Naavi has been in discussion with some Insurance Companies about the need for DPDPA Risk Insurance. I am not sure if any of the leading Insurance Companies have introduced specific insurance policies to cover the DPDPA Risks, while some are extending their liability policies to respond to enquiries, if any.
I would like to draw the attention of the viewers to many of the discussions on Cyber Insurance on this website, in which we have highlighted that in India, Insurance contracts are considered “Contracts of Good Faith” or “Uberrimae Fidei” contracts. What this means is that at the time of underwriting a Cyber Insurance Contract, it is for the insured to provide a good faith disclosure of risks, and if any of these disclosures are found to be wrong, the insurance claim may be disallowed later.
Data Fiduciaries should therefore think twice and check the proposals made along with the disclosures carefully before placing their reliance on the coverage they may obtain from the policies.
Ideally, the following Risks need to be covered by a Data Fiduciary as “DPDPA Non Compliance Risk”:
- Penalties to be imposed by the Data Protection Board when an inquiry is conducted and the organization is found non-compliant.
- Expenses incurred for Data Breach investigation, Forensic and legal consultancy in case of suspected and actual data breaches.
- Third party liability to data principals arising out of data breach.
Data Fiduciaries need to check whether all these risks are covered or only the expenses related to the data breach investigation and defence of liabilities are covered.
The third party liabilities are difficult to estimate since they depend on the claims that can be made by data principals. The penalties could be large and may extend up to Rs 250 crores.
The actual extent of penalty may also depend on the security measures that an organization may have implemented.
Hence estimating the value of the Insurance Policy required by an organization and setting a fair premium is a challenge.
At the same time, a Pre-Underwriting audit and a Post Claim submission audit become important steps that both the insured and the insurer should consider before fixing the premium as well as settling a claim.
We look forward to a response from the Insurance Companies in India if they are ready to provide the DPDPA Risk Insurance.
Considering the “Good Faith” nature of Insurance Contracts and disputes that may arise regarding “Proximate cause of loss”, Insurers are advised to be careful and seek advice from experts before finalizing the contracts. They should not expect that the “Insurance Brokers” provide the necessary guidance since they have their own vested interests. Hence it is preferable for the Data Fiduciaries to seek independent consultants to assist them in choosing a DPDPA Insurance policy.