Cyber insurance in India pays for the direct costs your business incurs after a breach, ransomware attack, or data-theft incident — legal defence, breach notification, system restoration, and business interruption losses. It does not replace a security programme; it finances recovery when that programme fails or is overwhelmed. Indian insurers now underwrite cyber risk far more rigorously than they did even three years ago, and the central question every SMB underwriter asks is: what security controls are actually in place? Without evidence of MFA, endpoint detection, tested backups, and a recent VAPT report, you will either be declined, quoted a prohibitive premium, or handed a policy riddled with exclusions that matter most at claim time.
This guide explains what Indian cyber policies cover, what they exclude, what controls insurers want to see, and how to build a posture that qualifies you for meaningful coverage.
What Cyber Insurance in India Actually Covers
Indian cyber insurance policies are typically structured around two liability pillars: first-party losses (your own costs) and third-party liability (claims made against you by customers, partners, or regulators).
First-Party Coverage
Breach response costs include forensic investigation, legal counsel, public relations, and mandatory breach notifications under frameworks like the DPDP Act 2023. When a breach triggers a legal obligation to notify data principals, your policy should pick up those costs.
Business interruption covers revenue loss and extra operating expenses during the period your systems are down or degraded. This coverage is time-limited, so the policy's definition of "restoration" — does it mean systems-back-online or full business-as-usual? — matters.
Ransomware and extortion covers ransom payments (where permitted by law), negotiation services, and the forensic work to confirm whether paying actually delivers a decryption key that works. CERT-In's 2024 guidance does not prohibit ransom payment but expects all incidents to be reported within six hours of detection.
Data restoration covers the cost of rebuilding corrupted or destroyed data from backups — assuming clean backups exist. If they do not, the policy pays for what is possible, not what you wish were possible.
Cyber fraud and social engineering covers financial transfer fraud triggered by a compromised email or an impersonation attack. Many SMBs discover this coverage gap only after a finance team member wires funds to a fraudulent account.
Third-Party Liability
Data breach liability covers settlements, judgments, and defence costs when affected individuals or organisations bring claims arising from your breach. Under the DPDP Act, Data Fiduciaries face significant obligations; a claim from a data principal or a regulatory action from the Data Protection Board would fall here.
Regulatory defence and penalties covers legal representation in front of regulators — CERT-In, SEBI for CSCRF-regulated entities, or the Data Protection Board — and, where insurable under Indian law, regulatory fines. Note: not all fines are insurable, and your policy wording controls this.
Network security liability covers third-party claims if your compromised systems were used to attack, infect, or disrupt another organisation's infrastructure.
What Cyber Insurance Does Not Cover
Exclusions are where claims die. The most common exclusion clauses in Indian cyber policies:
- Prior and known incidents: Any breach or vulnerability you knew about before the policy inception date is excluded. This is why a clean VAPT report — one that shows findings have been remediated — matters at renewal.
- Infrastructure failure: Losses from power outages, hardware failures, or cloud-provider outages not caused by a cyber event are typically excluded.
- Intellectual property disputes: Trade-secret theft or patent claims arising from a breach are often excluded.
- Insider threats without controls: If an insider exfiltrates data and the insurer can demonstrate you had no access controls, logging, or segregation of duties, they may invoke an exclusion for negligent security practices.
- War and nation-state attacks: Most policies now include a cyber-war exclusion, though the definitions are contested and some insurers are beginning to narrow the exclusion.
- Non-compliance with security warranties: If your policy required you to maintain MFA and you deactivated it, and you suffer a credential-stuffing breach, expect a coverage dispute.
Why Indian Insurers Now Demand Security Controls
Three years ago, Indian cyber insurance underwriting was largely based on revenue size, industry, and a short questionnaire. That era is over. Loss ratios worsened sharply as ransomware incidents proliferated and the average cost of an Indian data breach reached multi-crore levels. Insurers responded by demanding evidence of controls, not just attestations.
The controls that Indian insurers most commonly ask about today fall into four categories:
| Control Category | Examples Insurers Verify | Why It Matters to Them |
|---|---|---|
| Identity & Access | MFA on email, VPN, admin consoles; privileged access management | Credential theft is the leading initial access vector |
| Endpoint Security | EDR/XDR deployed on all endpoints; regular patching within 30 days | Dwell time shrinks with detection; patches close known exploits |
| Backup & Recovery | Air-gapped or immutable backups tested quarterly; defined RTO/RPO | Determines whether ransomware results in payment or restoration |
| Vulnerability Management | Annual or semi-annual VAPT; tracked remediation of critical findings | Demonstrates proactive posture; evidence the risk is managed |
How a VAPT Report Lowers Your Premium and Strengthens Your Application
Cyber insurance premiums are risk-adjusted. An organisation that demonstrates a documented, tested, and maintained security posture is a materially lower risk than one with equivalent revenue but no controls evidence. In practice, a recent VAPT report with a clean or well-remediated findings profile does three things for your insurance application:
1. It signals proactive risk management. Most Indian SMBs applying for cyber insurance have no formal vulnerability testing programme. Arriving with a VAPT report immediately separates your application from the peer group.
2. It reduces the probability that a post-loss audit finds "known but unpatched" vulnerabilities. If the breach exploits something your VAPT would have flagged, and you cannot show the report or show remediation, your claim is at risk.
3. It gives the underwriter something to price against. Underwriters prefer knowable risk to unknown risk. A structured VAPT report — listing findings, severity ratings, and remediation status — gives them the data they need to offer competitive terms rather than defaulting to a conservative premium.
Running a free VAPT scan is a practical starting point. The report you receive documents your attack surface, classifies findings by severity, and provides remediation guidance. Once critical and high findings are addressed, that remediated report becomes evidence of good security hygiene — exactly what an underwriter wants to see.
The Claim Cycle: From Incident to Payout
Understanding the claim workflow helps you design your internal incident response to align with insurer requirements.
```mermaid
graph TD
A[Incident Detected] --> B[Internal Triage]
B --> C{"Reportable under CERT-In 6h rule?"}
C -- Yes --> D["Notify CERT-In within 6 hours"]
C -- No --> E[Continue investigation]
D --> E
E --> F["Notify Insurer per policy SLA"]
F --> G["Insurer assigns Forensics Panel"]
G --> H{"Coverage dispute?"}
H -- No --> I["Claim approved and paid"]
H -- Yes --> J["Legal review of warranty clauses"]
J --> K{"Resolved?"}
K -- Yes --> I
K -- No --> L["Arbitration or Court proceedings"]
I --> M["Post-incident remediation required"]
style A fill:#5f1e1e,stroke:#EF4444,color:#e2e8f0
style D fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
style F fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
style G fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
style I fill:#1e3d2f,stroke:#10B981,color:#e2e8f0
style J fill:#5f1e1e,stroke:#EF4444,color:#e2e8f0
style L fill:#5f1e1e,stroke:#EF4444,color:#e2e8f0
style M fill:#1e3d2f,stroke:#10B981,color:#e2e8f0
style H fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
style K fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
style B fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
style C fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
style E fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
```

Controls Breakdown: What Insurers Require
```mermaid
pie title Security Controls Required by Indian Cyber Insurers
"MFA and Identity" : 25
"EDR and Endpoint Patching" : 22
"Backup and Recovery" : 20
"Vulnerability Management" : 18
"Incident Response Plan" : 10
"Security Awareness Training" : 5
```

Cyber Insurance Readiness Checklist for Indian SMBs
Before approaching insurers, work through this checklist. Each item either directly affects your eligibility or your premium band.
| Control | Done | Notes |
|---|---|---|
| MFA on all admin consoles, email, and VPN | | Required by most policies as a warranty |
| EDR deployed on all endpoints | | Confirm coverage includes servers, not just desktops |
| Immutable or air-gapped backups tested in last 90 days | | Test means restoring data, not just verifying backup jobs ran |
| Full VAPT conducted in last 12 months | | Report with findings and remediation evidence |
| Critical and high VAPT findings remediated | | Unpatched criticals create claim-time exposure |
| Incident response plan documented and tested | | Tabletop exercise evidence is increasingly requested |
| Asset inventory current | | Insurers ask what you are insuring; unknown assets = unknown risk |
| DPDP data mapping completed | | Required for accurate breach notification cost modelling |
| Security awareness training completed in last 12 months | | Some policies require annual training as a warranty |
| Cyber incident reported to CERT-In within 6 hours (last incident) | | Demonstrates compliance posture to underwriter |
The Role of Regulatory Frameworks
India's Digital Personal Data Protection Act (DPDP Act 2023), SEBI's Cyber Security and Cyber Resilience Framework (CSCRF) for regulated entities, and RBI's IT governance circulars for banks and NBFCs all create legal obligations that generate insurable liability. If your organisation falls under SEBI CSCRF — which covers brokers, depositories, mutual funds, and market infrastructure institutions — you are already required to conduct periodic VAPT and maintain documented security controls. That compliance work and your cyber insurance application are not separate streams of effort; the same documentation serves both purposes.
For DPDP compliance obligations, the /dpdp-compliance resource covers the Act's requirements in detail.
Bachao.AI, built by Dhisattva AI Pvt Ltd, automates the VAPT process so organisations can generate audit-grade vulnerability reports without maintaining an internal red team. VAPT is delivered through automated scanning; where CERT-In empanelment is required for a specific regulatory submission, that is delivered with a CERT-In empanelled partner.
Authoritative References
- CERT-In Cyber Incident Reporting Guidelines: https://www.cert-in.org.in
- DSCI Cyber Security Outlook 2024: https://www.dsci.in
- MeitY DPDP Act 2023 resources: https://www.meity.gov.in
- SEBI CSCRF Master Circular: https://www.sebi.gov.in
- IBM Cost of a Data Breach Report 2024: https://www.ibm.com/reports/data-breach