What was once a risk limited to IT companies is now a national concern. While cyber insurance has existed for years, the industry now finds itself grappling with an evolving scale of risk. In recent years, cyber warfare has moved from the shadows to the centre of global conflict. As the lines blur between conventional warfare and cyberattacks, the role of cyber insurance has become more critical.
With the digital age redrawing the battlefield, data breaches are no longer confined to private corporations; they have taken the form of cyber-attacks threatening to cripple even the public infrastructure.
In fact, given the escalating war risks around the world, cyber risk has become a major consequence of a geo-political conflict as well. For instance, the long-standing conflict between Iran and Israel is accompanied by a “shadow war” in cyberspace, where sensitive sectors are prone to risks. Similarly, following the recent military escalations between India and Pakistan, there has been a documented surge in cyberattacks.
Incidents like the NotPetya malware attack, which initially targeted the Ukrainian systems but quickly started affecting businesses across the globe, illustrate how cyber warfare can spread far and wide. The SolarWinds breach, uncovered in the US, showed how a compromise of software systems can have global security implications.
Currently, cybersecurity maturity in India is highly uneven across sectors. This is especially risky in critical sectors like BFSI, healthcare, and energy. Unlike traditional warfare, its costs are not always visible immediately. They often emerge in the form of long-term data exposure, legal liability, reputational loss or operational paralysis. For business leaders, these events are not distant, but a direct and escalating threat, which needs to be recognised and tackled as such.
The Growing Intensity of Cyber Risks
As India’s digital economy grows, so does the risk. The country is now the second-most targeted in Asia for ransomware attacks, according to global cybersecurity reports. The average cost of a data breach in India stood at ₹18.9 crore in 2023, the highest ever recorded locally.
With increasing integration into global supply chains, Indian businesses are exposed to cascading risks originating anywhere in the world. According to the Ministry of Home Affairs, cyber fraud losses are projected to surpass ₹1.2 lakh crore in 2025.
In recent months, Indian institutions, including government departments, oil majors, and even AIIMS Delhi, have experienced targeted ransomware and espionage campaigns. CERT-In reported over 1.3 million cyber incidents in 2023 alone.
This is a direct drain on the economy. The government has also reported that losses from financial cyber fraud more than doubled in the last fiscal year alone. It’s no longer uncommon to see high-profile attacks targeting critical sectors, including the BFSI sector. These events are soon becoming a fundamental cost of doing business in a digitised world.
Where Do We Stand in Terms of Protection?
The Indian cyber insurance market is also evolving in response to this growing threat. While the market is growing at a robust 25-30% annually, its penetration remains alarmingly low, with less than 1% of Indian businesses currently holding a policy.
This gap represents a significant systemic risk. For example, in the insurance industry, the Insurance Regulatory and Development Authority of India (IRDAI) has also mandated that insurers must report cyber incidents within six hours to increase transparency and response speed. At the same time, insurers are also becoming more stringent.
Underwriting standards now require demonstrable cyber hygiene, including endpoint detection, disaster recovery plans, employee training and vendor risk assessment. A company’s insurability is becoming a reflection of its cyber maturity.
At the same time, the industry also needs to factor in the complexity of ‘war exclusion’ clauses within policies. Historically, insurance contracts have excluded war-related losses. But when cyberattacks are linked to geopolitical tensions, do they fall within this definition?
This ambiguity came to light in the Merck case, where a claim of $1.4 billion was initially denied for NotPetya-related losses, citing the war exclusion clause. Merck went on to successfully challenge the decision in court, arguing that the attack was not part of a formally declared war.
So, defining the line between a criminal act and an act of war in cyberspace is a nuanced issue. The path forward for the Indian cyber insurance market involves developing a clearer path to address cyber warfare.
The Road Ahead: Building a Collective Resilience
There is also a growing imperative to bridge the gaps between public and private efforts. In this context, public-private cooperation becomes essential, not only in terms of intelligence sharing but also in defining norms, coordinating responses, and setting security baselines. Another challenge is data.
The industry lacks consistent, long-term actuarial data on cyber threats, making it difficult to model risk with precision. Unlike life or health, cyber risks mutate in real-time, and there’s still not enough historical data to clearly define or predict the next wave of risks.
India does not yet have a centralised cyber loss registry, like some of the developed countries that aggregate anonymised breach data for policy, research, and actuarial modeling.
So, securing this new, digital India calls for dynamic, forward-looking collaboration between insurers, enterprises and the state. Right from sharing intelligence to jointly shaping the frameworks that define risk, response and recovery is the way forward. In a world where digital conflict is now a constant, resilience must be systemic and built into the very fabric of our digital future.
(Disclaimer: The views expressed in this article are personal and do not necessarily reflect the views of Outlook Business. The article is authored by Sarbvir Singh, Joint Group CEO, PB Fintech.)
