Why Cyber Aggregation Is Different from Other Insurance Lines
In every other commercial insurance line, the geographic separation of risks is a natural diversification mechanism. A catastrophic flood in Odisha does not simultaneously destroy factories in Gujarat. A fire at a pharmaceutical facility in Hyderabad does not ignite a plant in Pune. Physical separation is the underwriter's primary tool for managing correlation between risks in a portfolio.
Cyber risk has no geographic constraint. A single vulnerability in a widely deployed software library, a single ransomware strain propagating through shared IT infrastructure, or a single outage at a cloud provider's availability zone can simultaneously affect hundreds or thousands of policyholders across every state in India, every industry sector, and every revenue band. This is cyber aggregation: the phenomenon where multiple policyholders experience losses from the same underlying event at the same time, transforming what appears to be a book of independent risks into a set of perfectly correlated exposures.
The economic consequence of this correlation is not merely theoretical. The WannaCry ransomware attack of May 2017 affected an estimated 200,000 systems across 150 countries in a single weekend. The NotPetya attack of June 2017 generated estimated global losses of USD 10 billion. A comparable event striking India's interconnected IT and industrial infrastructure today, where cloud adoption has grown dramatically since 2017, would generate correlated losses far exceeding the total cyber insurance capacity currently deployed in the Indian market.
For underwriters, the challenge is that the standard actuarial tools do not directly apply to cyber aggregation. Property catastrophe models rely on geographic footprints and physical vulnerability functions. Life catastrophe models rely on mortality tables and epidemic spread parameters. Cyber aggregation requires a different framework: one that models the connectivity between systems, the prevalence of shared software components, the concentration of hosting infrastructure, and the propagation characteristics of different attack types. Indian insurers currently lack the data and the models to do this with precision, which is why cyber aggregation has become the primary source of underwriting uncertainty in the Indian market.
The AIIMS Ransomware Attack: An Indian Aggregation Case Study
The ransomware attack on All India Institute of Medical Sciences (AIIMS) Delhi in November 2022 is the most instructive Indian case study for cyber aggregation risk, even though it involved a single large institution rather than multiple policyholders.
The attack disabled AIIMS Delhi's hospital information system, impacting patient data, appointment scheduling, lab result processing, and medical records for approximately 1.3 crore patients. For nearly two weeks, the hospital reverted to manual processes for patient registration, billing, and clinical records. The attack was attributed to a Chinese threat actor group and used a combination of ransomware and data exfiltration techniques that exploited unpatched vulnerabilities in the hospital's network infrastructure.
From an aggregation perspective, the AIIMS attack demonstrated several mechanisms that make healthcare the most immediately threatening sector for Indian cyber aggregation. First, Indian public healthcare institutions, including AIIMS's 25 campuses across the country and hundreds of affiliated hospitals and medical colleges, frequently share IT infrastructure, procurement contracts, and software systems from common vendors. A vulnerability that affects AIIMS Delhi may exist in the same software version deployed at AIIMS Bhopal, AIIMS Rishikesh, and their affiliated institutions. Second, hospital information system vendors serving the Indian public healthcare sector are concentrated among a small number of domestic and international providers; a vendor-level compromise affects all their hospital clients simultaneously. Third, the AIIMS attack illustrated the business interruption consequence for healthcare: even without a direct financial loss, the operational disruption measured in delayed surgeries, diverted emergency patients, and manual processing costs was severe.
For insurers with cyber policies across multiple healthcare clients in India, a coordinated attack on shared infrastructure could generate simultaneous business interruption claims from dozens of insured hospitals. At an average business interruption loss of INR 2 to 5 crore per institution for a major disruption, a single event affecting 50 healthcare institutions represents an INR 100 to 250 crore aggregated loss for the insurance market, concentrated in a single event and a single loss period.
The AIIMS incident also highlighted the data breach component. Under India's Digital Personal Data Protection Act, 2023 (DPDPA), health data is classified as sensitive personal data. A breach affecting 1.3 crore patient records would, if the DPDPA's penalty provisions are fully operational, potentially expose the data fiduciary to penalties of up to INR 250 crore per breach. The aggregation of regulatory penalty exposure across multiple simultaneously breached healthcare institutions would represent a new and largely unmodelled liability category for Indian cyber underwriters.
Cloud Provider Concentration Risk in India
India's cloud infrastructure is concentrated among three global hyperscalers: Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP). Each operates multiple availability zones within India, with AWS operating the Mumbai region (ap-south-1) since 2016 and the Hyderabad region (ap-south-2) since 2022. Azure operates India Central (Pune), India West (Mumbai), and India South (Chennai) regions. GCP operates the Mumbai region (asia-south1).
The concentration of Indian enterprise cloud workloads in these few geographic availability zones creates a specific cyber aggregation scenario: a prolonged outage in the AWS Mumbai region or the Azure India West region would simultaneously affect hundreds of Indian cloud-native companies, SaaS platforms, fintech applications, and enterprise systems. AWS itself acknowledges this risk through its shared responsibility model, but the commercial consequence of a major cloud provider outage for insurance purposes has received relatively little attention from Indian underwriters.
The scale of the exposure is measurable. As of early 2026, over 60% of Indian enterprise cloud spending is concentrated in AWS and Azure. Indian fintech unicorns, listed banks, insurance platforms, and e-commerce companies that run critical production workloads on these platforms would face material business interruption losses from an extended outage. At an average business interruption exposure of INR 5 to 20 crore per day for a large fintech or e-commerce platform, a 48-hour outage at AWS Mumbai could generate INR 10 to 40 crore in business interruption loss per major insured, and hundreds of smaller losses from SMEs using cloud services.
The underwriting complication is that most cloud outages are not caused by cyber attacks: they arise from configuration errors, software bugs, hardware failures, or power issues at data centre level. Standard cyber policies typically cover outage losses caused by a malicious attack but exclude losses caused by cloud provider system failures without an underlying security event. The distinction can be unclear when an outage results from a combination of a security incident and a system failure, as has occurred in several AWS partial outages globally.
For Indian cyber underwriters managing portfolio aggregation, the key metric is the total insured cloud business interruption exposure concentrated in each cloud provider and each availability zone. If 40 insured companies run critical production workloads in AWS Mumbai, and each has a daily BI exposure of INR 5 crore, the aggregate AWS Mumbai concentration is INR 200 crore per day. An underwriter with this concentration should either price for it explicitly, sub-limit cloud BI coverage, or purchase catastrophe reinsurance structured around cloud provider outage scenarios.
Infosys, TCS, and Supply Chain Correlation Drivers
India's IT services giants, Infosys and Tata Consultancy Services (TCS), each provide IT infrastructure management, application development, and business process outsourcing to hundreds of large corporations globally, including Indian banks, insurers, manufacturers, and government agencies. This creates a specific cyber aggregation pathway: a security compromise at Infosys or TCS could simultaneously expose the data, systems, and operations of hundreds of their enterprise clients.
This scenario is not hypothetical. In November 2023, Infosys BPO (operating as Infosys McCamish Systems in the US) suffered a ransomware attack that disrupted services to Bank of America, Fidelity Investments, and several other financial services clients. The attack was contained to Infosys's US BPO operations, but it illustrated the dependency pathway: a security failure at an IT services provider directly affects the service continuity and data security of all their clients within the affected system scope.
For Indian cyber underwriters, the TCS and Infosys supply chain correlation manifests in two ways. First, technology vendor risk: an Indian bank or insurer that outsources its core banking system administration or insurance policy administration to an IT services firm is dependent on that firm's security posture. A ransomware attack that encrypts the IT services firm's managed service environment simultaneously encrypts the bank's or insurer's system. Second, shared personnel risk: IT services firms frequently deploy the same team members or the same configuration playbooks across multiple client engagements, meaning that a compromised credential or a misconfigured system deployed by an IT services engineer could create identical vulnerabilities across all client environments where that engineer has worked.
The underwriting implication is that an insurer must understand not only its direct policyholder's cyber security posture but also the security posture of the IT services providers who manage the policyholder's critical systems. IRDAI's Guidelines on Information and Cyber Security for Insurers (2023) require insurance companies to conduct third-party vendor cyber security assessments, and the same discipline applies to underwriting cyber risks in IT-services-dependent industries. An underwriter writing cyber coverage for five Indian banks that all use the same IT services provider for core banking infrastructure is writing correlated risk across those five policies, regardless of what the individual bank risk profiles suggest.
The RBI's IT outsourcing guidelines for banks and the IRDAI's cybersecurity circular for insurers both require regulated entities to ensure that their IT service providers meet specified security standards, but compliance verification is inconsistent. Underwriters can negotiate a warranty in the cyber policy requiring the insured to disclose all material IT outsourcing arrangements to third parties who have access to core systems, and to confirm that those providers have been assessed against ISO 27001 or equivalent standards.
How Indian Insurers Are Modelling and Capping Aggregate Cyber Exposure
Indian non-life insurers writing cyber policies are at an early stage of aggregate management, lagging behind the Lloyd's market by approximately five to seven years in terms of modelling sophistication. The approaches currently being applied in India range from simple exposure management rules to more structured accumulation monitoring.
The simplest approach is a per-insurer sector cap: the underwriter sets a maximum aggregate limit of cyber coverage in force for any single sector, for example INR 500 crore total limit across all IT services clients or INR 300 crore across all healthcare clients. When the sector cap is reached, no new cyber policies in that sector are written until existing policies expire. This approach is administratively simple but economically crude: it does not account for the correlation within a sector, which varies by specific technology dependencies, or the correlation across sectors caused by shared infrastructure.
A more sophisticated approach uses scenario-based accumulation monitoring. The underwriter defines a set of aggregation scenarios, such as an AWS Mumbai outage, a major Indian IT services provider compromise, or a critical banking sector malware outbreak, and estimates the maximum loss to the insured portfolio under each scenario. The portfolio is monitored against these scenario limits, and new policies are accepted only if they do not cause any scenario limit to be exceeded. This approach requires the underwriter to maintain a detailed portfolio database mapping each insured to its cloud providers, IT service providers, and critical software dependencies. Few Indian insurers have the portfolio data infrastructure to support this approach currently.
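The scenario-based acceptance check described above, together with the per-dependency daily concentration metric from the cloud section, can be sketched as follows; this is an added example, not code from any insurer or from the original article. The portfolio, dependency tags, scenario limits and the loss rule (daily BI times outage days, capped at the policy BI limit) are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Insured:
    name: str
    daily_bi_crore: float    # daily business interruption exposure, INR crore
    bi_limit_crore: float    # policy BI limit, INR crore
    dependencies: frozenset  # cloud regions, IT service providers, key software

@dataclass(frozen=True)
class Scenario:
    name: str
    dependency: str          # shared dependency whose failure defines the scenario
    outage_days: float
    limit_crore: float       # maximum portfolio loss tolerated for this scenario

def daily_concentration(portfolio, dependency):
    """Aggregate daily BI exposure sitting on one shared dependency."""
    return sum(i.daily_bi_crore for i in portfolio if dependency in i.dependencies)

def scenario_loss(portfolio, scenario):
    """Assumed loss rule: daily BI x outage days, capped at each policy's BI limit."""
    return sum(min(i.daily_bi_crore * scenario.outage_days, i.bi_limit_crore)
               for i in portfolio if scenario.dependency in i.dependencies)

def breached_scenarios(portfolio, scenarios, candidate=None):
    """Names of scenarios whose limit is exceeded, optionally including a new risk."""
    book = list(portfolio) + ([candidate] if candidate is not None else [])
    return [s.name for s in scenarios if scenario_loss(book, s) > s.limit_crore]

def accept(portfolio, scenarios, candidate):
    """Accept a new policy only if no scenario limit would be exceeded."""
    return not breached_scenarios(portfolio, scenarios, candidate)

# --- Constructed sample data (hypothetical tags and limits) ---
AWS_MUMBAI = "aws:ap-south-1"
PROVIDER_A = "itsp:provider-a"   # hypothetical IT services provider

# 40 insureds at INR 5 crore/day in AWS Mumbai; the first 5 also use provider A.
PORTFOLIO = [
    Insured(f"insured-{n:02d}", 5.0, 10.0,
            frozenset({AWS_MUMBAI, PROVIDER_A} if n < 5 else {AWS_MUMBAI}))
    for n in range(40)
]
CLOUD_OUTAGE = Scenario("AWS Mumbai 48-hour outage", AWS_MUMBAI, 2, 420.0)
PROVIDER_HIT = Scenario("IT services provider compromise", PROVIDER_A, 5, 55.0)
SCENARIOS = [CLOUD_OUTAGE, PROVIDER_HIT]

FINTECH = Insured("fintech", 20.0, 40.0, frozenset({AWS_MUMBAI}))
HOSPITAL = Insured("hospital", 2.0, 5.0, frozenset({"azure:india-central"}))
SMALL_BANK = Insured("small-bank", 5.0, 10.0, frozenset({AWS_MUMBAI, PROVIDER_A}))

if __name__ == "__main__":
    print("AWS Mumbai daily concentration:", daily_concentration(PORTFOLIO, AWS_MUMBAI))
    for s in SCENARIOS:
        print(s.name, "loss:", scenario_loss(PORTFOLIO, s), "limit:", s.limit_crore)
    for c in (FINTECH, HOSPITAL, SMALL_BANK):
        print(c.name, "accepted" if accept(PORTFOLIO, SCENARIOS, c)
              else f"declined: {breached_scenarios(PORTFOLIO, SCENARIOS, c)}")
```

The small bank fits within the cloud outage limit but is declined on the IT services provider scenario, which a single sector cap would not detect.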
IRDAI's revised cyber insurance guidelines, issued in 2023, require insurers offering cyber covers to maintain an exposure management framework and to report aggregate cyber exposure in their annual returns. However, the guidelines do not specify a quantitative accumulation limit or a modelling methodology, leaving the risk management framework to the insurer's discretion. Given IRDAI's current focus on solvency and capital adequacy under the risk-based capital (RBC) framework being developed, it is likely that specific cyber aggregation capital requirements will be introduced in the next two to three years.
Reinsurance treaty cyber exclusions are adding pressure on the domestic market to manage aggregation more actively. Since 2022, Lloyd's has required all syndicates to exclude cyber war losses from policies and to sub-limit non-war cyber aggregation exposure under all classes of property and liability business. This means that domestic Indian insurers relying on proportional or excess of loss property reinsurance treaties for their cyber exposure may find that their treaty reinsurance does not respond to a large cyber aggregation event. Those insurers must either purchase standalone cyber catastrophe reinsurance or retain the aggregation risk entirely.
Lloyd's Cyber War Exclusions and Their Indian Applicability
Lloyd's of London's Bulletin LM 21/015 of 2021, followed by mandatory market exclusion clauses effective from January 2023, requires all Lloyd's syndicates to exclude state-sponsored or state-attributed cyber war losses from all insurance policies across all classes of business. This requirement flows down into Indian insurance and reinsurance placements supported by Lloyd's capacity, which includes a significant proportion of India's large corporate and specialty line placements.
The four prescribed Lloyd's cyber war exclusion clauses (LMA 5566, LMA 5567, LMA 5568, and LMA 5569) take different approaches to defining excluded cyber war losses. LMA 5566 applies to policies where cyber is the primary coverage (standalone cyber policies), and excludes losses arising from cyber operations authorised by a nation-state against another state's critical infrastructure. LMA 5567 and LMA 5568 apply to property and liability policies respectively, and exclude cyber losses that, absent the digital cause, would constitute a war loss under the policy's existing war exclusion. LMA 5569 covers all other cases with a broader war exclusion.
For India specifically, the applicability of these exclusions is complicated by the geopolitical context. India's border conflicts with Pakistan and China, both nuclear-armed states with documented state-sponsored cyber capabilities, mean that Indian critical infrastructure sits within the plausible target set for state-sponsored cyber operations. The AIIMS attack has been attributed by Indian intelligence to a Chinese state-sponsored group. If a major cyber attack on Indian infrastructure is attributed to a state actor, the Lloyd's cyber war exclusions could potentially be triggered on policies supported by Lloyd's reinsurance capacity, including both standalone cyber policies written by Indian insurers with Lloyd's reinsurance support and Lloyd's-backed property policies that include cyber extensions.
The attribution problem is central to the applicability of the war exclusion. Attribution of a cyber attack to a state actor requires public declaration by a national government agency, which is a political decision as much as a technical one. Indian government agencies, including CERT-In (Indian Computer Emergency Response Team) and the National Cyber Security Coordinator's office, have attributed specific attacks to state actors in some cases but not in others, and the attribution is sometimes made months or years after the incident. This delayed attribution creates a period of uncertainty during which the insurer and reinsurer may dispute coverage applicability.
For Indian risk managers buying cyber policies from insurers who rely on Lloyd's capacity, the practical implication is to scrutinise the war exclusion wording in the policy and specifically ask the broker whether state-sponsored cyber attack losses are excluded and, if so, under which attribution standard. Some underwriters offer state-sponsored exclusion carve-backs for non-critical infrastructure clients (companies that are not essential services, financial institutions, or critical national infrastructure), recognising that the risk of attribution to a state actor is lower for, say, a consumer goods manufacturer than for a bank or a power utility.
Reinsurance Treaty Cyber Exclusions and the Silent Cyber Problem
The silent cyber problem refers to the exposure that insurers carry on property, liability, and other non-cyber policies without explicitly underwriting it or pricing for it. When a fire or motor policy covers a loss that has a cyber trigger, including a fire caused by a cyberattack on an industrial control system, or property damage from a hacked crane control system, the insurer may be paying a cyber loss without having collected a cyber premium. This unpriced, unacknowledged cyber exposure is what the market calls silent cyber.
Indian property reinsurance treaties have historically contained silent cyber exposure because the treaty terms did not explicitly include or exclude cyber losses. Property damage caused by a cyberattack might fall under a standard fire policy's property damage trigger, with the reinsurance treaty responding on the same basis. As international reinsurers have moved, between 2020 and 2022, to require affirmative cyber exclusions in property treaties, Indian ceding companies have been forced to address this exposure explicitly. GIC Re, which accepts obligatory cessions from all Indian non-life insurers and provides most of their reinsurance treaty capacity, has progressively tightened its cyber exclusion requirements in treaty terms from the 2023 renewal onwards.
The practical effect for Indian insurers is that property losses with a cyber trigger, or losses that are ambiguous between cyber and physical cause, may now fall outside treaty reinsurance coverage. An Indian manufacturer whose industrial control system was hacked, causing a boiler to overheat and explode, may file a claim under its machinery breakdown and fire policy. The insurer may accept the claim as a physical property loss. But when the insurer files for reinsurance recovery, the treaty may decline on the basis that the loss had a cyber origination that falls within the treaty's cyber exclusion.
For Indian corporate risk managers, the silent cyber issue means that property policies should be reviewed specifically for affirmative cyber inclusion or exclusion. A property policy that is silent on cyber offers ambiguous cover: the insurer may argue in litigation that cyber losses are excluded under the policy's general exclusions for electronic or computer-generated losses, while the policyholder argues that property damage is property damage regardless of its cause. Indian courts have not yet developed a substantial body of case law on silent cyber disputes, meaning the outcome of such a case would be unpredictable.
The resolution for both insurers and policyholders is to make the cyber position explicit. For insurers, this means either issuing affirmative cyber endorsements to property policies (confirming coverage for cyber-triggered physical losses, for a separately rated premium) or issuing affirmative exclusion endorsements (removing ambiguity by explicitly excluding cyber-triggered losses from the property policy, and directing the insured to a standalone cyber policy for this coverage). For corporate risk managers, purchasing a coordinated programme that includes both a property policy with an affirmative cyber position and a standalone cyber policy with clear non-overlap wording is the only way to eliminate the silent cyber gap.