The Indian Web3 Sector: High Innovation, Minimal Insurance Penetration
India has the largest population of Web3 developers outside the United States, with over 15,000 active blockchain developers and approximately 1,000 Web3 companies as of 2025. The ecosystem spans decentralised finance (DeFi) protocols, non-fungible token (NFT) marketplaces, blockchain infrastructure providers, Layer 1 and Layer 2 protocol developers, crypto exchanges, digital asset custody services, and enterprise blockchain solutions. The sector has attracted over USD 2 billion in cumulative venture funding, despite the regulatory uncertainty that continues to define the Indian crypto environment.
Yet insurance penetration in Indian Web3 is close to zero. A 2025 industry survey by the Blockchain and Crypto Assets Council (BACC) found that fewer than 5% of Indian Web3 companies carried any form of commercial insurance beyond basic group health and office property cover. The reasons are both supply-side and demand-side. On the supply side, Indian insurers have been reluctant to underwrite Web3 risks due to the regulatory ambiguity, the novelty of the technology, and the absence of actuarial data. On the demand side, many Web3 founders view insurance as unnecessary, either because they believe decentralisation eliminates counterparty risk (a misconception) or because they prioritise spending on engineering and growth over risk transfer.
This insurance gap is becoming untenable as the sector matures. Institutional investors, including venture capital funds and sovereign wealth funds, are demanding that portfolio companies carry adequate insurance. Enterprise customers adopting blockchain solutions require their technology vendors to demonstrate professional indemnity and cyber cover. And the regulatory environment, while still uncertain, is generating enforcement actions that create personal liability for founders and directors.
The tax framework, specifically the 30% flat tax on virtual digital asset (VDA) income under Section 115BBH of the Income Tax Act, 1961, and the 1% TDS under Section 194S, has formalised the government's recognition of crypto activity. This formalisation, combined with SEBI's exploration of a regulatory framework for crypto assets and the RBI's ongoing concerns about financial stability, signals that regulation is coming. When it arrives, compliance obligations will follow, and insurance will shift from optional to essential.
This article maps the insurance needs of Indian Web3 companies, from smart contract liability and custodial risk to D&O cover for crypto founders, and identifies the domestic and international insurance options currently available.
Smart Contract Liability: When Code Is the Product and the Risk
For Web3 companies that develop, deploy, or audit smart contracts, the code itself is the product, and any bug, vulnerability, or unintended behaviour in the code is a potential liability event. Smart contract exploits have resulted in cumulative losses exceeding USD 7 billion globally since 2020. In 2024 alone, over USD 1.8 billion was stolen through smart contract vulnerabilities, bridge exploits, and flash loan attacks.
Indian Web3 companies are increasingly involved in smart contract development for global DeFi protocols, and the liability exposure is significant. If a smart contract developed by an Indian company contains a vulnerability that is exploited, the resulting financial loss to users of the protocol can run into millions or even billions of dollars. The users may bring claims against the development company, alleging professional negligence, breach of warranty, or defective product.
Professional indemnity insurance is the primary cover for smart contract liability. The policy should cover claims arising from errors, omissions, or negligent acts in the design, development, testing, auditing, or deployment of smart contracts. The professional services definition must explicitly include smart contract development and audit, as a standard IT professional indemnity policy may not cover this activity. Some insurers treat smart contract development as financial software development and apply additional exclusions or premium loadings.
A critical issue is the scope of liability. Smart contracts are typically open-source and permissionless, meaning that anyone can interact with them. If a vulnerability is exploited by a user in the United States and the contract was developed by an Indian company, the claim may be brought in a US court under US law. The professional indemnity policy must provide worldwide jurisdictional cover, including the US and Canada (which many policies exclude due to the high litigation costs in those jurisdictions). For Indian Web3 companies with global exposure, insisting on worldwide cover including US/Canada is essential.
Smart contract audit firms face a specific variant of professional liability. If an audit firm provides a clean audit report for a smart contract that is subsequently exploited through a vulnerability that the audit should have detected, the audit firm faces professional negligence claims from the protocol's users, the protocol's treasury, and potentially the protocol's investors. Audit firms should carry professional indemnity limits that bear a reasonable relationship to the value of assets at risk in the contracts they audit. For an audit firm that audits protocols managing USD 100 million in total value locked (TVL), professional indemnity limits of at least USD 5-10 million are advisable.
Premiums for smart contract professional indemnity are significantly higher than for conventional software development, reflecting the higher severity and frequency of claims. Indian companies should expect premiums of 2-5% of the insured limit, compared to 0.5-1.5% for conventional IT professional indemnity. A policy with a USD 5 million limit might cost INR 50 lakh to INR 1.25 crore per annum.
Custodial Risk: Insurance for Exchanges, Wallets, and Digital Asset Storage
Indian crypto exchanges (WazirX, CoinDCX, CoinSwitch Kuber, ZebPay) and digital asset custody providers hold customer funds that are vulnerable to theft, hacking, insider fraud, and technical failure. The WazirX exploit of July 2024, which resulted in the theft of approximately USD 230 million from the exchange's multi-signature wallet, is the most prominent Indian example of custodial risk materialising into a catastrophic loss.
Insurance for custodial risk covers the loss of digital assets held on behalf of customers due to external hacking, internal theft or fraud, technical malfunction (including key management failures), and social engineering attacks (phishing, SIM swapping). This cover is often referred to as crypto custody insurance or digital asset specie insurance.
The market for custodial risk insurance is small and highly specialised globally. As of early 2026, the total global insurance capacity for crypto custody risk is estimated at USD 2-3 billion, provided by a handful of Lloyd's syndicates (Arch, Atrium, Chaucer, Canopius), Bermuda carriers, and a few US specialty insurers. No Indian insurer currently offers a standalone crypto custody insurance product.
Indian exchanges and custody providers must therefore access this cover through international markets via brokers with London and Bermuda placement capability. The placement process is rigorous and typically requires the following: first, a detailed security assessment, including independent penetration testing results, SOC 2 Type II attestation, and documentation of key management procedures (including multi-signature arrangements, cold storage ratios, and hardware security module usage); second, a governance and operational review, including board composition, compliance frameworks, and employee background check procedures; and third, financial information, including audited financial statements, capital adequacy, and proof of reserves.
Coverage limits are typically a fraction of the total assets under custody. An exchange holding USD 500 million in customer assets might be able to obtain cover for USD 50-100 million (10-20% of assets), with the remainder treated as self-insured retention. This partial coverage reflects the limited market capacity and the high-severity, correlated nature of crypto custody losses.
Premiums for crypto custody insurance range from 1% to 5% of the insured limit per annum, depending on the security posture, the type of assets held (stablecoins are generally cheaper to insure than volatile tokens), and the cold-to-hot wallet ratio (higher cold storage percentages reduce premiums). A policy with a USD 50 million limit might cost USD 500,000 to USD 2.5 million per annum.
The WazirX incident has intensified underwriter scrutiny of Indian exchanges. Companies seeking custodial cover must demonstrate security standards that meet or exceed international benchmarks, including the Cryptocurrency Security Standard (CCSS) and SOC 2 Type II.
D&O Insurance for Crypto Founders: Regulatory Investigations, Investor Disputes, and Personal Liability
Directors and officers of Indian Web3 companies face an exceptionally high level of personal liability exposure, driven by the regulatory uncertainty, the volatility of digital assets, and the frequency of investor disputes in the sector.
The regulatory environment for crypto in India is characterised by a patchwork of indirect regulation. The RBI has expressed consistent opposition to private cryptocurrencies, and its 2018 circular banning banks from dealing with crypto entities, though struck down by the Supreme Court in Internet and Mobile Association of India v. Reserve Bank of India (2020), signalled the regulatory disposition. The Finance Act, 2022, introduced the 30% VDA tax and 1% TDS, which, while not banning crypto, imposed compliance obligations that create liability for directors who fail to ensure compliance. SEBI has been exploring a regulatory framework for crypto assets, and any future framework is likely to impose registration, reporting, and conduct requirements on exchanges and intermediaries.
D&O insurance for crypto founders should cover the following exposures. Securities and investor claims: if investors allege that the founders misrepresented the project's technology, tokenomics, or regulatory compliance status, the D&O policy covers defence costs and damages. Regulatory investigations: if the Enforcement Directorate (ED), the Income Tax Department, or any other government agency investigates the company's directors for potential violations, the D&O policy covers the costs of responding to the investigation, engaging legal counsel, and producing documents. Employment claims: as crypto companies scale and sometimes abruptly downsize, wrongful termination, discrimination, and wage claims from employees can target directors personally.
The challenge is obtaining D&O cover in the first place. Many Indian and international D&O insurers have blanket exclusions for companies involved in cryptocurrency, virtual assets, or blockchain-based financial services. These exclusions reflect the insurers' concerns about the regulatory risk, the volatility of the sector, and the potential for fraud. Companies seeking D&O cover must work with specialty brokers who know which insurers will consider Web3 risks and who can present the company's risk profile in the most favourable light.
Insurers that will consider Web3 D&O include certain Lloyd's syndicates, a few Bermuda and US carriers, and in India, select underwriters at ICICI Lombard and HDFC Ergo who have discretion to write non-standard risks on a case-by-case basis. The submission must demonstrate strong corporate governance, including an independent board, documented compliance procedures, regular legal opinions on regulatory matters, and transparent financial reporting.
Premiums for Web3 D&O insurance are substantially higher than for conventional technology companies. A crypto exchange might pay 5-10% of the insured limit per annum, compared to 1-2% for a comparable SaaS company. A policy with a limit of INR 5 crore might cost INR 25 lakh to INR 50 lakh per annum. Despite the cost, D&O cover is non-negotiable for any Web3 company that has raised institutional capital, as investors typically require it as a condition of funding.
Cyber Insurance for Blockchain Companies: Beyond Standard Data Breach Cover
Blockchain companies face cyber risks that are fundamentally different from those of traditional technology companies, and standard cyber insurance products often fail to address these differences.
The primary cyber risk for a blockchain company is not the theft of personal data (though this is also a concern for exchanges that hold KYC information) but the theft of digital assets through smart contract exploits, private key compromise, bridge vulnerabilities, and protocol-level attacks. A standard cyber insurance policy covers data breach response costs, regulatory fines, and third-party liability arising from the loss of personal data. It does not cover the loss of digital assets, which is classified as financial loss from theft of property rather than a cyber liability event.
To cover digital asset theft, blockchain companies need either crypto custody insurance (discussed earlier) or a cyber policy with a digital asset endorsement that explicitly extends cover to the theft of cryptocurrencies and tokens. Such endorsements are available from specialty markets but must be negotiated carefully. The endorsement should define digital assets broadly to include cryptocurrencies, stablecoins, tokens (including governance tokens and utility tokens), and NFTs. It should cover theft through external hacking, social engineering, insider fraud, and smart contract exploitation.
A second cyber risk specific to blockchain companies is protocol manipulation. If an attacker manipulates a DeFi protocol's price oracle, governance mechanism, or liquidity pool to extract value, the resulting loss may not be characterised as theft (the attacker used the protocol as designed, just in an unintended way). Standard cyber and crime policies may not cover this type of loss, as there is no unauthorised access in the traditional sense. Protocol manipulation cover is a nascent product, available from a handful of Lloyd's syndicates, that addresses this gap.
Third, blockchain companies face reputational risk from cyber incidents that is more severe than in other sectors because trust is the core value proposition. If a DeFi protocol is exploited, users may abandon the protocol permanently, and the total value locked can drop to zero within hours. Business interruption cover under a cyber policy can provide some protection for revenue loss, but it may not cover the long-term reputational damage that effectively ends the project.
Indian blockchain companies seeking cyber cover should prioritise the following policy features: digital asset theft cover (not just data breach), worldwide jurisdictional scope, coverage for both external and internal threats, protocol manipulation cover (for DeFi companies), and a broad definition of computer systems that includes smart contracts, decentralised applications, and blockchain nodes. Premiums for blockchain cyber insurance range from 3-8% of the insured limit, reflecting the higher risk profile. A policy with an INR 5 crore limit might cost INR 15 lakh to INR 40 lakh per annum.
The Regulatory Grey Zone: RBI, SEBI, and the Insurance Implications of Uncertain Law
The most distinctive feature of insuring Web3 companies in India is the regulatory uncertainty. Unlike healthtech (regulated by the Medical Council and CDSCO), edtech (supervised by the Education Ministry and UGC), or fintech (regulated by RBI and SEBI), the Web3 sector operates without a dedicated regulatory framework. This uncertainty affects insurance in several ways.
First, insurers are uncertain about the legality of the insured's activities. While the Supreme Court's 2020 decision in the Internet and Mobile Association case established that the RBI cannot prohibit crypto trading through a circular, the underlying legal status of crypto as property, currency, or security remains undetermined. If a future law or court decision classifies crypto trading as illegal, insurance policies covering crypto-related activities could become void for illegality under Section 23 of the Indian Contract Act, 1872. This risk, while considered unlikely given the government's decision to tax rather than ban crypto, is a factor that insurers weigh when pricing Web3 risks.
Second, the scope of regulatory enforcement is unpredictable. The Enforcement Directorate has investigated several Indian crypto exchanges under the Prevention of Money Laundering Act (PMLA), 2002. The ED's actions have resulted in attachment of assets, show-cause notices to directors, and in some cases, arrests. These enforcement actions create D&O claims, but the D&O policy may contain an exclusion for claims arising from criminal proceedings or PMLA investigations. Companies should negotiate to ensure that the D&O policy covers defence costs for PMLA proceedings, even if it cannot cover criminal fines or penalties.
Third, regulatory uncertainty makes it difficult to assess future compliance costs. If SEBI introduces a licensing framework for crypto exchanges, the compliance costs could include licensing fees, capital adequacy requirements, mandatory insurance covers, and ongoing reporting obligations. Companies that have not budgeted for these costs may face financial stress, which in turn affects their insurance profile. D&O and PI policies with broad regulatory investigation covers provide a financial buffer against unexpected compliance costs.
Fourth, the tax framework creates its own insurance implications. The 30% VDA tax applies to income from the transfer of virtual digital assets, with no offset for losses from other VDA transactions. If a company miscalculates its tax liability, whether due to the complexity of DeFi transactions (yield farming, liquidity provision, token swaps) or due to ambiguity in what constitutes a transfer, the resulting tax demand plus interest and penalties can be substantial. Tax liability insurance, while rare, is available from specialty markets and covers the financial impact of an adverse tax determination.
Indian Web3 companies should treat regulatory risk as their primary insurable exposure and structure their insurance programme accordingly. A combination of D&O with broad regulatory investigation cover, professional indemnity with regulatory defence costs, and cyber insurance with digital asset provisions creates a programme that can respond to the most likely loss scenarios in the current regulatory environment.
Available Cover in International Markets and How Indian Companies Can Access It
Because the Indian domestic insurance market offers limited capacity for Web3 risks, Indian companies must access international markets for most of their cover. Understanding the available options and the access mechanism is essential.
Lloyd's of London is the primary market for Web3 insurance globally. Several syndicates have developed crypto-specific products. Arch Insurance (Syndicate 2012) offers crypto custody, D&O, and professional indemnity covers. Atrium (Syndicate 609) and Canopius (Syndicate 4444) offer crime and custody covers. Chaucer (Syndicate 1084) offers bespoke cyber and technology E&O for blockchain companies. Beazley offers a combined technology E&O and cyber product that can be endorsed for blockchain risks.
Bermuda carriers, including Evertas (a specialty crypto insurer) and Relm Insurance (focused on digital assets), offer standalone custody and crime covers. US surplus lines carriers, accessible through brokers licensed in the US market, provide additional capacity.
Indian companies access these markets through one of two mechanisms. First, through an Indian broker with a correspondent or binding authority arrangement with a Lloyd's broker. The Indian broker handles the client relationship and the Indian regulatory requirements, while the Lloyd's broker places the risk in the London market. The policy is typically issued on an admitted basis through an Indian insurer that acts as a fronting carrier, with the actual risk being reinsured to the Lloyd's syndicate. This structure ensures that the policy complies with IRDAI regulations and that claims can be settled in Indian rupees through the fronting insurer.
Second, for companies with international operations (many Indian Web3 companies are incorporated in Singapore, the BVI, or the Cayman Islands with Indian development centres), the policy can be placed directly in the international market without Indian fronting. The policy is issued by the Lloyd's or Bermuda carrier directly to the international entity. This is simpler but does not provide cover for the Indian entity's direct liabilities.
The placement process typically takes 8-16 weeks from initial submission to policy binding, reflecting the detailed underwriting review required for Web3 risks. Companies should begin the process well in advance of any deadline (such as a fundraising closing that requires proof of insurance) and should be prepared to answer extensive underwriting questions about their technology, security, governance, and regulatory compliance.
Costs vary widely based on the company's risk profile. As a rough guide, a mid-size Indian crypto exchange or DeFi protocol developer should budget INR 50 lakh to INR 2 crore per annum for a programme covering D&O, professional indemnity, cyber, and custody (where applicable). This is a significant cost, but it is a fraction of the potential loss from a single major incident.
Building an Insurance Programme for Your Web3 Company: Priority Actions
For Indian Web3 founders who have never engaged with commercial insurance, the complexity of the available options can be overwhelming. The following priority actions provide a structured starting point.
Priority one is D&O insurance. Regardless of the company's specific Web3 activity, if it has raised external capital (from angels, VCs, or token sales), the founders need D&O cover. The personal liability exposure from investor disputes, regulatory investigations, and employment claims is too significant to self-insure. Start with a limit of INR 2 crore to INR 5 crore and increase as the company grows and raises more capital. D&O is also the most readily available cover for Web3 companies, as some Indian insurers will write it on a case-by-case basis even if they decline other Web3 lines.
Priority two is professional indemnity if the company develops software, audits smart contracts, or provides any form of technology consulting. This is the cover that responds when a client alleges that the company's code or advice was deficient. Ensure the professional services definition includes blockchain development, smart contract audit, and protocol design. Request worldwide cover including the US and Canada.
Priority three is cyber insurance with a digital asset endorsement if the company handles cryptocurrencies, tokens, or NFTs in any capacity. Standard cyber cover is insufficient. The digital asset endorsement must cover theft through hacking, social engineering, insider fraud, and smart contract exploitation. For exchanges and custody providers, standalone crypto custody insurance should be explored in parallel.
Priority four is general liability and property insurance for the company's physical premises and operations. While this is less specific to Web3, it is a baseline cover that every business needs. A standard fire and burglary policy for the office premises and a CGL policy for visitor injuries and third-party property damage are straightforward to procure from any Indian insurer.
Priority five is group health and personal accident insurance for employees. The Indian Web3 sector competes for talent with well-funded IT companies and consulting firms, and a competitive benefits package including health insurance, personal accident cover, and potentially ESOPs with D&O protection is essential for hiring and retention.
Throughout this process, the choice of broker is determinative. A broker who understands Web3, has placed similar programmes for Indian blockchain companies, and has access to Lloyd's and specialty international markets will deliver a fundamentally different outcome than a generalist broker who treats the company as a standard IT firm. Ask potential brokers for references from other Web3 clients before engaging.
The Indian Web3 insurance market is at an inflection point. As regulation crystallises and institutional capital flows increase, insurance will become a standard requirement for operating in the sector. Companies that build their insurance programmes now will have a significant advantage over those that wait for a regulatory mandate, both in terms of premium rates (early movers get better terms in a hardening market) and in terms of investor and customer confidence.