
Neobanking and Banking-as-a-Service Startup Insurance India 2026: Cyber, Crime, and Conduct Cover

Indian neobanks and Banking-as-a-Service platforms operate within tightened RBI rules on PA-PG licensing, partner-bank dependency, and KYC liability. The 2026 insurance stack across cyber, crime, conduct, and D&O has been reshaped by the IRDAI Information Security Guidelines, the DPDP Act, and CERT-In reporting obligations.

Sarvada Editorial Team, Insurance Intelligence

Last reviewed: May 2026

Indian Neobanking and BaaS Through 2026

The Indian neobanking and Banking-as-a-Service (BaaS) sector has matured through 2020-2026 from early-stage partnerships into a structurally significant segment of the fintech ecosystem. Combined funded base across Indian neobanks and BaaS platforms crossed USD 3.4 billion across 200+ disclosed deals between 2020 and Q1 2026, with notable names including:

  • Jupiter with partnership-based retail banking services delivered through RBL Bank, Federal Bank, and partner-bank arrangements; over 28 lakh customers as of Q1 2026.
  • Fi Money with partnership-based retail banking through Federal Bank; over 15 lakh customers.
  • Slice with consumer credit and payment services, historically partnering with SBM Bank India and progressively building toward an independent bank charter through its merger with North East Small Finance Bank in 2024.
  • Open Financial Technologies with SME-focused BaaS infrastructure and partner-bank rails.
  • Razorpay with the largest BaaS infrastructure for businesses, including the RazorpayX neobanking suite.
  • Cashfree with payments and banking infrastructure.
  • NiYO with employee-benefits-focused neobanking through DCB Bank partnership.
  • Karbon Card with corporate-credit-focused services.
  • Falcon and Decentro as BaaS infrastructure platforms.
  • Smaller and emerging players across niche verticals including freelancer banking, student banking, healthcare-aligned banking, and gig-worker financial services.

The operational model has evolved through three phases. The 2020-2022 phase featured partner-bank arrangements where the neobank provided a customer-facing experience while the partner bank held deposits, processed transactions, and held the regulatory licences. The 2022-2024 phase saw the RBI's intervention on prepaid payment instruments and partner-bank credit lines that materially reshaped the business model for some players (notably the August 2022 RBI circular on PPI-loaded credit lines that affected Slice, Uni, and similar players). The 2024-2026 phase has featured tighter RBI oversight on KYC, partner-bank governance, and consumer-grievance handling.

The insurance market supporting neobanks has had to track this evolution. Standard cyber and crime wordings filed with IRDAI are oriented to traditional banking and corporate operations; neobank-specific exposures require careful structuring. This post maps the 2026 cover stack with reference to the RBI's Payment Aggregator and Payment Gateway (PA-PG) framework, the DPDP Act 2023, the IRDAI Information Security Guidelines 2023, the CERT-In Directions of April 2022, and emerging market practice.

RBI PA-PG Framework and the Partner-Bank Dependency

The Reserve Bank of India's regulatory framework for non-bank payment and banking services has tightened materially through 2020-2026, with specific implications for neobanks and BaaS platforms.

Payment Aggregator and Payment Gateway licensing

The RBI's Guidelines on Regulation of Payment Aggregators and Payment Gateways issued in March 2020 and amended through 2021-2025 created a licensing framework for entities aggregating payments from merchants and consumers. Key provisions:

  • Authorisation required for payment aggregators handling payment flows.
  • Net-worth requirement of INR 25 crore within stipulated timelines.
  • Restrictions on storage of payment data, including tokenisation requirements.
  • Customer-protection obligations including grievance redress, refund timelines, and transparent fee disclosure.
  • Reporting obligations to RBI including transaction-level reporting and incident reporting.

Through 2022-2026 the RBI has issued multiple operational directives including the 2024 PA-PG cross-border framework for international payment flows and the 2025 framework updates for offline PA operations.

Prepaid Payment Instrument (PPI) framework

The RBI's Master Direction on Prepaid Payment Instruments governs entities issuing prepaid instruments including wallets and prepaid cards. The framework's interaction with neobanking has been complex:

  • The August 2022 RBI circular prohibiting loading of credit lines onto PPIs materially reshaped business models that combined PPI-based wallets with embedded credit.
  • The 2024 PPI master direction update clarified KYC and interoperability requirements.

Partner-bank governance

For neobanks operating through partner banks (RBL/Jupiter, Federal Bank/Fi Money, SBM India/Slice historically, DCB/NiYO), the RBI has tightened expectations on partner-bank governance through 2023-2025:

  • Outsourcing guidelines requiring partner banks to apply governance, risk-management, and customer-protection standards to neobank partners.
  • Service-provider rules including incident-reporting, complaint-handling, and operational-resilience requirements.
  • Customer-grievance accountability with the partner bank retaining ultimate accountability for customer interactions.

The neobank's regulatory position

Neobanks are typically not banks under Indian law. They do not hold a banking licence under the Banking Regulation Act 1949. Their regulatory position depends on the specific services provided:

  • Where they provide payment services, they may be authorised as payment aggregators under the PA-PG framework.
  • Where they provide PPI services, they may hold PPI authorisations.
  • Where they provide banking services through partner banks, they operate under business correspondent or technology-service-provider arrangements.
  • Where they provide credit services, they operate under partner NBFC arrangements or hold NBFC licences directly.

The specific authorisations affect cover requirements. Authorised entities have direct regulatory obligations including incident reporting, audit, and net-worth maintenance; technology-service providers operate under contractual obligations to partner banks.

KYC failure liability

Know Your Customer obligations are a recurring source of regulatory enforcement. The framework includes:

  • RBI Master Direction on KYC specifying verification standards.
  • PMLA 2002 and rules on customer identification and beneficial-ownership disclosure.
  • CKYC framework for central KYC repository integration.
  • Aadhaar-based eKYC with specific requirements and limitations.

KYC failures (deficient verification, fraudulent customer onboarding, money-laundering through inadequately verified accounts) can produce:

  • Regulatory penalties on the partner bank, with cost-allocation to the neobank under partnership agreements.
  • Direct penalties on the neobank where the neobank is the authorised entity.
  • Civil claims by affected parties (where the inadequately verified customer commits fraud against third parties).
  • Reputational impact affecting customer retention and growth.

Insurance response to KYC failure exposure includes regulatory defence cover under cyber/crime or specific regulatory cover, defence-cost cover under D&O, and indemnity for civil claims subject to wording specifics.

Cyber Liability for Neobanking Platforms

Cyber risk is the single largest exposure category for neobanks. The cover stack must address multiple attack vectors, regulatory obligations, and operational dependencies.

Attack vector exposures

Neobanks face cyber attacks across several vectors:

  • Account takeover (ATO): attackers gaining access to customer accounts through credential theft, phishing, SIM swap, or social engineering.
  • API and platform compromise: attacks on the neobank's APIs (including partner-bank-facing APIs and customer-facing APIs).
  • Insider threat: employee or contractor misuse of access.
  • Third-party compromise: attacks through vendors, technology suppliers, or partner systems.
  • Mobile app exploitation: attacks on the neobank's mobile applications including reverse engineering, runtime manipulation, and malware-based attacks.
  • Payment-rail compromise: attacks on UPI, IMPS, NEFT, and RTGS interfaces and on card payment processing.
  • Ransomware: encryption of operational systems, exfiltration of customer data with extortion demands.

Documented incidents in 2024-2025 include several high-profile ATO and API-compromise events at Indian fintech platforms with affected customer counts in the millions and direct financial losses in the INR 50 crore to INR 250 crore range per major incident, plus regulatory penalties, customer compensation, and reputational damage.

IRDAI Information Security Guidelines 2023

The IRDAI Information Security Guidelines 2023 apply to IRDAI-regulated entities; their relevance to neobanks is indirect. However, the guidelines have influenced security expectations across the broader financial-services ecosystem and are referenced in some cyber-insurance underwriting and policy wording.

CERT-In Directions April 2022

The CERT-In Cyber Security Directions issued in April 2022 require:

  • Incident reporting within 6 hours of noticing specified cyber incidents.
  • Maintenance of logs for 180 days within Indian jurisdiction.
  • KYC requirements on cloud service providers and VPN providers for specified customers.
  • Synchronisation with NTP servers at specified Indian NTP sources.

Neobanks subject to CERT-In Directions must maintain incident-response capability to meet the 6-hour reporting requirement. Cyber insurance covers the cost of CERT-In reporting compliance including legal advisory, forensics, and notification preparation.

DPDP Act 2023

Neobanks are clear-cut data fiduciaries under the DPDP Act 2023, processing significant personal data including financial information, identity documents, transaction history, and behavioural data. Obligations include:

  • Lawful basis for processing with consent or specified exceptions.
  • Data principal rights including access, correction, and erasure.
  • Breach notification to the Data Protection Board of India and affected data principals.
  • Significant Data Fiduciary classification for larger neobanks crossing thresholds.
  • DPO appointment and impact-assessment obligations for significant data fiduciaries.
  • Penalty exposure up to INR 250 crore per breach for specified violations.

Cyber cover scope and pricing

Cyber liability cover for neobanks typically includes:

  • First-party cyber: incident response, forensics, ransomware response, breach notification, system restoration, business interruption.
  • Third-party cyber liability: claims by customers, partners, and regulators.
  • Regulatory defence and penalty where insurable.
  • Payment-card-industry (PCI) exposures for card-handling neobanks.
  • Cyber crime / social engineering for specific fraud scenarios.

Sum insured benchmarks:

  • Early-stage neobanks (under 1 lakh customers): INR 25 crore to INR 100 crore at premium of INR 15 lakh to INR 75 lakh annually.
  • Mid-size neobanks (1-10 lakh customers): INR 100 crore to INR 500 crore at premium of INR 75 lakh to INR 4 crore annually.
  • Large neobanks (10+ lakh customers): INR 500 crore to INR 2,000 crore at premium of INR 4 crore to INR 18 crore annually.

Crime Cover and Transaction Fraud Reimbursement

Beyond cyber liability, neobanks face crime exposure that requires distinct cover.

Crime cover scope

A standard Crime / Financial Lines Crime cover for neobanks includes:

  • Computer fraud and funds transfer fraud: theft of money or securities through fraudulent computer entries or fraudulent funds-transfer instructions.
  • Social engineering fraud: vendor-payment fraud, executive-impersonation fraud, customer-impersonation fraud where a fraudster induces an employee to transfer funds.
  • Forged or counterfeit instruments: cheque fraud, document fraud.
  • Employee dishonesty: theft, embezzlement, or fraud by employees.
  • In-transit cash: cash in transit between locations (limited relevance for digital-only neobanks).
  • Customer-claim cover: in some wordings, fraud claims by customers where the bank is liable.

Transaction fraud reimbursement

A distinctive exposure category for neobanks is customer-transaction fraud where the bank reimburses customers for fraud committed against their accounts. Several scenarios:

  • ATO fraud: customer's account is compromised and funds are transferred fraudulently.
  • UPI fraud: customer is tricked into authorising a fraudulent transaction.
  • Card fraud: customer's card is used fraudulently.
  • App-based fraud: customer is misled through manipulated mobile app interfaces.

The RBI's framework on customer liability for unauthorised electronic transactions (Circular DBR.No.Leg.BC.78/09.07.005/2017-18 of July 2017 and subsequent updates) establishes a zero-liability framework for customers in specified circumstances. The framework typically requires the bank to reimburse the customer for unauthorised transactions reported within specified timelines, with the bank then pursuing recovery from the fraudster.

The reimbursement obligation creates direct financial exposure to the bank. For neobanks operating through partner banks, the cost is typically allocated between the neobank and partner bank under partnership agreements. The allocation creates specific insurable interest for the neobank.

Crime cover with transaction-fraud-reimbursement extension responds to this exposure subject to wording specifics. Typical sub-limits for transaction-fraud reimbursement run INR 5 crore to INR 50 crore per occurrence with aggregate limits at INR 25 crore to INR 250 crore.

Pricing for crime cover

Crime cover for neobanks runs at:

  • Small neobanks: sum insured INR 10-50 crore at premium INR 8 lakh to INR 35 lakh annually.
  • Mid-size neobanks: sum insured INR 50-250 crore at premium INR 35 lakh to INR 2 crore annually.
  • Large neobanks: sum insured INR 250-1,000 crore at premium INR 2 crore to INR 8 crore annually.

Wording issues to negotiate

Neobanks should specifically negotiate:

  • Social-engineering sub-limit sized to typical fraud amounts (recent incidents show INR 5-25 crore per event).
  • Customer-claim cover scope explicitly including transaction-fraud reimbursement.
  • Insider threat scope covering both employees and contractors.
  • Discovery period of at least 90 days post-policy-expiry for fraud discovered after the policy period.
  • Exclusions for actions known prior to policy inception narrowed to actual knowledge of named individuals.

Specie cover

For neobanks handling physical custody of customer cards, secure-storage facilities for documents, or similar physical assets, specie insurance provides specific cover. The cover is priced separately, depending on the asset profile.

D&O for Neobanking Founders and Boards

D&O cover for neobanking founders and boards has become a critical line item given the regulatory exposure, customer-protection obligations, and investor-relations dynamics in the sector.

Specific exposure areas for neobanking D&O

Neobanking D&O cover responds to claims against directors and officers arising from:

  • Regulatory action: RBI, SEBI, IRDAI, CERT-In, Data Protection Board, and other regulators may take action against entities and senior officers for compliance failures.
  • Customer claims: class-action-style or aggregated customer claims for systemic issues including service failures, data breaches, and fraud reimbursement disputes.
  • Investor claims: shareholder claims for misrepresentation in funding rounds, capital-raising disclosures, or financial reporting.
  • Employee claims: employment-related claims including wrongful termination, discrimination, and harassment.
  • Investigation and inquiry: regulatory and law-enforcement inquiries with associated defence costs.

Disclosure-related exposure

Neobanks have been the subject of significant disclosure-related scrutiny including:

  • Customer-count disclosures: claims that customer-count metrics were inflated.
  • Transaction-volume disclosures: claims about active vs total customer ratios.
  • Regulatory status disclosures: claims that licensing or partner-bank status was misrepresented.
  • Financial performance disclosures: claims about revenue, unit economics, or profitability.
  • AI and automation disclosures: claims about the role of automation, AI, and human review in customer-service and decision-making.

A 2024 incident at an Indian fintech (not a neobank but adjacent) produced significant D&O exposure when investor claims arose alleging misrepresentation about transaction volumes and unit economics. Defence costs alone ran to several crore rupees.

Sum insured and pricing benchmarks

  • Seed and Series A neobanks: D&O at INR 10-25 crore at premium of INR 5 lakh to INR 18 lakh annually.
  • Series B and Series C neobanks: D&O at INR 50-150 crore at premium of INR 25 lakh to INR 1.5 crore annually.
  • Mature neobanks (Series D and beyond, or with banking licence): D&O at INR 150-500 crore at premium of INR 1.5 crore to INR 8 crore annually.

Specific D&O wording issues

Neobanking founders should specifically negotiate:

  • Regulatory investigation cover explicitly covering RBI, SEBI, CERT-In, and Data Protection Board inquiries.
  • Insured-vs-insured exclusion narrowed so that it does not capture bona fide internal disputes.
  • Side-A cover (for non-indemnifiable claims) at adequate limit.
  • Independent legal counsel rights for senior officers.
  • Severability ensuring fraud by one insured does not void cover for others.
  • Run-off cover for departing officers with adequate post-employment duration.

Conduct Risk, Mis-Selling, and Treating Customers Fairly

Conduct risk is an emerging cover category for Indian neobanks. While not yet a standalone insurance product in the Indian market, conduct-related exposures are addressed through combinations of D&O, professional indemnity, and specific extensions.

What conduct risk covers

Conduct exposures include:

  • Mis-selling: customers being sold products unsuitable for their needs or financial situation.
  • Misleading communications: marketing, advertising, or in-app communications that mislead customers about product features, pricing, or risks.
  • Inadequate disclosure: failure to disclose material information including fees, charges, terms, or restrictions.
  • Unfair contract terms: contract provisions that operate against consumer interest beyond what is reasonable.
  • Discriminatory practices: pricing, access, or service decisions based on protected characteristics.
  • Vulnerable-customer treatment: failure to recognise or appropriately serve vulnerable customers.

Indian regulatory framework

The Indian framework includes:

  • RBI Consumer Protection Framework including the BCSBI Code of Bank's Commitment to Customers (where applicable to partner banks) and the RBI's grievance-redress framework.
  • Consumer Protection Act 2019 providing class-action standing and expanded remedies for consumer claims.
  • Banking Ombudsman Scheme providing alternative dispute resolution.
  • RBI integrated ombudsman scheme of 2021 for unified handling of customer complaints.
  • CCI provisions on unfair trade practices.

Insurance response

Conduct-related exposures are addressed through:

  • D&O cover for claims against directors and officers for conduct failures.
  • Professional indemnity for claims against the entity for professional errors and omissions.
  • Specific extensions in some wordings addressing customer-claim aggregation, regulatory inquiry response, and specific conduct scenarios.

Indian insurers have not yet filed standalone conduct-risk products comparable to UK-market conduct cover. Operators with material conduct exposure structure cover through D&O and PI wordings with specific extensions where available.

Customer-grievance and complaint volume

A practical metric for conduct risk is customer-grievance volume. The RBI's integrated ombudsman scheme publishes statistics on complaints against banks and partner-bank arrangements. Neobanks should track:

  • Complaints received per 10,000 customers as a benchmark against industry.
  • Resolution-time metrics.
  • Escalation rates to ombudsman and regulator.
  • Complaint-category distribution identifying systemic issues.

Elevated complaint metrics correlate with regulatory attention and increased likelihood of enforcement action. Insurers underwriting D&O and cyber cover are increasingly requiring complaint metrics at underwriting submission.

Group Health, WC, and Workforce Cover for Neobanks

Workforce cover for neobanks combines standard employer-benefit programmes with specific provisions for the technology-and-finance workforce mix.

Direct employees

Neobank direct employees span engineering, product, design, business, customer service, finance, legal, and operations roles. Coverage includes:

  • Employees' Compensation Act 1923: WC premium typically 0.3 to 0.7 percent of wage bill annually for office-classification staff.
  • ESI for employees under threshold.
  • Group Personal Accident at sum insured INR 5-25 lakh per employee at premium INR 350-1,200 per employee annually.
  • Group Health at competitive employer-benefit levels, typically INR 5-10 lakh per employee sum insured at premium INR 12,000-25,000 per employee annually.
  • Top-up Health for employees beyond base limit.
  • Term Life and Critical Illness as employer-benefit (increasingly standard for tech-finance roles).

Customer-service operations

For neobanks operating large customer-service centres or remote-service teams, the workforce cover should address:

  • Specific high-stress occupational considerations.
  • Mental wellness programmes (increasingly standard).
  • Extended hours and shift-work-related coverage.

Senior management cover

Senior executives at neobanks typically receive enhanced cover including:

  • Higher group health sum insured (INR 25 lakh to INR 1 crore).
  • Executive PA cover (INR 50 lakh to INR 5 crore).
  • International medical evacuation.
  • D&O personal coverage (different from corporate D&O).

Employers' Liability

Employers' Liability covers common-law claims by employees that exceed the WC schedule. Sum insured of INR 5-50 crore at premium INR 3-30 lakh annually is typical for neobanks.

Spend benchmark

For a mid-size neobank with 500 direct employees, annual workforce-related insurance spend runs INR 75 lakh to INR 3 crore depending on benefit-package competitiveness and specific covers.

Programme Construction and 2027 Outlook

A practical insurance programme for an Indian neobank or BaaS platform integrates cyber, crime, D&O, conduct, and workforce cover into a coordinated structure.

Programme construction by stage

Early-stage neobank (Seed to Series A, under 1 lakh customers):

  • Cyber Liability at INR 25-100 crore: INR 15 lakh to INR 75 lakh annually.
  • Crime at INR 10-50 crore: INR 8 lakh to INR 35 lakh annually.
  • D&O at INR 10-25 crore: INR 5 lakh to INR 18 lakh annually.
  • Professional Indemnity at INR 25-100 crore: INR 15 lakh to INR 60 lakh annually.
  • WC, Group PA, Group Health for the team: INR 8 lakh to INR 40 lakh annually.
  • Specialty covers: INR 3 lakh to INR 12 lakh annually.
  • Total: INR 55 lakh to INR 2.4 crore annually.

Mid-size neobank (Series B to Series C, 1-10 lakh customers):

  • Cyber Liability at INR 100-500 crore: INR 75 lakh to INR 4 crore annually.
  • Crime at INR 50-250 crore: INR 35 lakh to INR 2 crore annually.
  • D&O at INR 50-150 crore: INR 25 lakh to INR 1.5 crore annually.
  • Professional Indemnity at INR 100-300 crore: INR 60 lakh to INR 3 crore annually.
  • WC, Group PA, Group Health: INR 40 lakh to INR 2 crore annually.
  • Specialty covers including conduct and regulatory: INR 12 lakh to INR 50 lakh annually.
  • Property and BI: INR 8 lakh to INR 30 lakh annually.
  • Total: INR 2.6 crore to INR 13 crore annually.

Large neobank (Series D and beyond, 10+ lakh customers, or with banking licence):

  • Cyber Liability at INR 500-2,000 crore: INR 4 crore to INR 18 crore annually.
  • Crime at INR 250-1,000 crore: INR 2 crore to INR 8 crore annually.
  • D&O at INR 150-500 crore: INR 1.5 crore to INR 8 crore annually.
  • Professional Indemnity at INR 300-1,000 crore: INR 3 crore to INR 12 crore annually.
  • WC, Group PA, Group Health: INR 2 crore to INR 8 crore annually.
  • Specialty covers: INR 50 lakh to INR 3 crore annually.
  • Property, BI, and supporting covers: INR 30 lakh to INR 1.5 crore annually.
  • Total: INR 13 crore to INR 60 crore annually.

Capacity availability

Indian domestic cyber capacity has tightened through 2024-2026 with insurers reassessing fintech exposure. Limits above INR 250-500 crore typically require international placement. D&O capacity for material limits also draws on international markets. Indian brokers with international network access are the practical placement route for material programmes.

Outlook through 2027

Three trends will shape neobanking insurance through 2027:

First, regulatory tightening. The RBI is expected to continue refining the PA-PG framework, partner-bank governance, and customer-protection rules. CERT-In and DPDP Act implementation rules will continue to evolve. Operators should monitor regulatory developments and align insurance cover with new requirements.

Second, loss-data accumulation. The cyber and crime claims experience from 2022-2026 has been substantial, with major incidents producing claim amounts in the INR 50-500 crore range. Insurers are using this data to refine pricing and underwriting discipline. Operators with above-average claims experience face premium increases; operators with documented controls and below-average experience benefit from discipline-based discounts.

Third, product evolution. Indian insurers are expected to file neobank-specific cyber and crime products through 2026-2027 with cleaner wording specific to the partner-bank-dependency and BaaS model. Operators should review new product filings against bespoke programme alternatives.

To see how Sarvada's broker workflow supports neobanks and BaaS platforms across cyber, crime, D&O, conduct, professional indemnity, and workforce layers with international-market access and regulatory alignment, Request Access to our platform.

Frequently Asked Questions

Are neobanks classified as banks under Indian law for insurance purposes?
Typically no. Indian neobanks do not hold a banking licence under the Banking Regulation Act 1949. Their regulatory position depends on the specific services: payment services may be authorised as payment aggregators under the RBI PA-PG framework, PPI services under PPI master direction, banking services through business correspondent or technology-service-provider arrangements with partner banks, and credit services through partner NBFC arrangements or direct NBFC licences. The specific authorisations affect cover requirements including regulatory defence cover, KYC failure liability, and partner-bank-relationship cover. Some players (like Slice through its merger with North East Small Finance Bank) are progressing toward independent bank charters, which materially changes the regulatory and insurance profile.

How does the RBI's zero-liability framework for unauthorised electronic transactions affect insurance?
The RBI's framework (Circular DBR.No.Leg.BC.78/09.07.005/2017-18 of July 2017 and subsequent updates) establishes zero customer liability for unauthorised electronic transactions in specified circumstances, requiring banks to reimburse customers for fraud within prescribed timelines. For neobanks operating through partner banks, the reimbursement cost is typically allocated between neobank and partner bank under partnership agreements, creating specific insurable interest for the neobank. Crime cover with transaction-fraud-reimbursement extension responds to this exposure with typical sub-limits of INR 5-50 crore per occurrence and aggregate at INR 25-250 crore depending on scale. Wording should specifically include customer-claim cover and ATO-related fraud scenarios.

What are the CERT-In incident-reporting obligations for neobanks?
The CERT-In Cyber Security Directions issued April 2022 require reporting of specified cyber incidents within 6 hours of noticing. Specified incidents include unauthorised access attempts, ransomware, data breaches, and several other categories. Neobanks must maintain incident-response capability to meet the 6-hour timeline. The directions also require logs maintained for 180 days within Indian jurisdiction, KYC on cloud and VPN service providers for specified customers, and NTP synchronisation with specified Indian sources. Cyber insurance covers the cost of CERT-In reporting compliance including legal advisory, forensics, and notification preparation; the cover should be explicitly negotiated to capture CERT-In reporting cost.

How does the DPDP Act 2023 affect neobanking insurance?
Neobanks are clear-cut data fiduciaries under the DPDP Act 2023 processing significant personal data including financial information, identity documents, and transaction history. Obligations include lawful basis for processing, data principal rights administration (access, correction, erasure), breach notification to the Data Protection Board and data principals, possible Significant Data Fiduciary classification with enhanced obligations (DPO appointment, impact assessments), and penalty exposure up to INR 250 crore per breach. Cyber/privacy insurance should address DPDP Act regulatory penalty cover where insurable, data subject rights administration cost, breach response cost, and defence cost for regulatory inquiries. Wording should specifically include DPDP Act compliance support.

What is the typical insurance spend for a Series C Indian neobank?
A Series C neobank (1-10 lakh customers, USD 30-100M raised cumulatively) typically spends INR 2.6 crore to INR 13 crore annually on insurance, covering cyber liability, crime, D&O, professional indemnity, workforce protection, specialty covers including conduct and regulatory, and property/BI. The largest line item is cyber liability at INR 75 lakh to INR 4 crore. Capacity above INR 250-500 crore typically requires international-market participation through Lloyd's, Munich Re, and Swiss Re specialty units, placed through Indian brokers with international network access (Marsh, Aon, WTW, Gallagher, and India-focused specialists). Quarterly review against current operating metrics produces better outcomes than annual renewals.
