How to Choose the Right Cyber Insurance Policy for Your Business in India?
Author : Alex Maxwell | Published On : 01 May 2026
Cyber insurance is a policy that protects a business from the financial consequences of cyberattacks, data breaches, and digital fraud. It covers direct losses your business suffers as well as legal liabilities to customers, partners, and regulators when their data is compromised.
According to a Carnegie India report, India's cyberspace is now the second-most-targeted in the world, facing ransomware, phishing, supply chain attacks, and AI-powered threats. Between 2019 and 2023, cyberattacks on Indian organisations increased by 138%. And in the first nine months of 2024 alone, cyber fraud losses across India totalled ₹11,333 crore, according to the Indian Cyber Crime Coordination Centre (I4C).
The financial exposure from a data breach or hack is significant at a business level. According to IBM's annual Cost of a Data Breach Report, the average cost of a data breach in India reached an all-time high of ₹19.5 crore in 2024.
For small and medium businesses, even a fraction of that cost, estimated at ₹35–50 lakh per incident, including operational losses, regulatory fines, and reputational damage, can be catastrophic without a financial backstop in place.
Did You Know? Bajaj General Insurance was the first Indian insurer to launch a cyber insurance product, establishing a benchmark for cyber risk coverage in the Indian market.
What Are the Two Core Types of Cyber Insurance Coverage?
Before comparing policies, it is essential to understand what the two structural categories of cyber insurance cover:
First-Party Coverage protects your business directly for losses it suffers:
- Forensic investigation costs to determine how a breach occurred
- Data restoration and system recovery expenses
- Business interruption losses due to downtime
- Ransomware payments and negotiation costs (where legally permissible under Indian law)
- Customer notification and credit monitoring costs
- Crisis management and public relations expenses
Third-Party Coverage protects your business from claims made by others:
- Legal defence costs if customers or partners sue following a data breach
- Regulatory penalties and fines (where legally permissible)
- Privacy liability for exposing personally identifiable information
- Media liability for content published online that causes harm
A comprehensive cyber insurance policy for a business in India should include both. First-party-only policies leave your business exposed to the legal costs that often dwarf the technical recovery expenses.
How Do You Assess Your Business's Cyber Risk Before Buying?
Choosing the right cyber insurance policy begins with understanding what you are actually protecting. Assess the following before approaching any insurer:
1. What data do you store?
Businesses storing only internal operational data face lower exposure. Companies that keep users' personal information, such as Aadhaar numbers, PAN details, medical records, credit card information, or banking credentials, can carry significantly higher risk and will pay proportionately higher premiums.
2. What is your sector?
Like any other type of insurance, cyber insurance takes the associated risk into account. Healthcare, financial services, e-commerce, IT, and telecom are the most frequently targeted sectors in India, so the risk is higher for businesses in them. Each of these industries faces specific regulatory obligations alongside cyber risk. If you operate in any of these sectors, your policy must address both operational loss and regulatory liability.
3. How many employees and customers does your business have?
India has approximately 63 million MSMEs, most of which are digitising rapidly. The scale of your data processing determines the scale of your breach exposure. A business with 500 customers and a business with 500,000 customers face fundamentally different third-party liability risks.
4. Do you rely on third-party vendors or cloud platforms?
If you rely on third-party vendors or online platforms such as cloud services, you are also exposed to supply chain attacks. If a vendor's systems are compromised and your customer data is exposed as a result, your business may still be liable. Verify whether your cyber insurance policy extends to third-party vendor incidents.
What Should a Cyber Insurance Policy Cover for Indian Businesses?
Use the following as a minimum coverage checklist when evaluating any cyber insurance policy:
- Data breach response costs: Investigation, legal counsel, customer notification
- Business interruption: Revenue lost during operational downtime following an attack
- Ransomware and cyber extortion: Costs to resolve the threat, including ransom (where legal)
- Data restoration: Costs to recover or reconstruct compromised systems and data
- Third-party legal liability: Defence and settlement costs if clients sue
- Regulatory fines and penalties: Where permissible under Indian law
- Social engineering fraud: Losses caused when employees are deceived into transferring funds
- Reputational damage management: Public relations and communication costs post-breach
Bajaj General Insurance's cyber insurance policy covers phishing, identity theft, email spoofing, cyberstalking, malware attacks, social media fraud, cyber extortion, and data breaches, as well as legal and defence costs, reimbursement of financial losses, and counselling services for psychological distress resulting from cyberstalking.
What Are the Most Common Exclusions in Cyber Insurance Policies?
Exclusions are the most overlooked part of any cyber insurance policy and the most likely reason a claim is denied. Review these carefully before signing:
- Pre-existing incidents: Any breach that began before the policy start date is not covered
- Failure to maintain security controls: If your business does not maintain updated antivirus software, firewalls, or a written data protection policy, the insurer may deny the claim
- Employee fraud or insider threats: Deliberate acts by your own employees may fall outside standard coverage unless explicitly included
- Intellectual property theft: Loss of patents, trademarks, or copyrights is typically excluded
- Physical damage: Damage to tangible property resulting from a cyber event is generally not covered
- Late notice of an incident: Delayed reporting may result in a claim being rejected. Bajaj General Insurance requires written notice within 7 days of the discovery of an incident
- Uninsured activity: If the company has not deleted access credentials for former employees, and a breach occurs through those credentials, the claim may not be approved
Step-by-Step: How to Choose the Right Cyber Insurance Policy
- Identify what data you store, how many customers are affected if it is breached, and which operational systems depend on live digital infrastructure, so that you understand your risk exposure.
- Decide between individual and business-grade coverage. Individual plans cover personal digital risks; business cyber insurance policies cover operational, legal, and third-party liabilities at a commercial scale.
- Verify first-party and third-party coverage: confirm the policy covers both your direct losses and your liability to customers and regulators.
- Read the exclusions in full.
- Check sub-limits: ensure the individual coverage caps for legal costs, data recovery, and notification expenses are adequate for your business size.
- Confirm the claims process: understand how incidents must be reported, within what timeframe, and what documentation is required.
- Review annually: cyber risks and business operations change. Review your coverage at each renewal to ensure your sum insured and coverage scope still match your risk profile.
The Bottom Line
For companies, cyber insurance is not a substitute for cybersecurity; it is an additional investment that provides a financial backstop when they face a cybersecurity incident. Security controls will fail at some point: given current threat volumes in India, it is a matter of when rather than if. Choosing the right cyber insurance policy therefore means matching it to your actual risk exposure, including the relevant first-party and third-party liabilities, reading the policy exclusions carefully, and setting a sum insured that reflects realistic breach costs.
