There's a well-worn pattern. The CIO, prompted by a vendor, asks for a cyber insurance quote. Procurement runs three options. The cheapest is bound. Renewal next year. The CFO never reads the wording. The board never reviews the limits. And then — eventually — there's an incident.
The incident is rarely the part most companies imagine. It is not, usually, a sophisticated nation-state attack. It is a phishing email opened by a junior accounts associate, an unpatched device, an old SaaS credential reused on a personal account that turned up in a credential dump. The financial consequences are forensic costs, business interruption, customer notification under DPDP, regulator engagement, and — increasingly — third-party claims from corporate customers whose data flowed through your systems.
These are not IT-budget items. They are board-level liability and capital decisions. Treating cyber insurance as a procurement exercise driven by the CIO understates limits, misses critical extensions (regulatory defence costs, contingent BI from cloud providers, social engineering fraud), and accepts wordings that look clean but exclude the modal claim scenario.
We work with CFOs and audit committees to anchor cyber programmes against three questions: what is the realistic maximum loss; what are the regulatory defence and notification cost ranges under DPDP; what is the contractual liability flowing in from major customers. The answers calibrate limits, retentions, and tower structure. The wording exercise comes after — and it gets done with the seriousness this risk deserves.
A cheap cyber policy is the most expensive insurance you can buy. We've seen the cleanup bills.