The recent revelation of the world’s largest-ever data breach, exposing 16 billion passwords tied to tech giants like Apple, Facebook, and Google, has amplified concerns about cyber vulnerabilities for businesses, particularly in the insurance sector, which is already under scrutiny for the sensitive data it safeguards.
This breach also comes at a time when the Indian insurance industry has witnessed some of its most significant cyberattacks in FY25.
“Insurance companies have long been under the radar because of the sensitive data they are custodians of,” said Neha Anand, Vice President and Head of Cyber at Prudent Insurance Brokers. “It is extremely essential that insurers are proactive with respect to the storage, processing, hosting, and outsourcing of data.”
The scale and sophistication of the breach have forced insurers to confront the reality that preparedness cannot remain a work in progress, she said.
According to Anand, it is now imperative for insurance providers to have a robust Incident Response (IR) mechanism in place.
An IR mechanism refers to the structured approach that organisations use to detect, respond to, and recover from cybersecurity breaches or threats. This includes the pre-alignment of forensics experts, legal advisors, and PR professionals as part of a comprehensive crisis management framework.
Anand also stressed the importance of regular simulations and breach drills, which many insurers are yet to institutionalise.
Moneycontrol had earlier reported that FY25 recorded the highest number of cyberattacks on the insurance sector, marking it as the most targeted year for the industry.
“There is nothing I fear for the company more than a cyber breach right now,” said the CEO of a leading general insurance company, choosing to stay anonymous.
The nature of data insurance companies deal with is high-risk and sensitive, and “it is scary because once the data is out, there is nothing we can do,” he said.
“If companies like Meta and Apple can be vulnerable to it, anybody can be,” he added.
The Insurance Regulatory and Development Authority of India (IRDAI) has mandated several cybersecurity compliances in recent years, including the appointment of a designated Incident Response Manager and the implementation of IR plans. But experts believe more is needed.
“The regulator should also set up a support mechanism to help companies respond if breaches occur, ensuring that the personal data of individuals is not misused,” Anand added, as preventative mechanisms in cyber breaches are often beyond anyone’s control.
Evaa Saiwal, Head of Liability & Cyber Insurance at Policybazaar for Business, echoed similar concerns.
“This unprecedented leak isn’t just a wake-up call for individuals, it’s a red flag for businesses and insurers alike. The volume of exposed data signals a deepening systemic vulnerability, and it’s reshaping how cyber risk is assessed and underwritten.”
Insurers must mandate strong security audits, multi-factor authentication, endpoint protection, and dark-web monitoring as prerequisites for coverage, she said.
“In today’s environment, robust cyber hygiene is essential not just for protection, but to secure coverage and manage premium risk. Cyber resilience is no longer optional, it’s a business imperative,” Saiwal said.
Experts are also calling for more collaborative frameworks between insurers, regulators, and cybersecurity firms to develop sector-specific threat intelligence platforms.
“The insurance industry should invest in shared cyber risk databases to better track vulnerabilities and response strategies across companies,” said a cybersecurity consultant working with multiple BFSI clients.
With more insurance companies digitising their customer interfaces and expanding into health-tech and wellness integrations, the consultant said, the attack surface will only widen unless cyber resilience is embedded into core business models, not treated as a one-time compliance activity.
As the country gears up for stricter data protection norms under the Digital Personal Data Protection Act (DPDPA), which experts are anticipating later this year, insurance companies now face the dual challenge of avoiding regulatory penalties and preserving consumer trust.
Moneycontrol had earlier reported that a large-scale data breach at a standalone health insurer could potentially attract a penalty of up to Rs 250 crore under the provisions of the DPDPA.
“The real risk is reputational. A single breach can take years to recover from, not just operationally, but in terms of public confidence,” Anand added.
The urgency around cybersecurity is even more pronounced as insurers become increasingly AI-driven and digitally integrated.
Reports indicate that large players like HDFC Life, ICICI Lombard, and Bajaj Allianz have been investing heavily in AI-based systems to automate claims processing and detect fraud. “These systems rely on vast volumes of personal and behavioural data, making the need for robust cybersecurity and encryption frameworks even more critical,” the cybersecurity consultant said.
The sector has also seen the rise of digital-first and tech-native insurance startups such as Acko, Digit Insurance, and even health-focused players like Plum and Onsurity.
According to the websites of these companies, they operate entirely on cloud infrastructure with no legacy systems, offering fast and paperless onboarding, app-based claims processing, and real-time policy issuance.
Discover the latest Business News, Sensex, and Nifty updates. Obtain Personal Finance insights, tax queries, and expert opinions on Moneycontrol or download the Moneycontrol App to stay updated!
Find the best of Al News in one place, specially curated for you every weekend.
Stay on top of the latest tech trends and biggest startup news.
