Cyber insurance is no longer optional, it’s a strategic necessity: Neha Anand, VP & Head of Cyber, Prudent Insurance Brokers

In an era where digital transformation is reshaping the business landscape across sectors, cyber threats have emerged as one of the most pressing challenges for Indian enterprises. In this exclusive interview, Neha Anand, Vice President and Head of Cyber at Prudent Insurance Brokers, delves into the evolving role of cyber insurance in India. She highlights how it contributes to proactive risk management, the importance of tailored coverage for diverse industries, and the critical need for collaboration between brokers, insurtech firms, and regulators. With deep insights into the intersection of technology, regulation, and enterprise resilience, Anand provides a comprehensive view of how businesses can future-proof themselves in a rapidly digitising world.

How does cyber insurance contribute to proactive risk management strategies for businesses in India?

All companies, irrespective of the industry that they’re operating in, are highly dependent on technology for their business operations. And this is across, whether it is manufacturing or hospitality, aviation, you name it, and they are reliant on technology to run their businesses. So, with this paradigm shift, the efficiency has increased substantially the way businesses conduct their operations. But at the same time, the downside has been the increasing number of cybercriminal activities. So, while now companies are heavily invested in cybersecurity solutions, and there are many sophisticated tools available as well, yet unfortunately, none of them can qualify to be 100% secure.

If we were to talk to any source, whose prime responsibility is to protect the company against any such attacks, they can say that they are secure, but they can never say that they are impenetrable. And that is where cyber insurance plays a very significant role and by means of which companies can transfer this residual risk. We can never negate the importance of having a very robust cybersecurity in place, but the unfortunate part is companies can be attacked and if there is a risk transfer solution available by way of this insurance where any loss to the company or any liability coming on to the company because of a cyber incident can be taken care of. So, this is a risk transfer solution that qualifies from a risk management standpoint, whereas the security solutions would be identifying the risk, managing the risk, mitigating the risk. When it comes to transferring the risk, that is where the insurance comes into play.

In what ways can cyber insurance be customised to suit the diverse needs of India’s varied business landscape?

It is important to understand the different natures of business. For example, as far as the manufacturing segment is concerned, they have two major components: the IT component and the OT. In the event of a cyber incident that impacts the IT systems, many manufacturing companies, as a risk containment measure, proactively shut down their OT systems as well. This is done to prevent any potential malware or virus from spreading from the IT environment to the OT side. This practice falls under what is referred to in insurance terminology as a voluntary shutdown. Any business interruption resulting from such a voluntary shutdown would ideally need to be covered under a cyber insurance policy. However, this is not standard coverage and must be specifically included. As risk consultants, these are the nuances we must consider when designing insurance solutions. Such coverage may not be equally relevant across all sectors, but for manufacturing businesses—where IT and OT operate as distinct yet interdependent domains—it becomes particularly critical.

From a manufacturing standpoint, because there are two different classifications, as consultants, we need to think about the kind of coverage that will suit their requirement. Similarly, what would be important and will be adopted is that if because of a cyber event there is damage, say property damage or the hardware or the machinery gets damaged. As of now, these are coverages which are not very commonly available. Given the way these threats are developing, this is something that we also foresee. This is what will be required to be included under the coverage. Now, if we draw a comparison and talk about fintech companies and their data, because these are data intensive companies, cyber frauds, payment frauds, are more prone to their businesses. On the contrary, for manufacturing, we will not be too worried, let’s say on the data or the payment frauds, it is an exposure, but not to the extent when it comes to a fintech company. So, this is where we need to ensure that adequacy of cover is available.

India’s growing startup ecosystem further underscores the need for customised insurance solutions. Startups, which vary significantly in business models, growth stages, and digital presence, cannot be served through a one-size-fits-all approach. Some may operate primarily online, while others may be B2C ventures addressing diverse market problems. While there are core coverages that serve as a foundation, we must advocate that cyber insurance solutions should not follow a cookie-cutter model. Instead, they must be aligned with the organisation’s cybersecurity framework and operational realities.

The same applies to exclusions in a policy. Policies often include broad exclusions, but it is vital to assess which of these could be particularly detrimental to a given company and ensure that such exclusions are either removed or appropriately modified. To summarise, providing the right cyber insurance coverage requires a deep understanding of the business, its risk landscape, and its cybersecurity infrastructure. Tailoring policies to fit the unique needs of each business sector is essential for effective risk management.

What are the primary benefits of collaborations between insurtech companies, brokers, and regulators in enhancing the effectiveness of cyber insurance offerings?

All three stakeholders must work in close coordination, beginning with the management of risk exposure. This starts with conducting thorough risk assessments. Before proposing any solution to an enterprise, a comprehensive risk assessment must be undertaken. Currently, assessments often reflect a point-in-time view of a company’s cyber posture. However, cyber risks are highly dynamic. It is therefore essential that we move toward a continuous, ongoing understanding of risk exposure, rather than treating it as a one-time activity.

Secondly, attention must be given to the adequacy and relevance of coverage offerings. Most importantly, we need a robust mechanism to manage incidents after they occur. In this context, regulators have a critical role to play—not only insurance regulators, but also institutions such as CERT-IN. Their ongoing efforts to acknowledge cyber incidents and educate organisations on mitigation and prevention measures are commendable. It is imperative that all stakeholders collaborate proactively to confront this growing threat. We must move away from a fragmented approach and work toward establishing a comprehensive ecosystem that supports enterprises in managing cyber incidents. For instance, in the event of a ransomware attack, the response should be coordinated rather than leaving the enterprise to manage it in isolation. Regulators, risk consultants, and brokers must come together to design an integrated response framework. While individual efforts have been made, much of the work is still being done in silos. To effectively support enterprises, greater collaboration and shared responsibility are essential. Although progress has been made in providing solutions, there remains significant scope for enhanced collaboration to truly address the needs of businesses facing cyber threats.

How can regulatory frameworks in India be adapted to better support the growth and adoption of cyber insurance?

I believe once the DPDPA fully comes into effect, it will significantly alter how companies approach data protection. Many enterprises are already making efforts to manage their exposure, but despite their best intentions, they can still fall victim to breaches. We anticipate that the implementation of DPDPA will likely lead to an increase in the uptake of cyber insurance. This is because the Act clearly outlines that companies may face penalties in the event of a data breach originating from their environment. Since cyber insurance policies often include coverage for fines and penalties, this will become an increasingly important risk-transfer tool. In comparison, countries like Australia have already made cyber insurance mandatory for businesses under certain regulatory frameworks. Moreover, given the current geopolitical uncertainties, the risk posed by sophisticated threat actors—including nation-state actors—has become more pronounced. These actors may not always be financially motivated; sometimes their objective is to spread fear or disrupt systems. This further underscores the need for robust risk mitigation strategies.

From a regulatory standpoint, it is crucial that there is a comprehensive framework to ensure companies are adequately transferring cyber risk. This is essential not only to safeguard balance sheets but also to protect the interests of various stakeholders and shareholders. Cyberattacks can result in hefty financial losses—highlighting the financial impact such breaches can have. 

At present, regulators across different industry sectors are issuing cybersecurity guidelines. However, there is a pressing need to go beyond that by raising awareness about cyber insurance as a viable solution. Surprisingly, in many industry forums and conversations with CISOs, we find that there is still limited awareness of cyber insurance products. It is imperative that regulators take the initiative to promote awareness and guide companies on the availability and benefits of cyber insurance as part of their overall risk management strategy.

What role do emerging technologies play in shaping the future of cyber insurance in India?

When we look at how technology is transforming the risk assessment landscape, significant developments are underway. Previously, conducting a risk assessment involved lengthy questionnaires and manual inputs. Today, much of this process has moved online, leveraging a range of technologies to evaluate a company’s risk profile. This evolution goes beyond traditional risk dialogue and brings a more structured and data-driven approach to quantifying risk—something that has proven to be a game-changer. One of the key advancements is the concept of exposure risk quantification. A few years ago, if an organisation needed to determine appropriate insurance limits, the typical approach was to benchmark against peers—for example, a bank or a manufacturing company would ask, “What are others in my industry doing?” However, this method is fundamentally flawed, as no two organisations are identical in terms of their security frameworks, operational models, or risk exposures.

The critical question has always been: how can we accurately quantify risk exposure? Specifically, if a certain event were to occur, what would be the financial impact? Today, there are advanced tools and probabilistic models available that allow organisations to answer this question with greater precision. Scenario analyses can now be conducted to simulate potential events and estimate the resulting financial impact. This, in turn, helps enterprises determine the appropriate level of insurance coverage, making the process far more data-driven and objective. Post-incident technology also plays a crucial role in forensic analysis. When an incident occurs, the immediate focus is on containment. However, conducting a thorough root cause analysis is equally important, as it not only aids in preventing future incidents but also helps minimise the financial outflow under insurance coverage. This aspect of post-event analysis has become an essential part of the overall risk management strategy.

How can businesses in India navigate the complexities of cyber insurance coverage amidst evolving digital threats and regulatory changes?

It is an ongoing process. Unlike traditional insurance products, cyber insurance is not static—it is evolving with technological advancements, adoption patterns, emerging threats, and regulatory changes. Consequently, coverage frameworks must adapt continuously. For instance, the enactment of the DPDPA marks a significant shift. Previously, the absence of a dedicated privacy law in India led to a relatively relaxed approach by companies toward data breaches. With the introduction of DPDPA, there is now a legal obligation to treat data liability with seriousness and accountability.

The adoption of artificial intelligence is another factor that is reshaping the cyber risk landscape. As exposures become more complex, the adequacy of policy coverage and the evolution of policy wordings to reflect these changes have become critical responsibilities for brokers like us. This is where our role becomes increasingly vital. We must proactively educate organisations about these evolving risks and ensure their insurance coverage aligns with the changing environment. As members of the insurance community, it is our duty to demystify these complexities. I don’t consider cyber insurance inherently complex; rather, it demands constant vigilance and a commitment to clarity. Personally, I advocate for simplicity and transparency in all client interactions. It is our responsibility to make cyber insurance accessible and understandable for our clients, guiding them effectively through this dynamic landscape.
