
What is Cyber Insurance and Why Your Business Needs It

2 May 2026  |  6 min read

The Digital Threat Every Indian Business Faces

In 2024, India recorded over 13.91 lakh cyber security incidents — making it the third most targeted country globally, according to CERT-In's annual report. A mid-sized Bengaluru IT firm lost ₹3.2 crore to a ransomware attack that encrypted its client databases. A Mumbai e-commerce startup faced ₹1.1 crore in customer notification costs after a data breach compromised 80,000 payment records. A Pune manufacturing company suffered 11 days of operational shutdown when hackers shut down its ERP system.

What these businesses had in common: no cyber insurance. The financial, legal and reputational damage was entirely borne by their owners, directors and shareholders.

Cyber insurance — formally known as cyber liability insurance or cyber risk insurance — is a specialised financial protection product that covers the direct costs and third-party liabilities that arise when a business suffers a cyber attack, data breach or system compromise. In India, it is governed by the Insurance Regulatory and Development Authority of India (IRDAI) and sold by specialist insurers including New India Assurance, ICICI Lombard, Bajaj Allianz and others.

What is Cyber Insurance?

Cyber insurance is a policy that transfers the financial risk of cyber incidents from your business to an insurer. It covers both first-party losses (direct costs your business incurs) and third-party liability (claims from customers, partners and regulators arising from a breach that affects them).

Unlike general commercial insurance policies that explicitly exclude "cyber events," cyber insurance is purpose-built for the digital threat environment — and critically, it covers the cost of the response, not just the eventual settlement.

Think of it as a combination of financial coverage, legal defence and operational emergency support — all activated from a single policy the moment your systems are compromised.

What Cyber Insurance Covers in India: Data breach, ransomware, business interruption, third-party liability, regulatory fines and cyber fraud

Key Coverage Areas Explained

1. Data Breach Response

When customer PII (personally identifiable information), payment data or medical records are stolen or exposed, Indian law under the Digital Personal Data Protection Act 2023 (DPDP Act) requires organisations to notify affected individuals promptly. The costs of forensic investigation, legal advice, customer communication, credit monitoring services and public relations management can run into crores for even a mid-sized company. Cyber insurance covers all of these first-party breach response costs.

2. Ransomware and Extortion Cover

Ransomware groups — including sophisticated actors like LockBit and ALPHV that have targeted Indian firms — encrypt business data and demand payment for the decryption key. Cyber insurance covers the ransom payment (where legally permissible), the cost of professional negotiators, and the forensic work needed to safely restore systems. It also covers parallel losses such as business interruption during system downtime.

3. Business Interruption

A successful ransomware attack or DDoS (Distributed Denial of Service) assault can take your systems offline for days or weeks. During that period, revenue stops but overheads continue. Cyber insurance compensates for lost gross profit during the interruption period and covers extraordinary expenses incurred to restore operations faster — such as emergency IT contractor fees or temporary infrastructure costs.

4. Third-Party Liability

If your company's data breach compromises customer or partner data, those affected parties can sue you for damages. Under the DPDP Act 2023, data principals (your customers) have enforceable rights, and data fiduciaries (your business) face civil and regulatory consequences for failing to protect their information. Cyber insurance covers defence costs and settlement payments arising from such third-party claims.

5. Regulatory Fines and CERT-In Compliance

CERT-In's April 2022 directives require all Indian organisations to report cyber incidents within 6 hours of detection. The DPDP Act 2023 empowers the Data Protection Board to levy penalties of up to ₹250 crore for non-compliance. Some cyber policies cover the cost of regulatory investigations and, where permitted by law, certain regulatory fines. All policies cover the cost of legal counsel during regulatory proceedings.

6. Cyber Fraud and Business Email Compromise

Business Email Compromise (BEC) is one of the fastest-growing cyber crimes in India — attackers impersonate a CEO or CFO to trick finance staff into wiring funds to fraudulent accounts. In 2023, Indian businesses lost an estimated ₹1,800 crore to BEC and social engineering fraud. Cyber insurance with a social engineering extension covers these direct financial losses.

India Cyber Threat Landscape 2024: Ransomware, phishing, data breaches and regulatory exposure data

The India Cyber Threat Landscape

India's rapid digital transformation has created an enormous attack surface. The scale of the threat is not theoretical:

  • ₹19.5 crore — the average total cost of a data breach in India in 2024, per IBM's Cost of a Data Breach Report
  • 13.91 lakh incidents — cyber incidents logged by CERT-In in calendar year 2024
  • 42% of incidents involved phishing and Business Email Compromise
  • DPDP Act 2023 — India's landmark data protection law, with penalties up to ₹250 crore for serious breaches
  • RBI mandates cyber resilience frameworks for all banks and NBFCs; SEBI has issued similar directives for brokers and exchanges
  • India's UPI ecosystem processed ₹200 lakh crore in transactions in FY2024 — making fintech a prime target for cyber criminals

Sectors most exposed include BFSI (banking, financial services and insurance), healthcare, e-commerce, IT/ITES, manufacturing and government-linked enterprises.

Who Needs Cyber Insurance in India?

Virtually any organisation that uses computers, stores customer data or processes digital transactions has meaningful cyber exposure. However, certain categories face the highest risk and regulatory scrutiny:

  • Banks and NBFCs — RBI's IT Framework and Cyber Security Policy require robust cyber resilience; personal liability extends to senior management under the RBI Act
  • E-commerce and retail — stores payment card data and PII at scale; DPDP Act compliance is mandatory
  • IT/ITES companies — process client data under contracts that typically require cyber insurance; supply chain breach liability is a major risk
  • Healthcare and hospital groups — electronic health records, telemedicine platforms and medical device networks create multiple attack vectors
  • Manufacturing — OT (operational technology) and SCADA systems increasingly connected to the internet; ransomware can halt production lines
  • Startups and SMEs — often underprotected yet heavily penalised under DPDP Act; PE/VC investors increasingly require cyber insurance at Series A and beyond

Cyber Insurance Incident Response Journey: Step-by-step from attack detection to full recovery with insurer support

How Cyber Insurance Works: The Incident Response Journey

The real value of cyber insurance is not just the eventual claim payment — it is the insurer-activated incident response that begins within hours of notification. Leading cyber policies in India provide access to a dedicated 24/7 incident response hotline. The moment you notify your insurer, forensic experts, legal counsel and PR specialists are deployed on your behalf.

The journey runs from detection (Hour 0), through containment and CERT-In notification (within 6 hours), to claims payment covering ransom, lost revenue and third-party liabilities (within 30 days for documented claims), and finally full systems restoration and post-event hardening review. Throughout, you are not navigating a regulatory and financial crisis alone.

The DPDP Act 2023 and Why It Changes Everything

India's Digital Personal Data Protection Act 2023 is a watershed moment for cyber risk. For the first time, Indian law explicitly defines the obligations of businesses that process personal data (called "Data Fiduciaries") and the rights of individuals whose data is processed (called "Data Principals").

Under the DPDP Act, failure to implement adequate security safeguards, failure to notify the Data Protection Board and affected individuals of a breach, and failure to delete data when its purpose is fulfilled — all carry financial penalties. The Data Protection Board can levy fines of up to ₹250 crore for significant violations. For listed companies, there is the additional risk of stock price impact and SEBI scrutiny if a material breach is not disclosed promptly.

Cyber insurance bridges this regulatory gap: it covers the legal costs of navigating DPDP compliance, the cost of mandatory notifications, and where permitted, certain regulatory penalties.

What Cyber Insurance Does NOT Cover

Understanding exclusions is as important as understanding coverage. Standard cyber policies in India typically exclude:

  • Intentional or fraudulent acts by the insured organisation's senior management
  • Pre-existing breaches or incidents that occurred before the policy inception date
  • Physical damage to hardware (covered under property/equipment policies)
  • Cyber terrorism or state-sponsored attacks (may require a specialist endorsement)
  • Losses arising from failure to maintain industry-standard security practices (e.g., unpatched systems left exposed for months)
  • Intellectual property theft in certain policy wordings

Understanding these exclusions is essential when structuring a policy — an experienced broker like TropoGo can ensure your policy wording matches your actual risk profile.

Choosing the Right Cyber Insurance Policy

Not all cyber policies are equal. Key factors to evaluate when buying cyber insurance in India include the sublimit structure (some policies cap individual cover heads like ransomware or BEC at low sublimits), the quality of the incident response panel (who are the forensic and legal firms?), the retroactive date (does it cover incidents that began before policy inception?), and the claims trigger (is it a "discovery" trigger or an "occurrence" trigger?).

Working with a specialist commercial insurance broker ensures your policy is structured for your sector's specific risk profile — whether you are a fintech startup with heavy UPI exposure or a manufacturing company with OT/SCADA systems.


Frequently Asked Questions

What is cyber insurance and who needs it in India?

Cyber insurance is a specialist policy that covers the direct financial costs and third-party liabilities arising from cyber attacks, data breaches and system compromises. In India, any organisation that stores customer data, processes digital payments or operates connected systems needs it — especially given CERT-In's mandatory 6-hour reporting requirement and DPDP Act 2023 penalties of up to ₹250 crore for serious data protection failures.

Does cyber insurance cover ransomware payments?

Yes, most cyber insurance policies in India cover ransomware extortion payments where legally permissible, along with the cost of professional ransom negotiators, forensic experts to safely restore systems, and business interruption losses during downtime. The insurer's incident response team is typically deployed before any payment decision is made.

How does the DPDP Act 2023 affect my cyber insurance needs?

The Digital Personal Data Protection Act 2023 creates statutory obligations for all businesses that process personal data of Indian citizens — including mandatory breach notification, data security obligations and potential penalties up to ₹250 crore. Cyber insurance covers the legal costs of navigating DPDP compliance, mandatory notification expenses, and where permitted by law, certain regulatory penalties arising from a data breach.

What is Business Email Compromise (BEC) and does cyber insurance cover it?

Business Email Compromise is a social engineering attack where cybercriminals impersonate a CEO, CFO or trusted supplier to trick employees into wiring funds to fraudulent accounts. It is one of the costliest cyber crimes for Indian businesses, with losses estimated at ₹1,800 crore in 2023. Cyber policies with a social engineering extension cover direct financial losses from BEC attacks.

How quickly does cyber insurance respond after an attack?

Leading cyber policies include a 24/7 incident response hotline. Once notified, the insurer deploys forensic experts, legal counsel and PR specialists — typically within 2 hours. This is critical given CERT-In's mandatory 6-hour reporting window. The claims payment process for documented first-party losses typically completes within 30 days of submission.

How do I get cyber insurance for my business through TropoGo?

TropoGo offers IRDAI-regulated cyber insurance tailored to Indian businesses — from IT startups and e-commerce platforms to manufacturers and healthcare providers. You can get a quote online in minutes. Our advisors help structure your policy to match your sector's risk profile, including DPDP Act compliance, CERT-In reporting obligations and any contractual cyber insurance requirements from clients or investors.

Cyber threats are not a future risk for Indian businesses — they are a present reality. Whether you are a two-person fintech startup or a 5,000-employee manufacturer, the question is not if you will face a cyber incident, but when — and whether you will be financially protected when it happens. The average cost of a breach in India is ₹19.5 crore. The cost of a well-structured cyber policy is a fraction of that.
