
Cyber Insurance Underwriting Challenges in India

Indian cyber insurance demand is outpacing the underwriting infrastructure. Capacity tightness, data gaps, silent cyber, and DPDP-driven liability are forcing rapid changes to how risks are written.

Tarun Kumar Singh, Strategic Risk & Compliance Specialist (AIII · CRICP · CIAFP)

Last reviewed: April 2026

A Market Growing Faster Than Its Underwriting Base

Indian cyber insurance gross written premium crossed INR 1,300 crore in 2025, growing at a compounded 38% over the past four years, but capacity has not expanded at the same pace. Most Indian general insurers keep only modest cyber retentions on their books and cede the rest to global reinsurers, whose appetite for Indian cyber risk is sensitive to global loss experience and to India-specific concerns around data quality.

The demand surge has multiple drivers. The Digital Personal Data Protection Act, 2023, with penalties up to INR 250 crore, has pushed cyber from an IT concern to a board concern. The IRDAI Cyber Insurance Handbook, 2023 standardised product structure and made the line easier for brokers to explain. CERT-In's 2022 Directions on incident reporting, including the 6-hour notification window, gave Indian businesses a tangible obligation that an insurance product can support. Each of these is good for demand and difficult for underwriters who lack the long historical loss data needed to price India risk with confidence.

The Data Quality Problem

Cyber underwriting depends on three data sources: the insured's self-assessment, third-party risk-scoring vendors, and historical claims data. All three are weak in the Indian context.

Self-assessment questionnaires from Indian businesses are often filled in by the broker rather than the IT team, and answers are aspirational rather than evidential. The questionnaire asks whether MFA is enabled across the estate; the answer is usually "yes" without distinguishing privileged accounts, VPN users, contractors, and legacy systems. Third-party risk-scoring vendors (BitSight, SecurityScorecard, RiskRecon) provide external attack-surface views, but their visibility into Indian SME networks is patchy. Historical claims data is the biggest gap. Indian cyber claims volumes are still too low to produce statistically meaningful frequency and severity tables, particularly for sectors outside IT/ITES and BFSI.

Underwriters are responding by leaning on global benchmarks, India-specific overlays, and tighter pre-bind verification. Expect to see more requests for vulnerability scans, EDR coverage attestations, and backup-immutability evidence before quotes are firmed up.

Ransomware Severity and Sub-Limits

Ransomware remains the dominant loss driver in the Indian cyber book. Indian ransomware events typically involve smaller initial demands than US comparables but longer business-interruption tails, partly because Indian victims more often refuse to pay and rebuild from backups, and partly because backup hygiene in mid-market India is weaker.

Underwriters have responded with three structural shifts:

  • Sub-limits on ransom payments that cap insurer participation, often at 25 to 50% of the cyber policy limit
  • Sub-limits on business interruption with longer waiting periods, often 12 to 24 hours instead of the historical 8
  • Co-insurance clauses on extortion costs requiring the insured to share 10 to 20% of the loss

Underwriters are also tightening on operational technology (OT) cyber, particularly for manufacturing, power, and ports. OT cyber exposure has been historically under-priced because losses were rare; the Mumbai grid outage of 2020, attributed by some analysts to cyber intrusion, sharpened underwriter attention to interdependent OT-IT risk.

Silent Cyber and Accumulation Risk

Silent cyber, where coverage for cyber-triggered loss may be implicit in non-cyber policies like property, marine, or liability, was a major global concern after NotPetya in 2017 and led to mandatory affirmative or exclusionary wordings in many markets. India has lagged. Many Indian property and engineering policies do not yet clearly affirm or exclude cyber peril, leaving insurers exposed to ambiguous claims and insureds exposed to gap risk.

Underwriters and reinsurers are now pushing affirmative cyber clauses or CL380-style cyber exclusions into non-cyber policies, often at renewal. Brokers and policyholders should expect:

  • explicit cyber exclusions in fire, engineering, and marine policies, with possible carve-backs for limited resulting damage
  • affirmative cyber endorsements only available with additional premium
  • aggregation clauses in cyber policies that combine multiple insureds affected by a common event

The accumulation challenge is significant. A cloud-provider outage or a supply-chain compromise (think the SolarWinds 2020 event or MOVEit 2023) could trigger correlated claims across the entire Indian portfolio. Reinsurers are pricing this systemic risk explicitly and pushing primary insurers to model their accumulation exposure quarterly.

DPDP Act Liability and Coverage Carve-Outs

The Digital Personal Data Protection Act, 2023, once the Data Protection Board is operational, will reshape Indian cyber liability. Three underwriting questions are now standard:

  • Does the policy cover regulatory fines and penalties, and are they enforceable as insurance? Indian public-policy doctrine, following Vellama Achari v. Krishnaswami (1973), has held that penalties imposed for breach of law are not insurable as a matter of policy. Many cyber policies cover defence costs and investigation costs but exclude the penalty itself.
  • Does the policy cover statutory consent breaches even where no breach of confidentiality occurred? DPDP Act violations may be triggered by purpose-limitation or consent failures, not just data theft.
  • Does the policy cover third-party data controllers for whom the insured acts as a data processor? Indian BPOs and IT services firms processing offshore client data face concentrated DPDP risk; clarity on whether the policy covers this fiduciary capacity is essential.

Underwriters are differentiating coverage by sector. Healthcare, financial services, and IT/ITES firms increasingly face mandatory vendor risk assessment requirements before binding, where the underwriter reviews the insured's contracts with its top data customers.

Vendor and Supply-Chain Risk

Cyber loss in India is increasingly transmitted through vendors, not direct attack. The MOVEit Transfer breach (2023) and the Snowflake-related compromises (2024) demonstrated that even firms with strong internal cyber hygiene can be exposed through a SaaS provider. Indian underwriters are now asking, for any non-trivial cyber risk, about:

  • the top 10 IT vendors by data sensitivity, with the nature of data shared
  • whether those vendors carry their own cyber cover and at what limits
  • contractual indemnity provisions and whether subrogation is preserved
  • the insured's incident-response readiness when the cause sits in a vendor estate

For large insureds, underwriters may require a third-party risk management programme as a condition of binding. SMEs that cannot demonstrate vendor governance are seeing pricing premia of 30 to 60% over comparable better-controlled risks.

Where Indian Cyber Underwriting Goes Next

Three shifts will define the next 18 to 24 months in Indian cyber underwriting.

First, the IRDAI is expected to issue a more prescriptive cyber regulation building on the 2023 Handbook, likely covering minimum policy disclosures, fair-claims standards, and sub-limit transparency. Brokers should prepare insureds for clearer product comparability and possibly mandatory affirmative/exclusionary cyber wordings on non-cyber policies.

Second, parametric cyber products are emerging from the reinsurance side, paying out on objective triggers (downtime hours of a named cloud provider, public CVE disclosure) rather than indemnity. These products bypass the data-quality problem by paying on event, not loss, and could fill the SME gap that traditional underwriting struggles to serve profitably.

Third, the Bima Sugam platform, once cyber-enabled, may drive standardised product variants that simplify SME purchase but compress broker margins. Brokers serving SMEs should plan for a thinner-margin, higher-volume cyber book and invest in advisory services around incident response and DPDP compliance that the platform cannot easily commoditise.

About the Author

Tarun Kumar Singh

Strategic Risk & Compliance Specialist

  • AIII
  • CRICP
  • CIAFP
  • Board Advisor, Finexure Consulting
  • Developer of the Behavioural Underinsurance Risk Index (BURI)

Tarun Kumar Singh is a seasoned risk management and insurance professional based in Bengaluru. He serves as Board Advisor at Finexure Consulting, where he advises insurance, fintech, and regulated firms on governance, growth, and trust. His work spans insurance broker regulatory frameworks across India, UAE, and ASEAN, IRDAI compliance and Corporate Agency model reform, VC governance in insurtech, and MSME insurance gap analysis. He is the developer of the Behavioural Underinsurance Risk Index (BURI), a framework applying behavioural economics to underinsurance and insurance fraud risk.

Frequently Asked Questions

Why is Indian cyber capacity tight despite growing demand?

Indian insurers retain modest cyber positions and cede the bulk of risk to global reinsurers, who price India alongside global cyber experience. Global ransomware severity and supply-chain accumulation events have tightened reinsurer appetite worldwide. Add India-specific concerns about data quality on insured-cybersecurity attestations, limited historical claims data, and unsettled legal positions on ransom payment, and the result is conservative line sizes despite rising local premium. Capacity is expected to ease as Indian loss data matures and parametric products fill the SME gap.

Are regulatory fines under the DPDP Act insurable in India?

Generally no, in line with the established Indian public-policy position that penalties for breach of law are not insurable. Most cyber policies in the Indian market exclude the penalty itself but do cover defence costs, investigation costs, and the costs of regulatory response. A policyholder reading a cyber wording should look for the regulatory-coverage extension and check whether it is limited to defence or extends to indemnification, the latter being rare. The Data Protection Board's enforcement approach, once operational, will determine how much this matters in practice.

What is silent cyber and why is it being eliminated?

Silent cyber refers to cyber-triggered loss that is neither expressly covered nor expressly excluded in non-cyber policies such as property, marine, and engineering. The NotPetya event in 2017 produced large ambiguous claims against non-cyber policies globally, and regulators and reinsurers have pushed for affirmative or exclusionary wordings since. India has been slower to align. Most Indian general insurers are now adding explicit cyber exclusions to non-cyber policies at renewal, with carve-backs for limited resulting physical damage available for additional premium.

How should an Indian SME approach cyber insurance purchase?

Start with a frank internal assessment of cyber hygiene before approaching the market. Document MFA coverage, EDR deployment, backup immutability, vendor data flows, and incident-response readiness. Have the broker validate the questionnaire with IT rather than ticking yes by default; aspirational answers do not survive a post-loss investigation. Compare quotes on coverage, not just premium, paying attention to ransom sub-limits, business-interruption waiting periods, co-insurance, and vendor-related exclusions. Where data quality is genuinely thin, parametric cyber may be a cleaner option than indemnity for first-purchase SMEs.
