For years, the cyber threat landscape operated on a familiar timetable. Attackers needed time to scan for vulnerabilities, craft convincing phishing emails, write exploit code, and move laterally through a compromised network. Defenders had windows, sometimes days, to detect and contain an intrusion before it became a crisis.
Generative AI has collapsed that timeline. As CERT-In noted in its May 2026 blueprint, AI now automates scanning for weak points in an organization's systems, writes exploit code, and launches attacks, compressing what previously took attackers days or weeks into hours. AI generates personalized emails, deepfake voice calls, and fake videos that mimic real people convincingly enough to bypass employee training designed for an older threat environment.
For Indian businesses, the threat is both external and structural. According to Proofpoint CEO Sumit Dhawan, India has become one of the top countries for threat actors, with botnets being set up in India and AI-generated attacks being launched from Indian infrastructure targeting not just Indian companies but organizations globally. The Indian government is actively considering a dedicated AI law in response to growing concerns over deepfakes and cyber crime, IT Secretary S. Krishnan confirmed at a cybersecurity event in Delhi in early 2026.
Stronger cybersecurity defenses are necessary. But when defenses fail, as they increasingly do against AI-assisted attacks, financial protection becomes the other half of risk management. This is where cyber insurance becomes essential.
Why AI-based cyber attacks are increasing
AI has not just improved cyberattacks. It has industrialized them. Previously, a convincing phishing email required a human to research the target, craft a plausible scenario, and write in the target's language. Generative AI now does all of this automatically, at scale, across thousands of targets simultaneously. A Business Email Compromise scam that once required a skilled operator now requires a prompt. The most significant AI-driven attack types businesses face today include:
- AI-generated phishing and spear phishing: Large language models generate highly personalized phishing emails using publicly available information about the target, their organization, their role, and their recent activity. According to VIPRE Security Group, 40% of all Business Email Compromise emails are now AI-generated. These emails are grammatically perfect, contextually accurate, and bypass the detection signals that employees are trained to spot.
- Deepfake impersonation: AI-generated voice calls and video clips convincingly mimic executives, finance officers, and senior staff. CERT-In's May 2026 blueprint specifically identifies deepfake-based impersonation as a priority threat that Indian organizations must actively prepare for.
- Automated ransomware: AI assists in identifying high-value targets, selecting entry points, moving laterally through networks, and timing encryption to maximize damage before detection. India's average breach lifecycle of 263 days, cited by Qualys in the context of CERT-In's blueprint, is structurally misaligned with the speed at which AI-assisted ransomware now operates.
- Business Email Compromise: AI-assisted BEC attacks are faster, more convincing, and harder to detect than human-executed versions. CERT-In flags BEC and social engineering as among the most financially damaging categories of AI-enabled attack for Indian enterprises.
- AI-enabled vulnerability exploitation: As CERT-In's blueprint states, threat actors are leveraging AI to automate reconnaissance, identify software vulnerabilities, generate exploits, conduct large-scale phishing campaigns, and accelerate cyberattacks against conventional applications, APIs, cloud environments, and interconnected digital systems.
AI cybersecurity in India: what businesses should know
CERT-In's blueprint for AI-assisted cyber threats
On May 25, 2026, the Indian Computer Emergency Response Team (CERT-In), under the Ministry of Electronics and Information Technology (MeitY), released its Blueprint for Reducing Exposure and Defending against AI-Assisted Vulnerabilities Exploitation in Digital Infrastructure. The 38-page framework covers nine areas across 14 detailed sections and represents the most comprehensive national guidance India has produced on AI-enabled threats. Key requirements from the blueprint include:
- Known exploited vulnerabilities on internet-facing systems must be patched within 12 hours
- Critical externally exposed vulnerabilities must be addressed within one day
- High severity vulnerabilities must be remediated within five days
- All cyber incidents must be reported to CERT-In within six hours of detection
- Organizations must maintain AI asset inventories and monitor for shadow AI tools used without IT authorization
Although the blueprint is advisory rather than mandatory, Khaitan and Co notes in its legal analysis that it should be treated as an indicator of evolving regulatory expectations, particularly given CERT-In's repeated emphasis on continuous governance, continuous monitoring, and operational readiness. Failure to meet these standards could affect insurer coverage decisions at the point of a claim.
India's AI regulatory direction
IT Secretary S. Krishnan confirmed in early 2026 that the Indian government is actively considering the introduction of a dedicated AI law as concerns grow over deepfakes, cyber threats, and the limits of the existing framework. India's updated Information Technology Rules already introduce a three-hour takedown mandate for deepfake content after a valid complaint and mandatory AI labelling for AI-generated content on platforms. For businesses, this regulatory direction means compliance expectations around AI governance and cybersecurity incident response are tightening, and organizations that wait for mandatory rules before acting are building exposure in the interim.
Examples of AI-powered cyber threats
This is not a single incident. It is the aggregate cost of AI-enabled fraud across India in a single year. According to government data reported through India's National Cyber Crime Reporting Portal and cited by Kaval Research in March 2026, Indians lost at least Rs. 22,495 crore to cyber fraud in 2025. That is only the reported figure. According to the same report, 51% of UPI fraud victims never reported the incident at all. AI-generated phishing, deepfake impersonation, and automated social engineering drove a significant share of this loss.
On November 23, 2022, AIIMS New Delhi was hit by a ransomware attack that shut down its entire digital infrastructure for six consecutive days. The LockBit ransomware gang allegedly demanded approximately Rs. 200 crore in cryptocurrency. Five of 100 physical servers were breached, approximately 1.3 terabytes of data were encrypted, and the medical records of an estimated 40 million patients were exposed. AIIMS was forced to revert entirely to manual operations for admissions, discharges, diagnostics, billing, and appointments. The Delhi Police invoked Section 66(F) of the IT Amendment Act, identifying it as cyber terrorism. The AIIMS attack made one thing unambiguous: ransomware does not discriminate by sector, and the operational consequences of an uninsured attack on critical systems are immediate and severe.
More than 92,000 deepfake digital arrest cases have been recorded in India since January 2024, according to figures reported by The Indian Express and verified by law enforcement authorities. In this pattern, victims receive video calls from individuals using AI-generated faces and voices impersonating police officers, judges, or CBI officials. The victim is told they are under investigation, isolated from family and colleagues, and pressured to transfer money to avoid arrest. Indian authorities have traced approximately 40% of these operations to Southeast Asia, where coordinated networks use generative AI to scale impersonation fraud across thousands of simultaneous targets.
In 2024, a finance worker at Arup, an international engineering firm, attended what appeared to be a video conference with the company's CFO and several senior colleagues. Every participant on the call was an AI-generated deepfake. The voices matched. The faces were familiar. The instructions were clear: authorize an urgent confidential payment before a deal closed. The employee complied, transferring approximately US $25 million to offshore accounts before the deception was uncovered. This case is now cited globally as the definitive example of deepfake-enabled Business Email Compromise. Critically, no technical breach of Arup's systems occurred. The employee acted voluntarily on false instructions, which is precisely why most standard cyber insurance policies would not respond without a specific social engineering endorsement.
Organized fraud networks have used AI-generated deepfake videos of Finance Minister Nirmala Sitharaman and Google CEO Sundar Pichai to promote fraudulent investment platforms and fake cryptocurrency schemes, distributed through WhatsApp, Telegram, and social media. According to a 2025 analysis cited by Pi-Labs and BW Businessworld, deepfake cases in India have surged 550% since 2019. A 2025 analysis of AI scams in India found that 47% of Indian adults have either been victims of, or know someone who has been a victim of, an AI voice-cloning or deepfake scam, nearly double the global average of 25%. The same report found that 83% of Indian victims of AI voice scams suffered monetary loss, with almost half losing more than Rs. 50,000. These are not edge cases. They represent a structural shift in how financial fraud operates in India.
What kind of cyber insurance do you need?
Cyber insurance is not a single product. It is a category covering multiple coverage types that address different points of failure. In the context of AI-based cyber attacks, the following are the most relevant.
- Cyber liability insurance: The foundational coverage. A cyber liability insurance policy covers the legal, regulatory, and financial consequences when a cyber incident results in harm to third parties, including customers, partners, and regulators. For AI-related incidents involving data theft or privacy violations, this is typically the primary coverage layer.
- First-party cyber insurance: Covers the direct losses the organization suffers: investigation costs, data recovery, system restoration, ransomware payments where applicable, and crisis communication. This is where the immediate financial impact of an AI-enabled breach lands.
- Social engineering and deepfake fraud coverage: Addresses financial losses from fraudulent instructions, including AI-generated voice calls and email impersonation of executives. Given the rise of deepfake-enabled financial fraud, this has moved from a niche add-on to an increasingly essential inclusion. Most standard policies do not include it by default, as the Arup case demonstrates.
- Ransomware and cyber extortion coverage: Covers ransom payments, negotiation costs, and related expenses when an attacker encrypts systems or threatens to release stolen data. AI has dramatically accelerated ransomware deployment timelines, making this coverage more urgent than ever.
- Business interruption coverage: Compensates for revenue loss and additional operating costs when a cyber incident disrupts normal business operations. The AIIMS attack, which took the hospital offline for six days, illustrates what uninsured business interruption looks like at scale.
- Data breach response coverage: Covers the cost of notifying affected individuals, providing credit monitoring, managing regulatory investigations, and handling legal defense, all triggered by a data breach regardless of whether it was AI-assisted.
- Media and privacy liability coverage: Covers claims arising from unauthorized collection or use of personal data, content liability, and privacy violations, relevant for organizations operating customer-facing digital platforms.
Essential features your cyber insurance policy should include
| Feature |
Why It Matters |
| Social Engineering and Deepfake Fraud Endorsement |
AI-generated voice and video impersonation is now a primary BEC vector, and most standard policies exclude it. |
| No Requirement to Prove the Attack Was AI-Enabled |
Policies that require proof of the attack method create coverage disputes. |
| Business Interruption with Short Waiting Periods |
AI-enabled attacks can disrupt operations within hours. |
| First-Party and Third-Party Coverage |
Most AI attacks produce both direct losses and third-party liability. |
| Regulatory Fines and Penalties Coverage |
CERT-In's six-hour incident reporting requirement creates regulatory exposure in cases of non-compliance. |
| Incident Response and Forensics Costs |
Identifying what happened in an AI-assisted breach is expensive and highly specialized. |
| Ransomware Negotiation and Payment Coverage |
Covers both payment and non-payment scenarios. |
| Cloud and SaaS Environment Breach Coverage |
AI attacks frequently target cloud infrastructure and APIs. |
Does cyber insurance cover AI-based cyber attacks?
This is the most important question any business should ask before buying, and the honest answer is: it depends entirely on the policy wording.
Most modern cyber liability insurance policies may cover losses resulting from AI-generated phishing, ransomware, Business Email Compromise, and data breaches, but only to the extent that these events fall within the defined coverage triggers and are not excluded by specific policy terms. Most policies do not specifically enumerate AI as a covered or excluded cause. Coverage is determined by the nature of the event, a data breach, a fraud loss, a business interruption, not by whether AI was used to execute it.
Social engineering and deepfake fraud are the critical exceptions. Many standard cyber insurance policies exclude voluntary financial transfers made on the basis of fraudulent instructions unless a specific social engineering endorsement is included. The Arup case is the clearest real-world illustration: US $25 million was transferred voluntarily, no system was hacked, and the question of whether a standard policy responds hinges entirely on whether social engineering is covered.
Businesses should review the following policy elements before assuming AI-related incidents are covered: the definition of a covered event, social engineering endorsement status, exclusions related to voluntary acts or wire transfer fraud, and how the policy handles losses from the organization's own AI systems being compromised or manipulated.
What AI risks may not be covered?
- Known unpatched vulnerabilities: If an AI-assisted attack exploits a vulnerability that was publicly disclosed and the organization had not patched within a reasonable timeframe, the insurer may reduce or deny coverage on the basis of inadequate security maintenance. CERT-In's 12-hour patching requirement for known exploited vulnerabilities on internet-facing systems makes this a particularly live risk for Indian organizations.
- Poor cybersecurity practices: Policies typically require the insured to maintain specified security controls. If an AI attack succeeds because basic controls like multi-factor authentication, endpoint protection, or network segmentation were absent, coverage may be contested.
- Insider threats and employee misconduct: Losses caused by an employee's intentional misconduct, even where AI tools were misused, are typically excluded unless the policy includes a specific insider threat endorsement.
- Shadow AI exposure: If employees are using AI tools without IT authorization and sensitive data is exposed through those tools, the insurer may argue the loss resulted from an unmanaged, unauthorized activity outside the policy's intended scope.
- Losses from the organization's own AI systems: If the organization's own AI system makes an erroneous decision, is manipulated through prompt injection, or produces outputs that cause financial harm, this is unlikely to be covered under a standard cyber insurance policy without specific AI liability coverage.
- Contractual disputes: If a client disputes payment or claims damages arising from an AI-related incident as a contractual matter, standard cyber insurance typically does not respond.
Questions to ask before buying cyber insurance
- Does this policy include a social engineering and deepfake fraud endorsement, and what is the sub-limit?
- How does the policy define a covered cyber event, and does that definition accommodate AI-generated attacks?
- What security controls are required for coverage to apply, and are we currently meeting all of them?
- How does the policy respond if AI tools we have deployed internally are compromised or manipulated?
- What is the insurer's claims process for AI-assisted incidents, and how do they evaluate coverage?
- Does business interruption coverage activate immediately, or is there a waiting period?
- Are regulatory fines and CERT-In non-compliance penalties covered?
- What incident response and forensics support does the insurer provide directly?
How Pazcare helps organizations evaluate cyber insurance as part of their risk strategy
Cybersecurity defenses reduce the likelihood of an attack succeeding. Cyber insurance manages the financial consequences when one does. For most organizations, the harder problem is not deciding whether to buy cyber insurance but understanding what a policy actually covers, where the gaps are, and whether the terms they are being offered are competitive.
Pazcare is an IRDAI-licensed insurance broker that works with organizations across India to evaluate, structure, and manage insurance programs, including cyber insurance alongside employee health, personal accident, and life insurance. For HR leaders, CFOs, and founders building a complete organizational risk framework, Pazcare helps bridge the gap between cybersecurity posture and insurance coverage by providing multi-insurer comparison, policy wording review, and claims support across the policy year.
Given the coverage gaps this blog outlines, particularly around social engineering endorsements, deepfake fraud, and the implications of CERT-In's six-hour incident reporting requirement, having a licensed broker review your existing or prospective cyber insurance policy before an incident occurs is significantly more valuable than discovering a gap after one.
Is your organization's cyber insurance structured to cover AI-powered attacks, or are there gaps you have not yet identified?
Talk to a Pazcare insurance expert to review your current coverage and compare cyber insurance options across insurers, or download the Employee Health Matters 2026 guide to see how Indian organizations are building complete risk and benefits strategies for 2026.