Cyber insurance premium in India surged 65% in FY26 to reach Rs 2,840 crore. Three factors drove the increase: high-profile ransomware attacks that caused significant business disruptions for Indian companies, increasing awareness of the financial liabilities arising from data breaches under the Digital Personal Data Protection Act 2023, and the growing sophistication of cyber attackers, who are increasingly targeting mid-market Indian companies that have improved their digital infrastructure but lag in cybersecurity investment. Key incidents during FY26, including a ransomware attack that paralysed a major NBFC's operations for 12 days and caused Rs 450 crore of estimated losses, and a data breach at an e-commerce company exposing 8 crore customer records, served as powerful real-world demonstrations of the financial cost of inadequate cyber protection.
The DPDP Act's penalty regime has been the regulatory catalyst most directly driving cyber insurance demand among large and mid-size enterprises. The Act provides for penalties of up to Rs 250 crore for significant data breaches involving sensitive personal data, with additional penalties for failure to notify affected individuals, report breaches to the Data Protection Board, or maintain adequate security safeguards. For companies with customer bases of millions — banks, e-commerce players, healthcare providers, telecom operators — the potential regulatory penalty liability alone justifies purchasing cyber insurance, quite apart from the direct financial losses from operational disruption, incident response costs and reputational damage that are also covered. IRDAI's recent guidelines defining standard cyber insurance policy terms have reduced coverage ambiguity, making products easier to understand and buy.
The cyber insurance underwriting process has evolved significantly as insurers have built dedicated cyber risk assessment capabilities. Where simple online questionnaires once sufficed for policy issuance, leading cyber insurers now require a technical security assessment — either a questionnaire-based security scan or an active penetration test by an approved security firm — before providing coverage above Rs 10 crore sum insured. The assessment evaluates factors including patch management practices, multi-factor authentication deployment, endpoint detection and response coverage, backup frequency and offline backup retention, employee security awareness training completion rates and identity and access management maturity. Companies with strong security practices receive lower premiums and broader coverage, while those with significant security gaps may be required to remediate specific issues before coverage is offered or may face exclusions for known vulnerabilities.
The claims experience in Indian cyber insurance is beginning to provide insurers with domestic data to improve pricing and product design. The most frequent claims in FY26 were ransomware-related business interruption (accounting for 48% of total cyber claims by value), social engineering fraud and business email compromise (28%), and third-party data breach liability (16%). Ransomware claims have particularly tested the policies' incident response provisions, with insurers paying for forensic investigators, legal counsel, crisis communications agencies and business interruption losses over multi-week recovery periods. The involvement of international reinsurers who bring global cyber claims expertise has been crucial in handling the more complex claims, as India-based teams are still building the deep cyber forensics and claims management experience that is abundant in Lloyd's London Market and among US and European specialist cyber insurers.
The long-term trajectory of the Indian cyber insurance market is one of sustained strong growth, with the market projected to reach Rs 15,000-20,000 crore in premium by 2030 as awareness increases, regulatory requirements tighten and cyber risk continues to grow with India's expanding digital footprint. The primary constraint on faster growth is the limited actuarial data on Indian cyber losses — the market is too young for statistically reliable loss triangles that underpin confident pricing — and the concern about silent cyber exposure in traditional property and liability policies where cyber-triggered losses may be covered inadvertently. IRDAI's industry working group on cyber insurance is addressing both issues through a mandatory loss data collection programme for cyber claims and a policy wording standardisation initiative that will reduce silent cyber ambiguity in non-cyber policies — both of which will improve the sustainability and reliability of the Indian cyber insurance market over the medium term.