In July 2024, a significant stockbroking firm in Mumbai, Angel One, experienced a data breach, which resulted in the personal information of 7.9 million customers being leaked. Compromised data included names, addresses, phone numbers, and bank information. The hacker claimed access to customers’ stock holdings and profit and loss statements, indicating a severe breach of sensitive financial data. This event would serve as a telling example of the growing cyber threats that Indian enterprises are encountering. It consequently underlines how a strong cybersecurity posture and comprehensive cyber insurance are the need of the hour to deal with potential financial and reputational losses that might be caused by any such breach.
Companies are increasingly utilizing cyber insurance as a management tool to mitigate these risks. However, what are the insurance cost factors for a cyber insurance policy? Cyber insurance premiums in India depend on a wide range of factors, including industry, company size, cybersecurity capability, history of claims or lack of claims, and compliance with regulations. Identifying these factors can aid Indian enterprises in gearing up for the upcoming shocks and reducing their insurance premiums.
Understanding Cyber Insurance
Cyber insurance is an emerging yet rapidly developing sector in India that protects companies against financial losses arising from cyber incidents. With the rise of the digital economy in India following the outbreak of COVID-19, cyberattacks against Indian industries have increased dramatically. Cyber insurance policies in India typically cover:
- Data Breach Costs: These include, for example, the costs of customer notification, litigation management, and data recovery.
- Ransomware Payments and Negotiation Costs: Cyber insurance can be used to reimburse ransom payments, although this is complicated by regulatory questions.
- Business Interruption: In case of a cyber incident that stops business operations, policies may include compensation for the financial loss caused by the downtime.
- Reputational Damage Control: Crisis management and public relations support are often provided, and companies may draw on them to restore trust in the aftermath of an incident.
Indian companies, from small and medium enterprises (SMEs) to large enterprises, are responding to the demand for cyber insurance. However, it is also necessary to learn how premiums are set so that companies can make informed decisions and avoid paying exorbitant insurance premiums.
Key Factors Driving Cyber Insurance Premiums
1. Industry Type: High-Risk Sectors Pay Higher Premiums
Certain industries attract a higher premium due to the risk and sensitivity of the data involved. Cybercriminals are focusing on India’s financial, healthcare, retail, and manufacturing sectors as their main prey. According to a 2023 CERT-In (Indian Computer Emergency Response Team) report, over 12,000 cyber security incidents originated from the financial sector, a rise of 30% from the previous year.
- Finance: Indian banks and financial institutions are frequently targeted due to the nature of their customers and the amount of money involved. In this sector, the breach cost is exceptionally high because compensation for customers' losses and a possible regulatory fine could both apply.
- Healthcare: There has also been a surge in cyber attacks in the Indian healthcare sector, in part thanks to the widespread digitization of patient data. In 2023, the Indian Ministry of Health announced a significant incident involving a ransomware attack on a large hospital network affecting more than 500,000 patient records.
- Retail and E-Commerce: As e-commerce shopping in India becomes increasingly dominant, e-retailers face cybercrime, which is ubiquitous during peak e-commerce sales periods. A data breach at a major shop in 2024 exposed more than 200,000 credit card records, leading to financial and legal issues for the shop operator.
Because of these industry-related factors, certain sectors can be more costly to insure. Insurers estimate premiums from the likelihood and potential severity of events in each sector, and assign different premiums to different sectors.
2. Company Size and Revenue: Big or Small, Cyber Risk Affects All
In cyber insurance, companies with a deep digital legacy are often considered high-risk clients due to their large volume of data and more closed-loop architecture. Nevertheless, small and medium-sized enterprises (SMEs) are not immune to severe risks, especially as they usually lack the advanced cybersecurity technology used by big organizations.
- Larger Enterprises: Cyber insurance policies for large Indian enterprises with annual revenues greater than ₹500 crore may cost ₹20 lakh to ₹50 lakh per year. Companies of this type tend to carry higher premiums as they represent a larger scale of potential exposure.
- SMEs: Smaller companies with fewer resources should expect a lower premium; however, they are more vulnerable to cyberattacks. In 2024, SMEs in India were increasingly compromised due to weaker defenses, and annual premiums ranging from ₹1 lakh to ₹5 lakh were imposed, depending on their business type.
Both business scale and business turnover strongly influence premiums. Large firms face higher attack costs, while small firms may lack good defensive capability, which makes them easy targets.
3. Cybersecurity Posture: The Impact of Proactive Measures
The company’s cyber security control level has a major impact on determining the cyber insurance premium. Insurers examine an organization’s security posture and security controls, such as the strength of firewalls, employee training, two-factor authentication, and the ability to respond to a security incident. Companies with robust cybersecurity postures are considered to have lower risk and, therefore, lower premiums.
- Firewalls and Intrusion Detection Systems: Indian insurers increasingly treat these controls as a prerequisite in the underwriting process. A 2024 survey by NASSCOM found that companies with proactive cybersecurity measures were 30% less likely to experience a successful breach.
- Employee Training: Cyber insurers repeatedly recognize human error as a critical flaw in cyber security. Companies with continuing education programs have lower premium costs because they have demonstrated lower risk.
- Incident Response Plans: The ability to react to an attack is just as important a determinant in premium calculation. Companies that have run incident response tests can better contain developing threats, ultimately reducing the overall consequences.
Companies that invest in cybersecurity not only protect themselves against breaches but can also reduce their insurance premiums, a win-win for both insurer and insured.
4. Claims History and Incident Frequency
A firm’s track record of claims and the volume of cyber incidents are direct predictors of the insurance premium charged by the insurer. Insurers treat companies with a large number of claims as high-risk clients and can, therefore, increase premiums.
- Repeated Breaches: Companies with a history of more than one cyber incident tend to pay higher premiums. According to a 2024 Deloitte India report, companies with more than one claim in the last two years experienced a 25% increase in their insurance premiums.
- Severity of Past Incidents: The financial impact of previous breaches also matters. For example, a company that suffered a ransomware exfiltration incident that required a ransom payment should expect to pay even higher premiums, as insurers weigh the risk of the same event recurring.
5. Regulatory Compliance
In India, the government has bolstered data protection laws, including the enactment of the Digital Personal Data Protection (DPDP) Act 2023. Companies complying with such regulations enjoy lower premium rates, as compliance demonstrates a capacity to protect valuable confidential data.
- DPDP Act Requirements: Under this regulation, corporations are required to put data security measures in place and report data breaches. Non-compliant companies risk penalties, which further increases their premiums.
- Sector-Specific Compliance: In industries with increased regulatory scrutiny, e.g., finance and health care, non-compliance can result in significant premium increases. Indian insurers are increasingly offering premium discounts to companies that go beyond the minimum regulatory requirements.
How Cyber Insurance Pricing Works in India
Cyber insurance pricing in India is a combination of actuarial calculation, real-time risk assessment, and tailored aspects of the coverage. In contrast to conventional insurance products that rely on complete historical data, cyber insurance comes with its own challenges because it is in a dynamic environment. Here’s how insurers calculate these premiums:
Risk Assessment Models
In the Indian insurance market, risk assessment typically uses quantitative methods based on historical data, sector benchmarks, and simulation of event occurrence. Because of the limited availability of Indian cyber incident data, some insurance companies use global data patterns and adjust them to the local market.
Actuarial methods and predictive modeling are also applied to determine financial risk, allowing insurers to know what level of risk they are comfortable assuming without exposing themselves to undue loss. Indian insurers are increasingly entering into partnerships with cybersecurity companies to gain a deeper understanding of novel attack surfaces.
Data Points Considered in Pricing
Premiums are determined by several factors, such as average breach cost, time to restore, industry-specific risks, and the breadth and depth of a company’s security infrastructure. Based on 2024 data, Indian organizations operating in the fields of finance and healthcare may face an average breach cost of between 150 thousand rupees and more than 2 million rupees per incident.
To properly adjust for emerging threats, insurers are increasingly incorporating threat intelligence on current threats. For instance, if attacks on a particular industry sharply increase at a given time, premiums are adjusted in response to the increase in risk.
Premium Calculation Process
After evaluating the risk factors, an insurer creates a base premium estimate, which is subsequently adjusted according to company needs. For example, corporations with global operations or subsidiaries may opt for extended global coverage, leading to cost increases.
Flexibility is one of the main aspects of the Indian cyber insurance pricing model. Insurers offer add-on cover, such as ransomware-specific, regulatory penalty, and crisis management cover, so that enterprises can buy packages that cover the events they need to defend against.
Customizable Coverage Options
Indian insurers today offer affordable, bespoke policies, and businesses can configure coverage according to their risk appetite and budget. For example, a large technology company may be concerned with third-party liability coverage, whereas a small retailer should be concerned with customer data protection coverage.
This adaptability is critical to avoid burdening SMEs with unnecessary costs while ensuring suitable protection against serious threats.
Case Studies of Cyber Incidents in India (Real-Life Examples)
To illustrate how cyber insurance operates in practice and what it costs, the following are two typical cases reported from the Indian market:
Challenges in Cyber Insurance Pricing in India
Although cyber insurance is a rapidly expanding industry, accurately pricing it is still a challenge in India for the following reasons:
1. Data Limitations
Since cyber insurance is a new product in India, insurers have limited historical data on breaches and financial losses from which to create predictive models. The lack of a standard cyber incident database complicates the risk assessment process.
2. Systemic Risks in Interconnected Networks
Indian companies are increasingly networked throughout the supply chain and with third-party providers. This connectivity suggests that a failure in one link could lead to a series of failures (cascade effects) with systemic risks that are difficult to foresee and insure against.
3. Underinsurance and Awareness Issues
There is a lot of underinsurance across the market, and many businesses, not least small and medium enterprises (SMEs), have yet to learn the extent of the cyber risks they face. Insurers have been running awareness drives to inform the market; however, adoption of cyber insurance continues to be slow compared to mature markets.
Future of Cyber Insurance in India
The cyber insurance market in India is on the verge of explosive growth due to digitalization and the increasing incidence of cyber-attacks. Here are a few key trends:
1. Increased Adoption and Market Growth
- According to industry experts, the Indian cyber insurance market will grow at over 20% per annum until 2025 as more companies understand the necessity of global cyber security provision.
- Rising regulatory requirements and digitization across all industry segments will surely drive the market for cyber insurance, with businesses trying to comply with the requirements under the DPDP Act.
2. Enhanced Customization for Indian SMEs
Indian Small and Medium Enterprises (SMEs) are essential to the Indian economy. Hence, insurance companies are actively committed to providing customized, affordable policies at the small-enterprise level. This shift is expected to increase accessibility for companies that might not have considered cyber insurance previously.
3. New Cyber Insurance Products
Insurers are starting to design products that increasingly cover emerging threats, such as social engineering fraud or reputational damage from the spread of false news, and to adjust policies in response to the changing risk landscape. It is predicted that these policies will be of most interest to sectors with a web presence, namely e-commerce and media.
4. Regulatory Developments Impacting Premiums
Insurers will also take compliance with the DPDP Act and other statutes into account and price policies accordingly. Companies that comply with regulations may be able to realize reductions in premiums.
Conclusion: Securing Your Business with Mitigata
Considering the dynamic behavior of cyberattacks, Indian enterprises should not be passive about digital security. Cyber insurance provides financial protection, allowing companies to deal with the events, costs, and reputational implications of data breaches, ransomware attacks, and system outages. Nonetheless, it is complex to understand, and getting the maximum out of coverage can be challenging, even in a dynamic Indian context.
With Mitigata, experts in the field can evaluate and recommend the enterprise’s cyber risk and decide upon the best possible insurance to protect it from cybercrime. End-to-end services from Mitigata are available to companies who want to protect their enterprise at an affordable price by using the latest cyber risk assessment tools and working with leading insurance companies. Our solutions are tailored to the unique needs of Indian businesses, whether you’re a growing SME or a large enterprise.
For an overview of the available cyber insurance options and professional advice on coverage selection, see Mitigata. Don’t let cybercrime catch you; partner with Mitigata to stay a step ahead of the game and protect your company from the latest digital risks that are always on the horizon.