EquitiesIndia.com

Cyber Insurance

Cyber insurance is an insurance product that covers financial losses arising from cyberattacks, data breaches, ransomware incidents, online fraud, system outages, and related digital risks. It has emerged in India as a standalone product category regulated by IRDAI, following the rapid digitisation of businesses and the rise of cybercrime targeting both corporate entities and individual consumers.

Cyber insurance in India was a relatively new product category that gained traction alongside the exponential increase in digitalisation driven by initiatives like Digital India, UPI adoption, and the post-COVID acceleration of remote work and digital commerce. IRDAI classified cyber insurance under the general insurance framework and permitted both general and standalone health insurers to offer cyber covers, with product filings subject to file-and-use approval.

For corporate policyholders, cyber insurance typically covered first-party and third-party losses. First-party coverage included business interruption losses from system downtime caused by a cyberattack, ransomware extortion costs (though ransomware payment coverage was increasingly scrutinised for moral hazard concerns), digital forensic investigation costs to determine the source and extent of a breach, data restoration costs, and crisis management expenses including PR and notification costs for affected customers. Third-party coverage addressed claims made by customers, vendors, or regulators against the insured company for failing to protect their data.

For retail individual customers, cyber insurance products in India covered incidents such as email spoofing and phishing-related financial fraud, social engineering scams (including fake customer care calls that induced OTP sharing), online banking fraud, unauthorised digital transactions, identity theft, and e-wallet fraud. Coverage limits for individuals ranged from Rs 50,000 to Rs 1 crore depending on the plan, with premiums in the range of Rs 500-5,000 per year for entry-level covers.

The regulatory framework for cyber insurance in India was shaped by multiple intersecting regulations. IRDAI product regulations governed the insurance product itself. The Information Technology (Amendment) Act 2008 and the associated IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 defined corporate obligations for data protection. The Digital Personal Data Protection Act 2023 (DPDPA), once fully operationalised, would impose significant compliance obligations and potential penalties on data fiduciaries, heightening the demand for cyber liability covers to manage DPDPA-related regulatory exposure.

Insurers faced unique challenges in underwriting cyber risk due to the aggregation problem — a single cyberattack on widely used software (such as the WannaCry ransomware in 2017 or the SolarWinds supply chain compromise) could simultaneously trigger claims across hundreds or thousands of policyholders, creating a correlated loss event unlike most other insured risks. This systemic nature of cyber risk led insurers to introduce sub-limits for specific attack types, exclusions for war-related cyberattacks (following geopolitical cyber incidents), and co-insurance requirements for large corporate buyers.

The Reserve Bank of India (RBI) had issued directives requiring banks and regulated financial entities to report cyber incidents and maintain business continuity plans, driving these entities to include cyber insurance as part of their risk management frameworks. SEBI similarly required listed companies and market infrastructure institutions to maintain cyber resilience standards, implicitly strengthening the demand for cyber insurance as a risk transfer mechanism alongside organisational controls.

Educational only. This glossary entry is for informational purposes and does not constitute investment, tax, or legal guidance. Please consult a SEBI-registered adviser before making any investment decision.