Insurance Coverage Needs for Early-Stage InsurTech Startups in India

InsurTech startups in India occupy an unusual position: they sell insurance products while also needing their own insurance programme to protect against the liabilities that come with handling policyholder data, operating as licensed intermediaries, and building technology that automates financial decisions.

Sarvada Editorial Team, Insurance Intelligence

Last reviewed: April 2026

The Unusual Risk Position of an InsurTech Startup

An InsurTech startup occupies a position that very few other types of company share. On one side, it is a technology company building software products that carry the professional liability and cyber risks familiar to any SaaS vendor. On the other side, it is a regulated financial services entity — a licensed broker, corporate agent, web aggregator, or participant in the IRDAI Innovation Sandbox — that handles sensitive policyholder data, manages premium flows, and makes or influences decisions about insurance cover that have real financial consequences for individuals and businesses.

This duality means an InsurTech's own insurance programme must be built from a different baseline than a standard SaaS company's. A company like Acko (a licensed general insurer since 2017) carries the full regulatory capital and solvency obligations of an insurer, plus the technology and professional liability exposure of a digital-first product company. A company like PolicyBazaar (an IRDAI-licensed insurance web aggregator) carries intermediary professional liability, data protection risk across tens of millions of records, and D&O exposure from operating as a listed entity under SEBI oversight. A company like Turtlemint (a broker and distribution platform for advisors) adds the fidelity and premium float risk that comes with holding client money in transit. Each of these risk profiles requires a meaningfully different insurance programme.

The failure mode that InsurTech-specific programmes must address is not just the typical startup failure mode of product-market fit not working. It includes regulatory enforcement action, policyholder mis-sell complaints filed with IRDAI's Grievance Cell, automated pricing errors that cause systematic undercharging across a book of business, data breaches affecting financial and health data subject to the Digital Personal Data Protection Act 2023, and board-level decisions about product strategy that are later scrutinised as irresponsible by investors or regulators. Each of these triggers a different coverage type.

IRDAI Licensing and the Sandbox: How Regulatory Status Shapes Coverage Needs

An InsurTech's regulatory status under IRDAI directly determines which professional liabilities it carries. IRDAI recognises several categories of insurance intermediary under the Insurance Regulatory and Development Authority of India (Insurance Intermediaries) Regulations, 2016 (and subsequent amendments): insurance brokers (direct, reinsurance, composite), corporate agents, insurance marketing firms, insurance repositories, and web aggregators.

Each licence category creates a specific duty of care to policyholders. A direct insurance broker owes a duty to advise clients on appropriate coverage and to place business with financially sound insurers. If the broker recommends a product that does not meet the client's needs, and the client suffers a loss that the product does not cover, the broker faces a professional liability claim. For an InsurTech broker like Turtlemint or Riskcovry, this duty of care is discharged partly through technology (recommendation engines, coverage comparison tools), and partly through human advisors. Both the technology and the human layer create E&O exposure.

A web aggregator has a narrower duty — primarily to provide accurate comparative information rather than personalised advice — but still faces professional liability risk if the comparison engine presents incorrect or misleading data that causes a buyer to purchase an unsuitable product. PolicyBazaar's regulatory history includes several IRDAI directions on disclosure practices, illustrating that even aggregators face conduct risk that translates into professional liability exposure.

The IRDAI Innovation Sandbox, established under IRDAI Circular IRDA/RI/CIR/MISC/185/07/2019 and updated in 2024, offers a structured relaxation of product approval requirements for InsurTech startups. Sandbox participants can test products for up to six months without full regulatory approval, subject to participant caps (usually 10,000 customers or a defined premium threshold), enhanced reporting obligations, and the requirement to wind down or fully comply at the end of the sandbox period. The sandbox does not eliminate professional liability exposure — participants still owe duties of care to sandbox policyholders — but it does reduce the regulatory enforcement risk during the test period. InsurTechs in the sandbox should ensure their PI coverage explicitly extends to sandbox activities.

Professional Indemnity for InsurTech Brokers and Aggregators

Professional Indemnity insurance is a regulatory requirement, not merely a prudent choice, for IRDAI-licensed insurance brokers. Regulation 26 of the IRDAI (Insurance Brokers) Regulations, 2018 requires brokers to maintain PI coverage with a minimum limit of INR 50 lakh for direct brokers and higher limits for composite brokers, calibrated to their annual income. The regulatory minimum is a floor, not a recommendation; it is set at a level that would cover a small claims volume but not a systemic error event.

For an InsurTech broker, the relevant risk scenarios are more complex than for a traditional broker. An InsurTech's recommendation engine might systematically mis-categorise policyholders and recommend motor policies with incorrect coverage for two-wheelers used commercially, exposing the startup to claims from thousands of affected customers simultaneously. A claims processing platform might misroute claim documents, causing delays that breach IRDAI's Circular on Time Limits for Claim Settlement (IRDA/NL/CIR/MISC/173/09/2012) and resulting in complaints and regulatory penalties. A distribution API that connects to third-party distribution partners might pass incorrect premium calculations, creating rectification costs and client dispute exposure.

These scenarios call for PI limits substantially above the regulatory minimum. A well-structured PI programme for a mid-size InsurTech broker with INR 100 crore in annual gross written premium handled across its platform should carry limits in the range of INR 5–15 crore, depending on the average claim size in the lines it distributes and the concentration of its business in any single product or insurer. The programme should include a clear definition of 'professional services' that captures the technology platform's functions, not just the advisory acts of human brokers.

For InsurTechs participating in the IRDAI Bima Sugam digital insurance marketplace (the government-backed platform for direct insurance distribution launched in phases from 2024), participation agreements include specific liability provisions. Distribution platforms connecting to Bima Sugam must carry minimum PI limits as specified in the platform's participation guidelines, and the standard participation agreement includes representations about professional liability insurance that are reported to IRDAI. InsurTechs joining Bima Sugam should review the participation agreement liability provisions with their broker before committing to the platform.

Cyber Liability: Why InsurTech Data Risk Is Higher Than Standard SaaS

InsurTech companies handle data categories that attract materially higher cyber liability exposure than general SaaS companies. A standard B2B SaaS company might hold client contact data and usage logs. An InsurTech holds: policyholder PAN and Aadhaar-linked identity data, health declarations and medical reports (for health and life distribution), vehicle and property information, financial account details for premium collection, and claims history including descriptions of losses. This combination creates a multi-dimensional breach exposure.

Under the Digital Personal Data Protection Act 2023, InsurTechs operating as data fiduciaries are obligated to implement 'reasonable security safeguards' to protect personal data, notify the Data Protection Board of India and affected data principals of significant breaches, and respond to data principal rights requests (access, correction, erasure). Penalties for breach of these obligations can reach INR 250 crore for serious violations. Health data is expected to be classified as 'sensitive personal data' under the implementing rules, attracting heightened obligations.

For InsurTechs that also handle health insurance distribution — a category that includes companies like Onsurity (group health for startups) and several others — the exposure is compounded by the sensitivity of health information and by the fact that policyholders' claims data is typically shared between the InsurTech, the insurer, and third-party administrators (TPAs). A breach at any point in this chain can create liability that traces back to the distribution platform.

Cyber liability insurance for an InsurTech should cover: first-party incident response costs (forensic investigation, legal counsel, notification to regulators and data principals, credit monitoring for affected individuals), business interruption during a platform outage caused by a cyber event, cyber extortion (ransomware response costs), regulatory defence costs in proceedings before IRDAI or the Data Protection Board, and third-party liability to policyholders and insurer partners affected by a breach. Premium benchmarks for a mid-size InsurTech processing INR 500 crore in annualised premium through its platform, holding data on 5 lakh or more policyholders: INR 30–80 lakh annually depending on security maturity, breach history, and the health data concentration in the portfolio.

Directors and Officers Liability for InsurTech Boards

InsurTech boards face regulatory investigation risk that is meaningfully higher than that of general technology startups. IRDAI's enforcement powers include the ability to cancel licences, levy financial penalties, require remediation actions, and in serious cases refer matters to other agencies. Board members of an InsurTech that is found to have mis-sold products, violated IRDAI conduct circulars, or failed to maintain required solvency margins (in the case of licensed insurers like Acko or Go Digit) can face personal scrutiny in regulatory proceedings.

The D&O policy (Directors and Officers Liability) covers the personal legal defence costs and damages arising from claims made against individual directors and officers in their capacity as such. For an InsurTech, the primary D&O scenarios include: IRDAI regulatory investigation of a mis-sell allegation, investor derivative claims arising from undisclosed regulatory risk in a fundraising disclosure, securities fraud allegations in the case of listed InsurTechs (PolicyBazaar's listed parent PB Fintech Limited carries this exposure on BSE and NSE), employment practice claims from founders or senior employees in restructuring events, and claims from insurer partners for allegedly reckless distribution decisions.

Go Digit General Insurance Limited's IPO experience in 2024, which involved regulatory scrutiny of its shareholding structure in the period before listing, illustrates the kind of board-level regulatory interface that creates D&O exposure even for InsurTechs with clean product records. D&O cover for InsurTech boards should include: a broad definition of 'wrongful act' that captures regulatory investigations even without a formal finding of liability, Side A coverage (for directors who are not indemnified by the company because the company itself is under investigation or is insolvent), and run-off coverage provisions in the event of a change of control.

Premium benchmarks for D&O for a funded InsurTech at Series A (pre-revenue or early revenue, funded by institutional VCs, unlisted): INR 8–20 lakh annually for INR 10–25 crore limits. At Series B and beyond, with regulatory licences in place and insurer partnerships creating partner indemnity exposure: INR 25–60 lakh for INR 25–50 crore limits. Listed InsurTechs are a separate pricing tier entirely, aligned with SEBI-listed company D&O benchmarks.

Fidelity Guarantee: Protecting Against Premium Float Risk

InsurTech companies that collect premiums on behalf of insurers — which includes most licensed brokers and corporate agents operating on a digital platform — hold premium float: cash collected from policyholders that has not yet been remitted to the insurer. The IRDAI (Insurance Brokers) Regulations, 2018 require that broker premiums collected be maintained in a separate account and remitted to insurers within 24 hours of collection (for direct brokers). In practice, settlement cycles vary, and during the float period the InsurTech is holding insurer money.

Fidelity guarantee insurance covers losses arising from the dishonest or fraudulent acts of an employee. For an InsurTech with access to premium float accounts, this means protection against an employee (or a group of employees) diverting float funds, manipulating accounting records, or defrauding the insurer by misreporting premium receipts. The exposure is more acute than in a typical tech startup because the amounts involved are proportional to premium volumes — an InsurTech processing INR 200 crore in annual premium can have INR 5–15 crore in float at any point in its settlement cycle.

Beyond premium float, InsurTechs also face fidelity exposure in claims operations. An InsurTech that manages claims on behalf of an insurer partner holds claims settlement funds. An employee authorised to initiate claim payments has the ability to divert payments to controlled accounts. Fidelity coverage for claims operations is a separate coverage need from premium float fidelity, and the aggregate limit should be sized to reflect the maximum single settlement authority held by any employee.

A well-structured fidelity guarantee policy for a mid-size InsurTech should carry limits in the range of INR 2–10 crore per occurrence, with the specific limit determined by peak float balances and claims settlement authority levels. Premium for this cover is typically INR 1.5–5 lakh annually depending on the limit and the insurer's assessment of internal controls. IRDAI's Principal of Protection of Policyholders' Interests Regulations create a regulatory expectation that intermediaries maintain adequate controls over client money, and fidelity insurance is one component of demonstrating that adequate protection is in place.

Algorithmic Errors, Automated Pricing, and Rectification Costs

InsurTechs that use automated pricing algorithms to generate insurance quotes face a risk that has no direct equivalent in traditional intermediary operations: a systemic error in the algorithm can affect thousands or hundreds of thousands of quotes simultaneously before anyone notices.

Acko, operating as a direct insurer, uses machine learning pricing models for its motor and health products. Go Digit has built proprietary pricing tools for commercial lines. Aggregators and distribution platforms use algorithm-driven comparison and recommendation engines. When an error enters any of these systems — a miscoded rating factor, an incorrect data feed from a third party, a model that was trained on a biased sample — the consequences scale with the volume of quotes issued before the error is caught.

The insurance response to algorithmic errors depends on the nature of the error and whether the InsurTech is the insurer or an intermediary. If the InsurTech is the insurer (Acko, Go Digit), an undercharging error means the insurer has written business at inadequate premium. Rectification may involve voiding and re-quoting policies (if within the free-look period) or absorbing the undercharge as a loss for the policy term. Neither outcome is covered by conventional insurance; this is an underwriting risk that the insurer itself bears. InsurTechs operating as insurers should treat pricing algorithm integrity as a core operational risk with reserves, not as an insurable loss.

If the InsurTech is an intermediary and the pricing error caused the insurer partner to receive incorrect premium data, the InsurTech faces professional liability to the insurer for the undercharge. This is a Tech E&O / PI scenario: the technology service failed in a way that caused financial harm to the insurer client. A PI policy covering technology services should respond, subject to the exclusions discussed in the context of SaaS coverage. Rectification costs — the internal IT costs, consultant fees, and communication costs involved in identifying and correcting a pricing error — may be partially covered under certain PI extensions but are often excluded as a business cost.

Series A and Beyond: What Investors Require and How to Structure the Programme

InsurTech investors at Series A and beyond have specific insurance expectations that go beyond the regulatory minimums. A US-based VC leading a Series A in an Indian InsurTech will typically include insurance covenants in the SHA and term sheet that reflect the VC's own LP reporting obligations and portfolio risk management standards.

Typical investor-driven insurance requirements at Series A for an Indian InsurTech include:

  • Professional liability (PI / Tech E&O): USD 1–3 million in limits, to be maintained and evidenced at each board meeting or annually
  • D&O: USD 2–5 million in limits, covering all board-designated officers and directors including investor-nominated directors
  • Cyber liability: USD 1–2 million in limits if the company holds policyholder data
  • Key person life and disability: coverage on the two or three founders identified as key persons in the term sheet
  • Employers' liability: statutory compliance as a condition of investment

At Series B and beyond, investors — particularly those with secondary market exposure through structured notes or co-investors in the US or EU — begin to require alignment with international insurance standards. This is when a layered programme, potentially combining IRDAI-filed policies with Lloyd's excess layers, becomes relevant for Indian InsurTechs with cross-border ambitions or international client relationships.

The sequencing of insurance programme build-out for an InsurTech typically follows this pattern:

  1. At IRDAI licence application stage: PI at regulatory minimum, fidelity guarantee
  2. At first significant data volume: add cyber liability
  3. At first institutional funding round (Series A): add D&O, increase PI and cyber limits to meet investor covenants
  4. At Series B: structure layered programme, add employment practices liability, review ERP provisions
  5. At pre-IPO: full listed company D&O programme, securities representations and warranties coverage, comprehensive public company risk management review

The total annual premium for a well-structured Series A-stage Indian InsurTech programme — covering PI, D&O, cyber, and fidelity — typically falls in the range of INR 35–90 lakh depending on the specific risk profile. Companies with higher AUM health data, insurer partnerships carrying mutual indemnities, or founders with prior regulatory history will sit toward the upper end.

Frequently Asked Questions

Does an InsurTech in the IRDAI Innovation Sandbox need its own insurance programme?

Yes. The IRDAI sandbox provides relaxation on product approval requirements, not on liability to sandbox participants. InsurTechs in the sandbox owe duties of care to the customers they test products with, and professional liability exposure exists regardless of the sandbox framework. PI coverage should explicitly extend to sandbox activities, which some standard policies do not do without an endorsement.

How much PI coverage does an IRDAI-licensed insurance broker legally need to carry?

The IRDAI (Insurance Brokers) Regulations 2018 set a minimum of INR 50 lakh for direct brokers, with higher limits for composite brokers tied to annual income. This is a regulatory minimum. A broker running a digital distribution platform with significant premium volumes and a large policyholder base should carry multiples of the minimum — INR 5–15 crore or more — to reflect the aggregate exposure from systemic errors in recommendation or placement technology.

Does D&O insurance cover a director of an InsurTech if IRDAI investigates the company?

Yes, if the policy includes regulatory investigation coverage in the definition of 'claim' or as a specific extension. Most modern D&O policies include regulatory defence cost coverage even where IRDAI has not made a formal finding of wrongdoing against the individual director. Side A coverage is particularly important for InsurTech directors because an adverse IRDAI action against the company itself (licence suspension, heavy penalty) can impair the company's ability to indemnify directors from its own resources.

What is premium float and why does it create fidelity exposure for InsurTechs?

Premium float is the cash an InsurTech collects from policyholders before remitting it to the insurer. IRDAI requires brokers to remit within 24 hours, but in practice, platform settlement cycles and batch processing mean float exists. An employee with access to the premium float account or payment systems can divert funds before remittance. Fidelity guarantee insurance covers this dishonesty risk, with limits sized to the peak float balance rather than average amounts.

Does cyber insurance cover a data breach at an InsurTech that holds health policy data?

A standard cyber policy will cover notification costs, forensic investigation, regulatory defence, and third-party liability to affected policyholders, subject to the policy's exclusions and sublimits. The key exclusion to watch for is inadequate security: if the insurer can show that the InsurTech knew its systems were insecure before the breach, the claim may be partially or fully declined. InsurTechs should maintain documented security certifications and evidence of regular penetration testing to pre-empt this exclusion.
