Does Your Company Require Cyber Insurance to Comply with India’s DPDP Law?

Written by Archana Rao. Reading time: 6 minutes

The Digital Personal Data Protection (DPDP) Act, 2023, became operational following the notification of the DPDP Rules in November 2025, with phased implementation expected through 2027. India now has a dedicated legal framework governing digital personal data protection, imposing compliance obligations across sectors handling personal data.

Companies are switching over from “privacy as choice” to “privacy as a necessity.” This shift comes with the financial penalties prescribed under the DPDP Act for data breaches.

In the DPDP Act, Chapter VIII, titled “Penalties and Adjudication,” India has laid down one of the world’s most stringent financial penalty regimes for data protection. This makes it necessary for businesses, especially those that offer goods and services while collecting and maintaining digital customer databases, to be more hands-on in meeting their compliance obligations.

Overview of the penalty regime under DPDP Act

Under Chapter VIII of the DPDP Act, Sections 33 and 34 set out the framework governing liability for personal data breaches, the inquiry process to be followed by the Board, and the penalties that may be imposed upon a finding of non-compliance.

The “Board” refers to the Data Protection Board of India (DPBI), a statutory authority responsible for enforcing the DPDP framework. Established under Section 18 of the DPDP Act, the Board has powers to investigate personal data breaches, hear complaints and compliance disputes, conduct inquiries against data fiduciaries, and impose financial penalties for non-compliance.

Section 33 provides that, upon concluding an inquiry into a personal data breach and after giving the data fiduciary an opportunity to be heard, the Board may determine the quantum of financial penalty to be imposed under subsection (1). In assessing the appropriate penalty, the Board may take into account the following factors:

  1. The nature, gravity, and duration of the breach;
  2. The type and nature of personal data affected;
  3. Whether the breach involves repeated instances of non-compliance;
  4. Any gains realized or losses avoided as a result of the violation;
  5. Any mitigating measures, remedial actions, or corrective steps taken after notification of the breach; and
  6. Any other relevant factors the Board considers appropriate.


Penalty amount based on the degree of violation

| Violation | Penalty amount |
|---|---|
| Violation of provisions of sections 4 to 12 and section 14 | Up to INR 2 billion (US$21.24 million) |
| Failure to take reasonable security safeguards under section 8(5) | Up to INR 2 billion (US$21.24 million) |
| Failure to intimate the Board and affected Data Principals about a personal data breach under section 8(6) | Up to INR 2 billion (US$21.24 million) |
| Failure to appoint a Data Protection Officer and publish contact information under section 10 | Up to INR 100 million (US$1.06 million) |
| Failure to publish business contact information under section 9(1)(c) | Up to INR 100 million (US$1.06 million) |
| Failure to undertake a Data Protection Impact Assessment or Data Protection Audit under section 10(1)(b) or (c) | Up to INR 500 million (US$5.31 million) |
| Failure to provide information to the Board under section 32(2) | Up to INR 100 million (US$1.06 million) |
| Failure to comply with directions issued by the Board under section 34 | Up to INR 2.5 billion (US$26.55 million) |

Source: Schedule, Chapter VIII, DPDP Act, 2023

Companies must also take into account the maximum penalties that can be imposed:

  1. Up to INR 5 billion (US$53.11 million) – Highest possible penalty
  2. INR 2.5 billion (US$26.55 million) – Failing to comply with Board directions
  3. INR 2 billion (US$21.24 million) – Violating core rights (Sections 4-12)
  4. INR 500 million (US$5.31 million) – Failing DPIA/Audit (Significant Data Fiduciaries, SDFs)
  5. INR 100 million (US$1.06 million) – Administrative failures


Comparing India’s DPDP law with global standards

[Figure: Global comparison of data protection penalties]

This means that the financial penalty is a bigger threat for companies with smaller turnover than for large multinationals. The Act specifies that there is no discount for entities that are unable to pay the imposed fine.

Degree of impact on businesses based on operational nature

A detailed assessment of the DPDP Act, 2023, indicates that the extent of compliance exposure for businesses will largely depend on the nature of their operations, scale of data processing activities, and frequency of interaction with consumers. Companies operating in consumer-facing sectors are expected to face heightened regulatory scrutiny due to the increased likelihood of procedural lapses in consent management, data processing, and grievance handling.

As a result, businesses operating in the B2C (business-to-consumer) segment are likely to face greater compliance obligations and enforcement risk. This includes sectors such as fintech, banking, financial services and insurance (BFSI), e-commerce platforms, edtech providers, gaming platforms, and other digital consumer services that process significant volumes of personal data on a recurring basis.

At the same time, businesses operating under a B2B (business-to-business) model are not insulated from liability under the Act. Where a personal data breach arises due to the actions or omissions of a third-party data processor or service provider, the primary data fiduciary may still remain accountable under the statutory framework, while separately pursuing contractual remedies or indemnification claims against the processor responsible for the breach.

In particular, organizations that process children’s data, maintain large-scale consumer datasets, handle sensitive digital ecosystems, or operate through decentralized or inadequately governed “shadow IT” systems are expected to face elevated compliance and enforcement exposure under the DPDP regime.

Cyber insurance to safeguard your business

Business operations in India are actively adopting digital tools to keep pace with the latest market demands and global trends. This has also made several companies and business operations vulnerable to cyberattacks and data leaks. As per the central government, in 2025, India’s Computer Emergency Response Team (CERT-In) handled over 2.94 million cyber incidents in the country, issuing 1,530 alerts, 390 vulnerability notes, and 65 advisories, reflecting large-scale national cyber response capability.

Note that not all cybercrime incidents fall within the purview of the DPDP Act.

| Type of cybercrime incident | Reported to CERT-In? | Under DPDP purview? | Why? |
|---|---|---|---|
| Distributed Denial-of-Service (DDoS) attack | Yes | No (usually) | Only disrupts service; doesn’t usually leak personal data. |
| Ransomware | Yes | Yes | Personal data is “processed” (encrypted/accessed) without authorization. |
| Phishing / spoofing | Yes | Yes | Often involves unauthorized use of contact lists or identity theft. |
| Defacement | Yes | No | Changes a website’s look but may not touch the user database. |
| Data leak / breach | Yes | Strictly yes | The core focus of the DPDP Act. |

Cyber insurance: High-risk sectors under India’s data protection regime

Commercial cyber insurance in India typically covers a broad range of financial losses, legal liabilities, and operational disruptions arising from cyberattacks, data breaches, ransomware incidents, and other digital security events. These policies generally operate through a two-tier coverage structure:

  1. First-party coverage: Where a company suffers a direct cyber incident, the policy may cover expenses related to forensic investigations, incident response, business interruption, customer notification requirements, data recovery, and credit monitoring services for affected individuals.
  2. Third-party liability coverage: Cyber insurance may also cover liabilities arising from claims by customers, vendors, or other third parties affected by a data breach or cybersecurity failure. This can include legal defense costs, settlement expenses, compensation claims, and, where permitted under applicable law and policy terms, certain regulatory penalties and compliance-related costs.

Indicative sectoral cyber insurance priorities under the DPDP regime

| Sector | Primary risk exposure | Insurance priority |
|---|---|---|
| EdTech & Online Gaming | Children’s data and consent violations | Very high |
| BFSI & Fintech | Financial fraud and identity theft | Very high |
| E-commerce & D2C | Large-scale customer data breaches | High |
| Healthcare | Sensitive medical data and ransomware | High |
| SaaS & Technology Providers | Contractual liability and processor exposure | Moderate to high |
| Professional Services | Confidential client information | Moderate |
| Manufacturing | Operational disruption and ransomware | Moderate to low |
| Government Bodies | Statutory exemptions and sovereign functions | Low |
| Micro-enterprises | Limited personal data exposure | Low |

FAQ: Cyber insurance considerations for DPDP risk management

Q. Can cyber insurance directly cover DPDP penalties?

Ans: This depends on the structure of the policy and the nature of the violation.

In practice, insurers may provide:

  • defense cost coverage during regulatory proceedings;
  • investigation and response expenses;
  • settlement-related costs;
  • limited regulatory fine coverage where legally permissible.

However, not all DPDP-related penalties may be insurable under Indian public policy principles. Businesses should, therefore, carefully evaluate the following:

  • whether regulatory fines are expressly covered;
  • exclusions relating to intentional misconduct or gross negligence;
  • conditions tied to cybersecurity compliance obligations.

Merely purchasing cyber insurance does not eliminate statutory liability under the DPDP framework.

Q. Should businesses conduct a cyber risk assessment before purchasing coverage?

Ans: Insurers increasingly assess an organization’s cybersecurity maturity before underwriting cyber insurance policies.

Businesses should therefore evaluate:

  • the volume of personal data processed;
  • whether children’s or sensitive personal data is handled;
  • existing cybersecurity controls;
  • breach response preparedness;
  • third-party vendor exposure;
  • cross-border data processing activities.

A comprehensive cyber risk assessment helps organizations determine appropriate coverage limits, identify operational vulnerabilities, and negotiate policies aligned with their actual DPDP exposure.

Q. Should businesses rely solely on cyber insurance for DPDP compliance?

Ans: No. Cyber insurance should function as a financial risk mitigation layer rather than a substitute for DPDP compliance.

Businesses must still establish lawful consent mechanisms, data governance frameworks, breach response procedures, vendor oversight controls, employee training systems, and cybersecurity safeguards.

Insurance may help reduce the financial impact of a breach, but regulatory accountability under the DPDP framework remains with the data fiduciary.

Q. Why should DPDP-related cyber insurance policies be reviewed periodically?

Ans: Cyber risks, regulatory expectations, and data processing practices evolve rapidly. Businesses should periodically reassess whether their cyber insurance policies adequately address evolving DPDP compliance obligations, increased data processing activities, and new business models or digital services. Businesses must also review revised insurer exclusions or underwriting standards.

Regular review helps ensure that insurance coverage remains commercially and legally aligned with the organization’s changing data protection risk profile.

(US$1 = INR 94.15)

About Us

India Briefing is one of five regional publications under the Asia Briefing brand. It is supported by Dezan Shira & Associates, a pan-Asia, multi-disciplinary professional services firm that assists foreign investors throughout Asia, including through offices in Delhi, Mumbai, and Bengaluru in India. Dezan Shira & Associates also maintains offices or has alliance partners assisting foreign investors in China, Hong Kong SAR, Vietnam, Indonesia, Singapore, Malaysia, Mongolia, Dubai (UAE), Japan, South Korea, Nepal, The Philippines, Sri Lanka, Thailand, Italy, Germany, Bangladesh, Australia, United States, and United Kingdom and Ireland.
