Cyber Insurance in India 2026: Coverage, Cost & How to Qualify

Manish Garg Associate of (ISC)² · RingSafe
Jun 17, 2026
Cyber insurance is now a board-level risk transfer tool in India, but it is no longer easy money for insurers. Carriers underwrite you like an auditor: without MFA, EDR, tested backups and an incident response plan, you either pay a steep premium, get refused, or have your claim denied after a breach. The fastest path to affordable, claimable coverage is a verifiably strong security posture.

India logged more than 2.2 million cybersecurity incidents between 2021 and mid-2025 — roughly 3,000 a day — and the country now ranks among the top five ransomware-victim geographies in the world. Worse, surveys suggest around 73% of organisations cannot say with confidence whether they have ever been breached. Against that backdrop, and with the DPDP Act now carrying penalties of up to ₹250 crore, Indian boards are finally treating cyber insurance as essential rather than optional. But the market has matured fast, and the policy you could buy on a tick-box form three years ago no longer exists. This guide explains what cover actually does, what it does not, who sells it in India, what drives the premium, and exactly what you need to put in place to qualify on good terms.

What cyber insurance actually covers

A cyber policy is built around two halves: first-party cover (losses to your own business) and third-party cover (your liability to others). Most standalone policies in India bundle both, but the limits, sub-limits and exclusions differ wildly between insurers — read the schedule, not the brochure.

First-party (your own losses) | Third-party (liability to others)
Incident response & forensic investigation costs | Claims from customers/partners whose data you exposed
Business interruption from a cyberattack or outage | Regulatory defence costs and certain fines/penalties
Data restoration and system rebuild | Defamation, IP or privacy liability arising from your systems
Cyber extortion / ransomware negotiation & payment | Costs of notifying and managing affected data principals
Reputation/PR and crisis management | Legal liability from a breach of contract over data security

What it does NOT cover

Exclusions are where claims die. Across the Indian market you should expect the following to be carved out or heavily limited:

  • Prior or known incidents — anything you were aware of before the policy started.
  • Poor security hygiene — unpatched, end-of-life or unsupported systems; missing controls you attested to having.
  • Misrepresentation — if your application overstated your controls (e.g. “MFA everywhere” when it wasn’t), the insurer can rescind the policy or deny the claim outright. This is now the single most common reason claims fail.
  • Insider/fraudulent fund transfer beyond stated sub-limits, and acts of war or attacks attributed to a nation state.
  • Bodily injury, property damage, and most regulatory fines that are uninsurable by law.

The cyber insurance market in India

The Indian cyber insurance market is small but growing fast — analysts put it on a 25–30% annual growth trajectory off a base under USD 1 billion in 2025, driven by digitalisation, ransomware and DPDP. The main carriers offering cyber policies in India today include ICICI Lombard, HDFC ERGO, Bajaj Allianz, and Tata AIG, alongside other general insurers and global capacity placed through brokers. Standalone cyber policies (rather than add-ons) dominate, and large enterprises account for the bulk of premiums — though SME-specific products are now widely available.

One important regulatory shift: under the IRDAI’s Information and Cyber Security Guidelines, 2026 (which replaced the 2023 framework), insurers themselves must now run continuous cyber resilience programmes and report incidents to IRDAI and CERT-In within six hours. The practical effect for buyers is that the people underwriting your risk are themselves being audited harder — and they pass that rigour straight through to your application.

What drives the cost of a cyber policy

There is no honest “₹X per year” answer to cyber insurance cost in India — anyone quoting a fixed figure is guessing. Premium is a function of your risk, and underwriters price it on:

  • Revenue and data volume — more turnover and more records (especially personal or financial data) means more exposure.
  • Sector — healthcare, fintech, e-commerce and SaaS pay more than low-data manufacturing.
  • Controls maturity — this is increasingly the biggest lever. A demonstrably well-defended business pays materially less, and may be the difference between getting cover and being refused.
  • Limit and retention — a higher cover limit raises premium; a higher deductible (your self-insured retention) lowers it.
  • Claims history — prior incidents push you toward the expensive end or out of the market entirely.

The headline trend: underwriting has quietly become a technical audit. Two businesses with identical revenue can be quoted very differently purely on the strength of their controls.

The security controls insurers now require

This is the heart of qualifying. The following controls have moved from “nice to have” to conditions of cover. Miss them and you face higher premiums, sub-limited ransomware cover, or outright declinature.

Control | What underwriters expect
Multi-factor authentication (MFA) | Universal — every email, VPN, remote and privileged/admin login. Phishing-resistant MFA is increasingly preferred.
Endpoint detection & response (EDR) | Deployed on all in-scope endpoints with active response, ideally 24/7 monitored via a SOC/MDR.
Backups (3-2-1) | Three copies, two media, one offsite — with at least one immutable or air-gapped copy, and tested restores.
Patch management | Timely patching of critical vulnerabilities; no end-of-life or unsupported software in production.
VAPT / vulnerability testing | Regular penetration testing and vulnerability assessment, with remediation tracked.
Incident response plan | A documented, tested IR plan — many carriers now want proof it has actually been exercised.
Security awareness training | Regular staff training and phishing simulations, given how many breaches start with a click.

Independent assurance is what turns these from claims on a form into evidence. A clean VAPT report and a recognised framework such as ISO 27001 are exactly the artefacts underwriters reward.

How a strong posture lowers premiums — and prevents claim denial

A mature security programme helps you twice. First, on price: the better and more verifiable your controls, the more leverage your broker has to negotiate down the premium and widen the cover. Second — and more important — it protects the claim itself. The most damaging cyber-insurance failures in recent years have not been about coverage gaps; they have been about material misrepresentation. If you attest to MFA everywhere but a breach later reveals an admin account with MFA quietly turned off “for convenience,” the insurer can void the entire claim. You are not certifying your controls on signing day — you are certifying that they hold every single day the policy is live. Continuous, evidenced control hygiene is therefore the real product you are buying.
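
The following Python check is an added example, not part of the original article or any insurer's tooling: it tests a constructed account export and backup register against the MFA scope and 3-2-1 backup expectations listed above, producing the kind of dated evidence that keeps an attestation true between signing day and renewal. The field names, sample records and the 90-day restore-test window are assumptions.

```python
from datetime import date

# Login types the article says must all carry MFA: email, VPN, remote, privileged/admin.
MFA_SCOPE = {"email", "vpn", "remote", "admin"}

# Constructed sample data (hypothetical export format, not from any real tool).
ACCOUNTS = [
    {"user": "asha", "roles": ["email"], "mfa": True},
    {"user": "ravi", "roles": ["email", "vpn"], "mfa": True},
    {"user": "svc-admin", "roles": ["admin"], "mfa": False},  # disabled "for convenience"
]
BACKUPS = [
    {"name": "nas-nightly", "media": "disk", "offsite": False,
     "immutable": False, "last_restore_test": date(2026, 5, 2)},
    {"name": "tape-weekly", "media": "tape", "offsite": False,
     "immutable": False, "last_restore_test": None},
    {"name": "cloud-copy", "media": "object-storage", "offsite": True,
     "immutable": False, "last_restore_test": date(2025, 11, 20)},
]

def mfa_gaps(accounts):
    """Users holding an in-scope login type without MFA enrolled."""
    return sorted(a["user"] for a in accounts
                  if MFA_SCOPE & set(a["roles"]) and not a["mfa"])

def backup_gaps(copies, today, max_test_age_days=90):
    """Check 3-2-1, immutability and restore-test freshness.
    The 90-day window is an assumption; the article only says restores must be tested."""
    findings = []
    if len(copies) < 3:
        findings.append("fewer than three copies")
    if len({c["media"] for c in copies}) < 2:
        findings.append("fewer than two media types")
    if not any(c["offsite"] for c in copies):
        findings.append("no offsite copy")
    if not any(c["immutable"] for c in copies):  # immutable or air-gapped
        findings.append("no immutable or air-gapped copy")
    for c in copies:
        tested = c["last_restore_test"]
        if tested is None or (today - tested).days > max_test_age_days:
            findings.append(f"{c['name']}: no restore test in {max_test_age_days} days")
    return findings

def attestation_drift(accounts, copies, today):
    """Dated evidence record; empty lists mean the attested controls still hold."""
    return {"date": today.isoformat(), "mfa_gaps": mfa_gaps(accounts),
            "backup_gaps": backup_gaps(copies, today)}

if __name__ == "__main__":
    print(attestation_drift(ACCOUNTS, BACKUPS, date(2026, 6, 17)))
```

Run on a schedule and archive each record: a non-empty list is the drift to fix before it becomes a misrepresentation finding in a post-breach forensic review.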

The link to Indian regulation

Cyber insurance in India cannot be understood apart from two regimes that have sharpened risk dramatically:

  • DPDP Act 2023 + DPDP Rules 2025 — notified on 13 November 2025, with phased enforcement (initial provisions from 14 November 2025, Consent Manager obligations from 14 November 2026, and full compliance by 13 May 2027). The Data Protection Board of India is now established, and certain breaches — notably a failure to protect personal data — can attract penalties of up to ₹250 crore. That single number is what moved cyber insurance onto Indian boardroom agendas. Our DPDP compliance hub breaks down the obligations in detail.
  • CERT-In directions — you must report a covered cyber incident within 6 hours of becoming aware of it, retain ICT system logs for 180 days, and the directions list 20 reportable incident categories. Non-compliance can attract up to one year of imprisonment or a fine of ₹1 lakh. A good incident response plan — and a policy whose IR helpline you can call at 2 a.m. — is what makes that six-hour clock survivable.

How to qualify and get the best policy: a checklist

  1. Fix the non-negotiables first. Universal MFA, EDR on every endpoint, and tested 3-2-1 immutable backups. Without these, expect refusal or punitive pricing.
  2. Get independent assurance. Commission a VAPT and remediate the findings before you apply — a clean report is underwriting gold.
  3. Document a tested incident response plan. Run at least one tabletop exercise and keep the evidence.
  4. Map your data and DPDP exposure. Know what personal data you hold, where, and why — it drives both your premium and your statutory liability.
  5. Answer the application truthfully and precisely. Every overstatement is a future claim denial. If a control is partial, say so.
  6. Use a specialist broker and compare standalone cyber policies — read the exclusions, ransomware sub-limits, and incident-response retainer terms, not just the headline limit.
  7. Keep controls live and evidenced year-round so renewal — which is now an audit — is painless and your claim is defensible.

Frequently Asked Questions

Is cyber insurance mandatory in India?

No, there is no general legal mandate to buy cyber insurance in India. However, DPDP Act liability (up to ₹250 crore) and CERT-In’s six-hour reporting obligation make the financial and operational case compelling, and many contracts and tenders now require it.

How much does cyber insurance cost in India?

There is no fixed figure — premium depends on your revenue, sector, data volume, chosen limit and, above all, your security controls. A business with strong, verifiable MFA, EDR, backups and VAPT pays materially less than an otherwise identical business without them. Treat any “flat rate” quote with suspicion.

Can my claim be denied even if I have a policy?

Yes. The most common reason claims fail is material misrepresentation — attesting to controls (like MFA on all accounts) that a post-breach forensic review proves were not actually in place. Coverage is only as good as the accuracy of your application and the continuous reality of your controls.

What controls do insurers require to underwrite a cyber policy?

Universal MFA, EDR with active monitoring, 3-2-1 immutable and tested backups, timely patching with no end-of-life software, regular VAPT, a documented and tested incident response plan, and staff security-awareness training. These are now conditions of cover, not optional extras.

If you are about to apply for or renew cyber cover, the cheapest premium and the most defensible claim both start with a real picture of your controls. Get a security assessment from RingSafe and walk into your underwriting conversation with evidence, not assertions.
