India's 'Cyber Risk Paradox' Analyzed
India is facing a "cyber risk paradox" with high rates of cyber attacks but very low cyber insurance penetration, according to an analysis by Insurance Asia. The situation points to a significant global market opportunity for InsurTechs that can provide accessible, data-driven cyber policies. U.S. insurers are watching such international trends for lessons in product design and workflow automation.
The scale of India's cyber threat is staggering, with financial losses from cybercrime surging 206% to ₹22,845 crore (over $2.7 billion) in 2024. The number of reported cybersecurity incidents more than doubled in two years, climbing from 1.02 million in 2022 to over 2.26 million in 2024.
This explosion in risk underpins a massive market opportunity. India's cyber insurance market was valued at approximately $752.6 million in 2025 and is projected to skyrocket to nearly $7 billion by 2034, driven by a compound annual growth rate of over 28%. Growth is being accelerated by new regulations like the Digital Personal Data Protection Act of 2023. While the act does not explicitly mandate cyber insurance, its stringent compliance standards and penalties for data breaches are pushing organizations to seek policies to mitigate financial and legal exposure.
A new wave of domestic InsurTechs is rising to meet this demand. Acko, India's first fully digital insurer, and Digit Insurance focus on simplifying policies through technology, while aggregators like PolicyBazaar create marketplaces for comparison. These companies leverage AI-driven underwriting and API integrations to make coverage more accessible.
In the U.S. market, insurers are aggressively automating underwriting workflows to handle the complexity of cyber risk. AI and machine learning algorithms are used to rapidly process vast amounts of data from security reports and questionnaires, enabling real-time decision-making and more accurate risk pricing. This automation is changing product design, with carriers tightening underwriting standards as a prerequisite for coverage. Insurers now routinely require evidence of strong security controls like multi-factor authentication (MFA), endpoint detection and response (EDR), and privileged access management.
The underwriting process itself is becoming a data-intensive workflow. Automated systems analyze specific documents including security assessment reports, incident response plans, and network diagrams to validate a company's security posture against its stated policies and appetite for risk. Carriers are increasingly bundling pre-breach services as a key differentiator, offering clients managed detection and response (MDR), phishing simulations, and IT consultations. This shifts the model from pure risk transfer to proactive risk mitigation, a lesson for any InsurTech entering a high-risk market.