover its Indian operations. The Indian entity's property, employee-related liabilities (workers' compensation, group health, group personal accident), and commercial general liability exposures must be placed with admitted Indian insurers. IRDAI has progressively tightened enforcement of this requirement, and non-compliance exposes the company to penalties under the Insurance Act.

For professional indemnity and cyber liability, the admitted coverage requirement creates a structuring challenge. If the Indian entity is added as a named insured on a US-placed Tech E&O or cyber policy, that policy technically provides coverage for risks located in India without being placed through an IRDAI-licensed insurer. The standard market practice is to place a local Indian policy with an IRDAI-admitted insurer for a portion of the coverage (often with lower limits reflecting the Indian revenue exposure) and to rely on the US master policy for the balance through the DIC/DIL mechanism.

Reinsurance provides the mechanism that makes this structure work. Indian insurers routinely cede risk to international reinsurers, and many global programmes are structured so that the local Indian insurer fronts the policy (issuing it on admitted paper) while ceding most of the risk to the master programme insurer through a facultative reinsurance arrangement. The fronting fee, typically 5-15% of the local premium, is the cost of regulatory compliance.

Tax treatment adds another dimension. Premium paid for IRDAI-admitted policies is subject to GST at 18%. Premium paid to non-admitted foreign insurers may attract withholding tax obligations, and the premium may not be deductible as a business expense if the placement violates IRDAI regulations. Structuring the programme correctly from the outset avoids these tax leakages, which can be material on large premium spends. As of early 2026, there is no specific IRDAI product filing designed for SaaS companies. Indian admitted coverage for tech-specific risks is placed using general professional indemnity and cyber liability wordings, supplemented by endorsements negotiated on a case-by-case basis.

Contractual Insurance Requirements: What US Enterprise Customers Actually Scrutinise

Indian SaaS unicorns selling to US enterprises quickly discover that insurance is not just a risk management tool but a sales enablement requirement. The procurement and legal teams of US enterprise buyers review insurance certificates with the same rigour they apply to SOC 2 reports and penetration test results. Failing to produce acceptable insurance documentation can stall or kill a deal.

The standard contractual insurance requirements in a US enterprise SaaS agreement typically include: commercial general liability (CGL) with limits of USD 1-2 million per occurrence and USD 2-5 million aggregate; technology errors and omissions with limits of USD 5-25 million; cyber liability / privacy breach coverage with limits of USD 5-25 million; workers' compensation as required by the applicable state law; and umbrella / excess liability with limits of USD 5-10 million. For SaaS companies providing services to regulated industries (healthcare, financial services), additional requirements may include specific HIPAA-compliant cyber coverage or fidelity / crime insurance.

Beyond the limits, US enterprise customers scrutinise several specific policy features. They require that the customer be named as an additional insured on the CGL and sometimes the E&O policy. They require a waiver of subrogation, meaning the SaaS company's insurer agrees not to pursue the customer for contribution if a covered claim arises. They require that the policy include a 30-day notice of cancellation provision, ensuring the customer receives advance warning if the SaaS company's insurance lapses. And they require certificates of insurance issued by the insurer or an authorised broker, not self-certified documents.

For Indian SaaS companies, producing compliant certificates from IRDAI-admitted Indian policies is often insufficient. US risk managers expect certificates issued on the standard ACORD 25 form, referencing US-admitted or surplus lines insurers with AM Best ratings. This is one of the primary reasons Indian SaaS unicorns must maintain US-placed insurance alongside their Indian policies. The cost of maintaining parallel programmes is significant, but the revenue enabled by having compliant insurance documentation in place typically dwarfs the premium spend.

A practical tip that many growing SaaS companies learn the hard way: centralise your certificate management process. When you have 50 or 100 enterprise customers each requiring customised certificates with specific additional insured endorsements, the administrative burden becomes material. Assign a dedicated person or use a certificate management platform to track requirements, issue certificates promptly, and ensure renewals are communicated to all customers requiring notification.

Building the Programme: Broker Selection, Market Strategy, and Renewal Discipline

Assembling a global insurance programme for an Indian SaaS unicorn is not a task for a generalist insurance broker. The broker must understand multinational programme architecture, have genuine placement capability in the US, London, and Indian markets, and possess subject-matter expertise in technology company risks. The wrong broker will place a collection of disconnected policies that leave gaps at the jurisdictional boundaries, precisely where claims are most likely to arise.

The selection criteria for a broker should include: demonstrated experience placing global programmes for technology companies (request references from companies of comparable size); a network presence or correspondent broker relationships in India, the US, and any other jurisdiction where you operate; claims advocacy capability (the broker's value is tested at the point of claim, not the point of placement); and the ability to provide programme analytics showing how the various policies interact and where residual coverage gaps exist.

The major global brokers (Marsh, Aon, WTW, Gallagher) all have Indian operations and US technology practice groups. Several specialist technology insurance brokers and managing general agents (MGAs) focus exclusively on SaaS company risks and can provide deeper expertise at the cost of a narrower geographic footprint.

Market strategy matters at renewal. Insurance markets for technology risks have experienced significant volatility, driven by ransomware losses, securities class action frequency, and an evolving risk environment. A broker who approaches the market with a well-prepared submission, including a clear narrative of the company's risk profile, security posture (SOC 2 Type II report, penetration test results, incident response plan), revenue breakdown by geography, and claims history, will obtain materially better terms than one who submits a last-minute application.

Renewal discipline is especially important as the company scales. SaaS unicorn insurance programmes should be reviewed at least 90 days before renewal. The review should assess whether limits remain adequate given revenue growth, whether coverage terms need updating for new products or markets, whether claims experience has changed the risk profile, and whether the programme needs adjustment for corporate restructuring. Starting early gives the broker time to market the programme properly and negotiate from strength rather than desperation.

Finally, maintain a relationship with the underwriters, not just the broker. Invite lead underwriters to visit your offices, present your technology and security practices, and understand your business. Underwriters who understand the risk they insure are more likely to offer favourable renewal terms and respond constructively when a claim arises.

Frequently Asked Questions

Can an Indian SaaS company rely solely on an IRDAI-admitted policy to satisfy US enterprise customer insurance requirements?

In almost all cases, no. US enterprise procurement and legal teams require insurance certificates issued on ACORD 25 forms referencing US-admitted or surplus lines insurers with AM Best ratings of A- or higher. An IRDAI-admitted policy, even if issued by the Indian subsidiary of a global carrier, does not meet these requirements. The practical solution is to maintain a US-placed Tech E&O and cyber policy alongside the Indian admitted coverage. The US policy satisfies contractual requirements and responds to claims governed by US law, while the Indian policy ensures IRDAI compliance and covers domestic exposures. The cost of maintaining parallel policies is a necessary business expense for any Indian SaaS company with meaningful US enterprise revenue.

How much D&O coverage does an Indian SaaS unicorn need before an IPO on a US stock exchange?

The answer depends on the company's projected market capitalisation and the listing venue. For a US listing on NYSE or NASDAQ with a market cap above USD 1 billion, most specialist advisors recommend D&O limits of USD 75-100 million, structured as a tower with a primary layer and multiple excess layers. Defence costs alone for a US securities class action can reach USD 10-20 million, and average settlements for technology company class actions exceed USD 30 million. The programme should include a POSI (public offering of securities insurance) policy or an IPO exclusion buyback endorsement covering prospectus liability. For an Indian-only listing, D&O limits of INR 50-100 crore are more typical, reflecting the lower frequency and severity of shareholder litigation under Indian law.

What happens if a data breach at an Indian SaaS company triggers notification obligations under both DPDPA and GDPR simultaneously?

A well-structured cyber policy responds to parallel regulatory obligations across jurisdictions. The first-party coverage section should cover breach notification costs under both DPDPA (notification to the Data Protection Board of India) and GDPR (72-hour notification to the relevant EU supervisory authority), including the cost of engaging separate legal counsel in each jurisdiction. The third-party section covers regulatory defence costs and fines in both regimes, subject to insurability limitations. The key policy features to verify are that the coverage territory is worldwide, that the policy does not restrict notification cost coverage to a single jurisdiction, and that a 'most favourable jurisdiction' clause applies when determining whether regulatory fines are insurable.
