Cyber coverage vs compliance: Why Indian firms need more than just IT audits

A decade of rising cyberattacks has shattered the myth that compliance equals cybersecurity. From AI breaches to billion-record credential leaks, India’s enterprises are discovering that ISO certifications and RBI guidelines are no longer enough. The call of the hour is integrated risk management and cyber insurance.

DQI Bureau

In the last decade, India has witnessed a surge in cyberattacks targeting businesses across sectors—from manufacturing and retail to financial services and e-commerce. While companies are rushing to fortify their systems with compliance certifications like ISO 27001 or aligning with regulatory standards like RBI's cybersecurity guidelines, a dangerous misconception persists: compliance equals protection.

However, the reality on the ground is different. Cyberattacks are becoming increasingly sophisticated and are often designed to find ways around even the most scrupulously compliant systems. Attackers typically exploit gaps that go unnoticed, such as outdated or unpatched software, weaknesses in third-party vendors, or simple human error. As a result, even businesses that meet every regulatory requirement can still suffer data breaches, ransomware incidents, and operational disruptions.

In early 2025, Chinese AI firm DeepSeek was hit with a large-scale cyberattack consisting of a mix of DDoS attacks, leaked databases, and probable supply-chain attacks. Security researchers discovered ClickHouse databases containing sensitive internal information openly accessible to the public, including API keys, chat histories, and system tokens. The incident exposed the growing threats associated with AI platforms and insecure APIs, and drew global attention from data privacy authorities.

The recent cyberattack on Marks & Spencer served as a stark reminder of the evolving threat landscape. The company was severely breached, with the intrusion traced back to the Scattered Spider hacker group, which employed sophisticated social engineering methods to get past technical defences. The outcome: a projected financial loss of over Euro 300 million, lost market trust, and widespread customer outrage. The key takeaway is clear: even the best-prepared businesses can fall when human vulnerabilities and contemporary threats intersect.

Most recently, the world's largest cybersecurity warning was sounded when a collection of 16 billion login credentials, drawn from historical breaches and infostealer malware, was found available online. Although not stemming from any single recent hack, the enormous collection contained credentials for sites such as Apple, Google, GitHub, and government websites, enabling large-scale identity theft and phishing attacks. These events highlight the imperative for organisations to move beyond compliance to proactive risk monitoring, and for individuals to take up improved cyber insurance to protect against ever-evolving digital attacks.

Compliance and protection are not synonymous. Compliance standards such as ISO 27001, GDPR, or India's DPDP Act establish formalised methods for data management and system security. They promise little in terms of defence against dynamic threats or new attack vectors.

Consider the example of an ISO 27001-certified business that was breached through a vulnerability in a third-party patch. Although compliant on all counts, the business's operations were still compromised. This example exposes a significant loophole: compliance is a point-in-time or periodic check, not a continuous barrier.

Traditional IT audits come with a number of limitations that make them ill-suited to the quickly evolving cyber threat landscape. First, they are most often point-in-time checks, whereas the preferred mode of defence today is continuous observation that enables countermeasures against emerging threats. Audit methodologies are, in fact, rather static, concentrating on documentation and systems rather than on ever-changing risks such as insider threats, atypical user behaviour, and rapidly evolving external vulnerabilities. Secondly, the reviews tend to be narrowly focused, often overlooking critical exposures such as third-party vendor risks or certain zero-day attacks, such as the CrowdStrike incident that nearly went worldwide. Hence, organisations that rely on traditional IT audits may well be ill-equipped to confront the challenges of today's cybersecurity world.

Cyber insurance is more than a financial backstop; it is a strategic risk transfer mechanism that enables enterprise resilience. It provides:

  • Post-breach finance: Data breach response, legal fees, business interruption, PR management, and regulatory fines.
  • Expert advice: Access to incident response teams, forensic experts, and legal counsel.
  • Incentive to be ready: Insurers usually provide risk assessments and demand baseline security hygiene, enhancing readiness overall.

Example: When a large retail chain was hit by a breach, the financial loss ran into the hundreds of crores. Companies that had cyber insurance could absorb the damage and get back to business faster.

Cybersecurity measures in the modern digital economy need to extend beyond compliance. When these are coupled with cyber insurance, organisations can materially improve their overall risk posture.

  • An Integrated Approach to Risk: Insurers evaluate organisational risk beyond policy checklists. They review technical audits, third-party risk assessments, and threat simulation scenarios based on plausible events.
  • Prevention Before a Crisis Hits: Insurers provide important pre-incident services, ranging from employee training to simulation exercises that enhance incident response preparedness.

Despite increasing digital threats, the penetration of cyber insurance in India, particularly among small and mid-size enterprises, remains low. The major reasons are:

  • Misplaced Confidence: Most organisations believe that internal IT staff and compliance audits will be enough to ward off threats.
  • Cost Concerns: Cyber insurance is seen as an extra expense, when in fact it is far more economical than the financial and reputational loss of a breach.
  • Lack of Awareness: Executive-level decision-makers tend to be unclear about how cyber insurance operates and what protection it provides.

Furthermore, reluctance stems from worries about claims being denied or delayed, based on experience in conventional insurance segments. Regaining trust will require transparency from insurers and intermediaries, and long-term education of all stakeholders. Resilience today is not about ticking compliance boxes; it is about an integrated, holistic approach to cyber risk that acknowledges vulnerabilities, anticipates threats, and gives businesses the ability to respond swiftly. Cyberattacks are now considered a matter of ‘when’ rather than ‘if.’ There is no better time than now to institute solid measures.

By Neha Anand, Vice President & Head of Cyber, Prudent Insurance Brokers