India’s cyber risk paradox: High attack rates, low insurance preparedness

Cyber risk is often considered under the realm of the IT department, not a board-level balance sheet concern. 

Cyber risk is rising; insurance adoption is not.

The conversation often starts with the usual covers. A business owner walks in to discuss fire, health, or group medical renewal. The balance sheet of the company is reviewed, assets are listed and premium comparisons are negotiated.

Then comes a simple question: “What about cyber risk?”

In most cases, the response is the same, a polite smile, followed by reassurance: “Our vendor handles security.” The conversation quickly moves back to tangible covers such as property, employee benefits, or the liability cover.

And yet, many of these very businesses operate fully digitised payment systems, store customer data on cloud platforms, and rely on uninterrupted online operations to generate revenue.

This gap between digital dependence and insurance preparedness defines India’s cyber risk paradox.

According to industry statistics, approximately 60% of Indian enterprises have experienced one or more instances of cyber crimes, including phishing and ransomware schemes to payment fraud and data breaches.

However, there is still a significant gap between the level at which these companies experience cyber incidents versus their current use of cyber insurance, especially amongst smaller and mid-sized businesses (SMEs), which constitute a large portion of India’s economy.

India’s digital economy is expanding at an extraordinary speed. Unified Payments Interface (UPI) volumes are at record highs. SMEs are onboarding to e-commerce platforms. Hospitals are digitising patient records. Manufacturing firms are integrating cloud-based supply chain systems.

But whilst digital adoption has accelerated, financial risk transfer mechanisms have not evolved at the same pace. Cyber risk in India is often considered under the realm of the IT department, not a board-level balance sheet concern.

The invisible risk that feels distant
For many Indian promoters, cyber risk still feels abstract, until it becomes painfully real. Traditional business risks are tangible. A factory fire, a motor accident, or a health emergency can be visualised.

Cyber risk, by contrast, operates silently. There is no visible smoke, no broken machinery. The damage often unfolds in the background, data exfiltration, fraudulent transfers, and reputational erosion.

In conversations with business owners across the spectrum, a common sentiment emerges, and the usual answer is: “We are too small to be targeted.”

Ironically, attackers increasingly prefer smaller firms. They often have weaker cyber hygiene, but still process significant monetary transactions and client data. In many ransomware cases globally, SMEs account for a large share of victims.

Yet insurance adoption remains limited. One reason is perception. Cyber insurance is often seen as a product meant for large IT companies or multinational corporations, not for regional exporters, logistics firms, hospitals, or educational institutions.

When prevention is not enough
Indian businesses have gradually strengthened their IT controls. Firewalls, endpoint detection, and employee training are more common today than five years ago. But cybersecurity is not a guarantee of immunity.

Even globally sophisticated organisations have suffered breaches. The lesson is clear that prevention reduces probability, but it does not eliminate risk.

Cyber insurance is a financial safety net that can help you secure your data. The insurance policy will restore your data, loss of income due to business interruption, legal costs to defend yourself, and in certain instances, provide funds for ransom payments.

For a mid-range company, where you have very thin margins, a single week of downed systems can take a serious toll on cash flow. Insurance can help cushion the blow.

Unfortunately, many Indian firms evaluate cyber insurance only after an incident, when underwriting becomes more stringent and premiums rise.

The awareness and design gap
There is also a product understanding gap.

Many promoters assume cyber policies are complex, expensive, and filled with exclusions. But insurers in India have evolved offerings that are modular and scalable. Policies can be customised based on turnover, data sensitivity, and exposure.

Another challenge is distribution. Unlike fire or motor insurance, cyber risk does not always sit clearly within a traditional insurance buying decision. It requires a conversation between IT heads, finance teams, and risk managers. In smaller firms, that cross-functional dialogue often does not happen.

A shift in mindset
In many cases, businesses do recover from cyber incidents. Systems are restored. External forensic experts step in. Financial losses are partially mitigated. Operations resume.

But what changes most profoundly after such an event is not the firewall, it is the boardroom conversation.

Cyber preparedness moves from being an IT checklist item to a recurring agenda point. Risk committees begin asking sharper questions. Insurance is evaluated not as an optional add-on, but as part of a wider resilience support.

That shift in mindset is what India now requires at scale.

Cyber risk is no longer only a back-end technological issue, it is a balance-sheet exposure. In an economy that values digital innovation, from finance platforms to e-commerce ecosystems to SME digitisation, failing to protect against cyber shocks creates structural risk.

But, when disruption strikes, will the impact be temporary and manageable, or will it fundamentally destabilise the organisation?

In a digital-first economy, preparedness is not only about building stronger walls. It is about ensuring that when those walls are tested, the enterprise remains standing.