Cyber insurance

Cyber insurance in India: From breach recovery to business resilience

India faced over 2.04 million cyber security incidents in 2024. It is time for businesses to treat cyber insurance as a strategic tool, not just a safety net.


In brief

  • Today, it is a growing priority across industries. India's rapid digital transformation, cloud migration and fintech expansion have made cybersecurity a board-level issue.
  • The Digital Personal Data Protection Act, 2023. An act to provide for the processing of digital personal data in a manner that recognises both the right of individuals to protect their personal data and the need to process such personal data for lawful purposes and for matters connected therewith or incidental thereto.
  • Yet, coverage gaps persist. Many policies still focus narrowly on data breaches, even as threat vectors expand. Forward-looking businesses are re-evaluating their insurance needs in light of evolving risk exposure and compliance expectations.

As cyber threats become more frequent, sophisticated and costly, insurers are rethinking how they underwrite, price and structure cyber coverage. India, in particular, has emerged as both a high-risk market and a hub for cyber innovation. According to a recent report by CERT-In, 2.04 million cybersecurity incidents were reported in India, underlining the scale of the risk. With regulatory changes, AI-enabled attacks and a growing dependence on third-party ecosystems, the traditional playbook for cyber insurance is fast becoming obsolete. In this evolving environment, understanding emerging risks is the first step toward building more resilient risk models and informed coverage strategies.

Insurers are recalibrating their risk models as the attack surface widens. Here are six key threats reshaping the landscape.

| Emerging risk | What it is | Why it matters |
| --- | --- | --- |
| Ransomware attacks | Data is encrypted and held hostage for payment — often via crypto | India ranked second in ransomware volume globally. Average downtime: 21 days |
| Supply chain vulnerabilities | Attacks on software vendors or service providers that impact multiple clients | 61% of breaches in 2023 were linked to third-party vendors. Policies must cover cascading impacts |
| Insider threats | Negligence or sabotage from within the organization | Insider-caused incidents cost significantly more when not detected early |
| IoT vulnerabilities | Connected devices without robust security protocols | India will have two billion IoT devices by 2025 — a massive unmanaged risk surface |
| Regulatory changes | Compliance obligations under laws like India’s Digital Personal Data Protection Act, 2023 | Non-compliance can lead to penalties of up to INR250 crore. Policies must keep pace with new laws |
| AI-related risks | Misuse of AI tools for phishing, deepfakes, or automated attacks; model vulnerabilities | AI-driven threats are evolving rapidly. Insurers must assess risks from generative AI and model misuse |


The role of technology in cyber insurance

Technology is transforming how cyber insurance is priced, managed and delivered. Some of the use cases include:


AI and machine learning in risk assessment

Insurers now use AI to analyze telemetry from clients' IT environments — including endpoint security, patching cadence, and user behavior. This allows for dynamic risk profiling and tailored coverage. Companies with stronger controls may receive lower premiums.


Automation in claims processing

Digital-first insurers are deploying automated claim systems that shorten the payout cycle. For example, some US-based cyber insurers now resolve low-severity claims in a shorter timeframe - a model increasingly expected by global clients.


Cybersecurity scoring systems

Emerging cybersecurity tools are being integrated into underwriting. Indian businesses seeking better premiums may benefit from improving their cyber hygiene scores — much like maintaining a strong credit rating.

The future landscape of cyber insurance

Several key trends are shaping what cyber insurance will look like in the next few years:

  • Rising premiums and tighter underwriting: Due to growing losses, cyber insurance premiums rose by 50% in 2023. Insurers are now more selective, often requiring proof of cybersecurity maturity before issuing policies.

  • Policy customization: Standardised policies are fading. Industry-specific risks — like IP theft in pharma, or system outages in manufacturing — are leading to more tailored policy frameworks.

  • More active collaboration: Regulators, insurers and CISOs are sharing threat intelligence and response models. Platforms like India’s National Cyber Coordination Centre (NCCC) are facilitating real-time data exchange — which may soon influence underwriting.

  • Global regulatory pressure: With India’s DPDP Act in effect and frameworks like ISO 27001 being widely adopted, compliance will become a prerequisite to obtain or renew policies in the coming years.

  • AI-related exclusions and policy clauses: With the rise of generative AI and autonomous systems, insurers are introducing specific clauses to address AI-related risks — such as liability for AI-generated content, deepfake attacks or model misuse. Expect future policies to include AI-specific exclusions or require compliance with standards like ISO/IEC 42001.

To stay ahead of cyber risk — and shifting insurance market dynamics — businesses must move from reactive to strategic. This means conducting annual cyber risk assessments aligned with business impact, mapping and monitoring third-party digital dependencies, and aligning cybersecurity investments with both regulatory frameworks and insurer expectations. Most importantly, cyber insurance should be treated not as a fallback but as a strategic lever in enterprise risk management.

Summary

Cyber insurance is no longer just about recovering from a data breach - it is about enabling operational continuity in an increasingly hostile digital landscape. As ransomware, supply chain attacks, insider threats and artificial intelligence-driven cyber-attacks become more damaging and expensive, insurers are pushing for stronger cybersecurity controls, artificial intelligence-driven assessments and tailored policy designs. Indian businesses, especially mid-market and enterprise-level organizations, have an opportunity to treat cyber insurance not merely as a financial backstop but as a strategic tool for long-term resilience and trust.

GenAI was used to develop an iteration of this article. In accordance with EY editorial guidelines, the end product was reviewed and edited by EY professionals before publication.

