
The DPDP Act 2023 & Rules, 2025: Insurance implications

With the DPDPA and the DPDP Rules notified, their implementation is now in force.

With the DPDP Act, 2023 and the DPDP Rules, 2025 now notified, we are finally seeing India’s data protection framework move from interpretation to implementation. From a claims and cyber response perspective, the Rules bring much-needed clarity—but also tighter timelines and sharper scrutiny.

What stands out most is not just the scale of potential penalties, but the way compliance, consent management, breach response, and retention failures can now directly influence regulatory outcomes and insurance response. Shorter notification timelines, mandatory reporting to the Board, and defined security safeguards will inevitably increase pressure during live cyber incidents, exactly when decisions matter most. Through this advisory, we have tried to capture how these changes play out in practice: what organisations should expect during a cyber event, how insurers are likely to assess compliance under the DPDP framework, and where coverage debates (particularly around penalties) may emerge. While judicial interpretation on insurability will evolve over time, the ability to demonstrate good faith, due diligence, and reasonable security controls will remain central to any defensible claim.

This advisory is intended to provide a practical cyber risk perspective, focused on how DPDP obligations will operate in real-world data incidents, governance decisions, and insurance assessments.

What’s new in the final rules?

With the Digital Personal Data Protection (DPDP) Act and Digital Personal Data Protection (DPDP) Rules notified, their implementation is now underway. While the overall framework remains the same, a few important refinements have been introduced that will directly impact how clients treat, access, store, and process personal data.

  1. A uniform baseline retention requirement – one year of retention for personal data logs, followed by mandatory deletion unless another law demands longer retention.
  2. Defined grievance timelines – mandatory resolution timelines are now capped at 90 days.
  3. New defined terms bringing clarity – includes “account address”, “unauthorised entity” and “user account”, enabling more straightforward interpretation of obligations.
  4. A staggered rollout – Board-related provisions kick in immediately, while consent manager and complete data fiduciary obligations, such as consent and data subject rights, will phase in over the next 12 to 18 months.
  5. Retention and inactivity rules – retains the three-year inactivity trigger for certain classes, with a mandatory 48-hour pre-deletion notice.
  6. Breach reporting clarity – confirms the two-step model: immediate intimation, followed by a detailed report within 72 hours.

Key Provisions

The DPDP Act & Rules, 2025 introduce a formalised framework for personal data treatment in India. Key obligations include:

  1. Mandatory explicit and verifiable consent for all personal data processing activities.
  2. Clear, transparent notices describing data collection purpose and withdrawal mechanisms.
  3. Mandatory breach notifications to affected individuals and to the Data Protection Board (“Board”).
  4. Implementation of prescribed security safeguards, including encryption, access controls and minimum log-retention requirements.
  5. Mandatory data deletion upon completion of purpose, with 48-hour prior notice to the data principal.
  6. Cross-border data transfers permitted, unless specifically restricted through Government notification.
  7. Time-bound regulatory processes, with breach-related inquiries expected to conclude within six months.

Cyber Insurance Impact

The Rules bring several implications for cyber risk, exposure and insurability:

  1. Shorter notification timelines may increase incident-response pressure and compliance costs.
  2. More frequent regulatory reporting to the Board may trigger additional inquiries, affecting defence cost utilisation.
  3. Greater scrutiny of prescribed controls (encryption, access management, log retention) could affect claim defensibility where non-compliance is identified.
  4. Increased exposure from consent failures, vendor lapses and retention failures may drive third-party liability claims.
  5. Clients may need to reassess cyber insurance limits, especially for forensics, PR, legal advisory and notification costs.

Insurability of Penalties under the DPDP Act

3.1 Nature of penalties

Penalties for significant non-compliance can reach INR 250 crore (approximately US$30 million).

Unlike the General Data Protection Regulation (GDPR), which caps fines, the DPDP Act allows cumulative penalties for multiple provisions breached. The Act places full compliance responsibility on data fiduciaries, not the data processors acting on their behalf. Processors are not directly liable; however, fiduciaries must ensure that contractual controls are in place for compliance.

3.2 Indemnity Limitations & Insurability Considerations

While fiduciaries may contractually transfer obligations to processors, contractual indemnity does not resolve insurability challenges. For insurers, clear benchmarks are needed to assess:

  • Whether consent was free, specific, informed and unambiguous
  • Whether personal data was processed only for the defined purpose
  • Whether prescribed technical and organisational safeguards were in place
  • Whether reasonable security controls were maintained to prevent a breach

Although the Rules have made the implementation of many activities and obligations more structured, the Act is still recent, and many provisions may remain open to industry practice and legal interpretation until judicial precedent emerges.

Where organisations can evidence good-faith efforts and due diligence, inadvertent non-compliance may remain defensible within the policy structure.

3.3 Global perspective

EU practice shows divergence: some jurisdictions treat punitive fines as uninsurable, while others allow coverage depending on:

  • Circumstances of breach
  • Conduct of the insured
  • Specific wording of the insurance policy

Indian regulatory interpretation is likely to evolve in a similar manner.

Conclusion

Cyber insurance policies in India do provide cover for regulatory fines and penalties (where insurable by law). By way of extension, some carriers may also provide cover for “punitive and exemplary damages”. Even where a fine is found not to be insurable, however, a cyber insurance policy may still comprehensively cover the other costs associated with a cyber breach incident, including but not limited to the following:

  • Costs associated with cyber incident management or crisis management;
  • Notification costs;
  • Credit monitoring costs;
  • Public relations;
  • Data restoration/recovery; and
  • Defence costs in relation to any third-party disclosure liability, failure to prevent unauthorized access, failure of system security to prevent a cyber-attack, regulatory response costs, etc.

While clarity on the insurability of DPDP Act fines from an enforcement standpoint remains to be seen, insurance providers can play a vital role in managing risks and supporting businesses in their efforts to comply with data protection regulations. As the judicial stance becomes clearer, insurance policies can be tailored to address the specific needs and challenges of DPDP Act breaches, providing organisations with the necessary protection and peace of mind. By balancing the need for financial stability and compliance incentives, insurers and regulators can work together to enhance the effectiveness of data protection regulations and to safeguard personal data.

Leadership

Bhishma Maheshwari

Chief Client Officer, Senior Vice President, Communications, Media and Technology Leader, Marsh India

Ritesh Thosani

Cyber Practice Leader, Marsh India

Akshara Sharma

Executive Vice President, Claims Advocacy, FINPRO/Cyber

Debashree Pusti

Assistant Vice President, Claims Advocacy, Cyber

Harshit Saini

Senior Manager, Cyber Practice

Speak to your Marsh contact if you have any questions about your cyber insurance.

Marsh India Insurance Brokers Pvt Ltd is a subsidiary of Marsh McLennan. This document is not intended to be taken as advice regarding any individual situation and should not be relied upon as such. The information contained herein is based on sources we believe reliable, but we make no representation or warranty as to its accuracy.

Marsh shall have no obligation to update this publication and shall have no liability to you or any other party arising out of this publication or any matter contained herein. Any modelling, analytics, or projections are subject to inherent uncertainty, and the Marsh Analysis could be materially affected if any underlying assumptions, conditions, information, or factors are inaccurate or incomplete or should change. Insurance is the subject matter of the solicitation. For more details on risk factors, terms and conditions please read the sales brochure carefully before concluding the sale.

Prohibition of Rebates - Section 41 of the Insurance Act, 1938, as amended from time to time: No person shall allow or offer to allow, either directly or indirectly, as an inducement to any person to take or renew or continue insurance in respect of any kind of risk relating to lives or property in India, any rebate of the whole or part of the commission payable or any rebate of the premium shown on the policy, nor shall any person taking out or renewing or continuing a policy accept any rebate, except such rebate as may be allowed in accordance with the published prospectuses or tables of the insurer. Any person making default in complying with the provisions of this section shall be punishable with a fine which may extend to ten lakh rupees.

Copyright 2024 Marsh India Insurance Brokers Pvt Ltd. All rights reserved.