Cyber Insurance in India: A Legal Necessity for Digital Businesses

Rising cyber threats in India, combined with strict digital laws like DPDPA, make cyber insurance essential for businesses to ensure operational continuity and financial resilience

Cyber threats and strict data laws make cyber insurance essential for Indian businesses
  • Ransomware attacks like AIIMS 2022 show businesses face critical operational and financial risks.

  • Cyber insurance mitigates losses, covering first-party, third-party costs, and regulatory penalties efficiently.

  • India’s digital laws and DPDPA make cyber risk protection essential for companies.

The servers of AIIMS, New Delhi, went dark in late 2022. It was a sophisticated ransomware attack rather than a power outage. For almost two weeks, one of the most prominent medical institutions in India had its patient records, appointments and administrative systems locked. This ransomware attack had a significant impact on the delivery of healthcare services.

While this was a crisis for a public institution responsible for patient well-being, cyber threats can bring most companies to their knees by crippling operations and inflicting heavy financial damage in today’s digital age. From Zivame, an e-commerce company that primarily sells women’s sleepwear, to BSNL to Hyundai Motor India, such attacks do not discriminate by industry or scale.

These incidents are more than news headlines and serve to highlight the potential of cyberthreats to disrupt business continuity. According to the State of Ransomware in India 2025 report by Sophos, Indian companies have paid nearly ₹4 crore to extricate themselves from such cyber-attacks. Furthermore, in an economy where UPI drives everyday commerce and the Digital India mission is transforming every industry, cyber negligence is particularly risky.

The Flip Side of India’s Digital Boom

India is adopting digital technology at a rapid pace. The scale is astounding, with over 800 mn people using the internet and the digital payments market expected to reach $10trn by 2026. Hyper-connectivity, however, increases the attack surface. Malicious actors could enter through any connected device, customer database or payment gateway.

The numbers speak for themselves. India's Computer Emergency Response Team (CERT-In) received reports of more than 1.3mn cybersecurity incidents in 2022. Juspay's hack exposed millions of card details. The personal data of 180mn Domino's India customers was exposed online. These are not just IT mistakes. These are commercial catastrophes that directly result in financial loss and damage customer confidence.

For businesses with a digital footprint, the question is not whether they will be targeted but when and how they can protect themselves.

The Legal Hammer: DPDPA and Beyond

India's data protection laws were inconsistent for many years. The Information Technology Act of 2000 established some general requirements, but there were few penalties and little enforcement.

The Digital Personal Data Protection Act of 2023 (DPDPA) marked the end of that era. This law significantly alters how companies handle digital personal data. It applies to everyone, from large fintech firms to small e-commerce start-ups, and lays out requirements for consent, data minimisation and purpose limitation.

The biggest change is the financial one. The recently established Data Protection Board of India has the authority to fine non-compliance, including breaches brought on by insufficient safeguards, up to ₹250 crore. That is a death sentence for the majority of small and medium-sized businesses (SMEs), not just a fine.

On top of this, CERT-In’s 2022 directive requires companies to report all cyber incidents within six hours. That demands an expensive, always-ready response apparatus: forensic experts, legal teams and crisis communication specialists. Failing to report on time is itself a violation.

In short, India’s digital laws have teeth now. And they bite hard.

Cyber Insurance Essential

At this point, cyber insurance becomes a necessity rather than a luxury. Modern cyber insurance is intended to assist businesses in surviving an attack in real time, as opposed to traditional policies that merely write a cheque after a loss.

Two fronts are typically covered. First-party costs include data recovery, system restoration, business interruption losses, crisis communication, forensic investigation and, in certain situations, ransomware payments. Third-party costs are crucial now that DPDPA is in effect. Legal defence, regulatory actions and monetary obligations resulting from fines and consumer litigation are all covered by insurance.

Take the example of a medium-sized internet retailer with headquarters in Mumbai. One hundred thousand customers' data is exposed due to a breach. The business is fighting on three fronts without insurance: paying for system repairs out of pocket, losing money every day the site is unavailable and being hit with a multi-crore DPDPA penalty. A strong cyber policy allows the insurer to cushion the financial impact and send in a pre-approved crisis team. That distinction might mean the difference between life and death.

Cyber Risk Management
The claim that insurance encourages complacency among businesses is common. However, the opposite is true in reality. Underwriting standards are now strictly enforced by insurers. To even qualify for a policy, businesses must show that they have robust controls in place, such as data encryption, multi-factor authentication, regular vulnerability assessments and incident response plans.

In practice, it is the insurer's security assessment process that persuades businesses to improve their cyber hygiene. A policy is a sign that the fundamentals of digital security have been taken seriously, not a licence for negligence.

Navigating the Cyber Insurance Market

The practical question for companies that have been persuaded of the necessity is how to purchase cyber insurance in India. This is not an off-the-shelf purchase like health or auto insurance.

Who provides it: In addition to Indian insurers like ICICI Lombard, HDFC ERGO, Bajaj Allianz and Tata AIG, international players such as AIG, Chubb and Allianz also offer specialised cyber products. Large brokers create unique coverages for start-ups and SMEs.

What is covered: The majority of policies cover third-party liabilities, including lawsuits, regulatory fines and customer compensation, as well as first-party losses such as data recovery, system repair, ransomware payouts and downtime expenses. Many also offer crisis management assistance, which includes legal counsel, PR specialists and forensic investigators. Noteworthy exclusions include acts of war, insider fraud and breaches brought on by egregious negligence. Companies must carefully read the fine print.

Factors affecting pricing: Industry, size, income and the company's cyber hygiene all affect premiums. A small professional services firm pays much less than a fintech platform that processes millions of transactions.

Preparation is necessary: Before underwriting, insurers usually request security documentation, such as encryption protocols, penetration test findings and incident response frameworks. Although the procedure may seem taxing, it compels companies to elevate their security posture to a professional level. Resilience is the prize when, not if, a breach happens.

The Bigger Picture: Digital India at a Crossroads

India's digital economy is now essential to its growth rather than merely a supporting sector. It is anticipated to account for a fifth of the country's GDP by 2025. However, this reliance also puts the economy at systemic risk. A widespread attack on a well-known consumer internet service or a major payments platform may have significant repercussions.

Therefore, cyber insurance is about more than just a company's ability to survive. It contributes to the development of national resilience in the era of digitalisation. Indian businesses have little leeway as regulators tighten regulations and attackers become more skilled.

The Bottom Line

Businesses in India are now legally liable for cyber-attacks, as the DPDPA has made clear. There is no hiding thanks to CERT-In's timelines. The financial penalties are harsh enough to cause businesses to fail overnight. In light of this, purchasing cyber insurance is no longer optional. Similar to statutory audits or GST compliance, it is an essential component of business continuity planning. For Indian companies, the decision is straightforward. They can gamble on never being attacked and disregard cyber insurance as a needless expense. Or they can acknowledge that risk is unavoidable in a digital economy and that protection is no longer negotiable.

The views expressed in this article are solely those of the author.