Why are enterprises looking at cyber insurance for risk strategy management?

As cyber threats grow in scale and sophistication, enterprises are beginning to accept a hard truth that no security framework is completely foolproof. While investments in cybersecurity continue to rise, organisations are increasingly looking at cyber insurance not as a backup but as an integral part of their overall risk strategy.

In an interaction with Express Computer, Anand Agarwal, Chief Technology Officer, Probus, shares how cyber insurance is evolving in India, the gaps enterprises still overlook, and why it is fast becoming a necessity in a digital-first economy.

Cyber insurance from an add-on to strategic necessity
The perception of cyber insurance in India has undergone a clear shift over the past few years. What was once seen as an optional safeguard is now being viewed through the lens of business continuity.

Agarwal points out that this shift is driven by lived experiences rather than theoretical risks. “Earlier, cyber insurance was seen as something optional, almost like an add-on. Now, after seeing frequent ransomware attacks and data leaks, many realise that even strong IT systems are not foolproof.”

The reality of operational disruption has brought urgency to the conversation. “One breach can disrupt operations for days. Cyber insurance fills that gap, not instead of security but as a backup plan if something goes awry.”

Interestingly, insurers themselves are influencing better security practices. “Insurers are progressively encouraging clients to enhance their own environments prior to granting them coverage, so in a manner of speaking, the landscape of Indian corporate consideration of overall risk has been altered due to the impact of cyber insurance,” he explains.

Smarter underwriting, sharper scrutiny
As threats evolve, so do cyber insurance products. The shift is particularly visible in how policies are designed and underwritten. A few years ago, cyber insurance policies in India were fairly standard and broad. Today, that’s no longer the case.

Enterprises are now being evaluated far more rigorously. “Insurers are asking sharper questions, such as ‘Do you have multi-factor authentication?’ ‘How often are backups taken?’ ‘How secure are your endpoints?’.”

This has direct implications for both pricing and coverage. At the same time, policies are becoming more practical and aligned with real-world scenarios. “They now include aspects like ransomware support, fraud coverage, and even help during a crisis,” says Agarwal.

This shift towards contextual and customised coverage reflects a broader maturity in the market. Overall, cyber insurance is becoming more customised, reflecting the reality that no two companies face the same risks.

The complexity of assessing cyber risk
Quantifying cyber risk remains one of the most challenging aspects for organisations, especially in a diverse and evolving IT landscape like India’s. “In India, it’s not easy to assess cyber risk. Many of us are running a mix of old and new systems; there are big gaps, and then there’s the human factor,” points out Agarwal.

Human behaviour continues to be one of the weakest links. “People clicking on phishing emails is still one of the biggest risks,” he adds.

Beyond internal vulnerabilities, external dependencies add further complexity. “Most organisations handle lots of sensitive data, especially in the banking and healthcare sectors. Add in the increasing reliance on vendors and third-party platforms and it gets worse.”

Agarwal emphasises that cyber risk is no longer just a technology issue. “It’s not just technology; it’s people, and it’s processes, and it’s the whole ecosystem.”

 Bridging awareness gaps in cyber insurance
Despite growing adoption, there are still significant misconceptions about what cyber insurance actually covers.

“One of the most common misunderstandings is that cyber insurance will cover everything after an attack. Not so.”

Policy conditions and compliance requirements play a crucial role in claim outcomes. There are conditions in policies, and if basic protections are absent, claims can be tricky.

There is also confusion around the scope of coverage.

“There’s misunderstanding about what even is covered by cyber insurance—how much fraud, how much reputational loss,” he reminds. 

Smaller businesses, in particular, often underestimate their exposure.

Agarwal suggests a more balanced and informed approach. “Better to be practical and treat cyber insurance as part of your protection and spend equal time familiarising yourself with that policy as well as fortifying the insides of your company.”

The road from niche to mainstream
India’s rapid digitisation is expected to further accelerate the relevance of cyber insurance across sectors. With fast digitisation, online payments, and data-driven businesses, cyber risk is only going to grow.

This growth is already expanding the market beyond large enterprises. “Right now, it’s mostly large companies that are buying these covers, but that is slowly changing. Mid-sized firms are also beginning to take notice.”

At the same time, the nature of threats is evolving. AI-led frauds and deepfakes are already emerging risks. This will require continuous innovation from insurers.

Looking ahead, Agarwal believes cyber insurance will become a standard business requirement. “Over the next few years, cyber insurance could move from being a niche product to something much more mainstream in India’s business landscape.”

 Conclusion
As enterprises navigate an increasingly volatile threat landscape, the conversation is about integrating both into a cohesive risk strategy and not about choosing between security and insurance.

Cyber insurance is emerging not as a substitute for cybersecurity but as its natural complement, ensuring that when defences fail, businesses can recover faster, with greater resilience and confidence.