Safer Internet Day: Why Cyber Risk Is Now a Boardroom Issue

India’s rapid digital adoption has reshaped how businesses operate, but it has also reshaped how cybercrime works. Phishing attacks now arrive with AI-polished credibility, fake e-commerce storefronts mirror legitimate brands, and deepfake-led impersonation is turning trust into a vulnerability.

For SMEs and digital-first enterprises, cyber incidents are no longer isolated IT disruptions. They increasingly translate into direct financial loss, operational paralysis, and reputational damage. In this environment, cyber risk is emerging as a core business risk, one that leadership teams must address alongside growth and efficiency.

In this conversation with CiOL, Ankit Gupta, Head of Retail Cyber at Policybazaar for Business, explains how AI, cloud scale, and platform trust are redefining cyber threats, and why cyber insurance is becoming a critical layer of digital resilience.

As cybercrime increasingly leverages AI, cloud scale, and platform trust, how has cyber risk for Indian SMEs and digital-first businesses fundamentally changed in the last few years?

The nature of cyber risk faced by Indian SMEs has fundamentally changed. Cyber risk is no longer periodic or purely technical. Earlier, incidents were largely contained and discrete, such as isolated malware attacks or data breaches.

Today, cybercrime is increasingly enabled by AI-driven phishing, fake cloud-based storefronts, cloned payment pathways, and large-scale platform impersonation executed with speed and apparent legitimacy. Compounding this threat is the misuse of trusted digital platforms, cloud hosting services, verified social media accounts, communication tools, and payment systems.

As a result, the impact of a cyber incident is no longer limited to an organisation’s IT infrastructure. Cyber risk has effectively become a core business risk for every enterprise, particularly those operating in the digital economy.

With deepfakes and social engineering driving real financial and reputational damage, how should enterprises rethink cyber risk beyond a traditional IT lens?

Enterprises must move away from viewing cyber risk solely as an IT or security issue and instead assess it through financial, operational, and reputational lenses. Threats such as deepfake fraud, CEO impersonation, and compromised vendor communications exploit trust rather than technology.

This shift necessitates a more holistic risk management approach that extends beyond the IT function to include finance, operations, compliance, and senior leadership. Controls around payment approvals, vendor verification, employee awareness, and crisis response are now as critical as traditional cybersecurity tools.

Ultimately, the real stakes of cyber risk lie in its immediate impact on finances, legal exposure, and brand reputation.

Cyber insurance adoption remains limited in India. What are the most common misconceptions about coverage, and where do businesses often overestimate protection?

One of the most common misconceptions is that cyber insurance covers all losses, regardless of circumstances. In reality, coverage applies only to defined events, such as data breaches, ransomware attacks, unauthorised transactions, business interruption, and incident response, and typically requires adherence to prescribed security controls.

Businesses also tend to overestimate protection in cases involving voluntary actions, such as knowingly sharing OTPs or authorising suspicious transactions despite warnings. Cyber insurance does not replace cyber hygiene.

Another misconception is that cyber insurance is relevant only for large enterprises. In practice, SMEs are often more vulnerable due to weaker internal controls and are increasingly targeted by organised fraud networks.

As budget-led digitisation accelerates AI and MSME tech adoption, is digital growth outpacing cyber risk preparedness?

In many cases, digital growth is indeed outpacing cyber risk preparedness. India’s digitisation drive, increased AI adoption, and push toward digital payments have significantly improved MSME efficiency and market access.

However, governance, controls, and risk readiness have not always kept pace. This gap creates fertile ground for cybercriminals. Cyber preparedness must evolve alongside digital growth through stronger integration of technology, people, and processes, supported by risk-transfer mechanisms such as cyber insurance.

Without this balance, rapid digitalisation may amplify exposure rather than resilience.

How should businesses position cyber insurance within a broader cyber resilience strategy rather than treating it as a fallback?

Cyber insurance should be positioned as a risk transfer and recovery mechanism, not a last-resort solution. Much like fire insurance complements physical fire safety systems, cyber insurance is most effective when combined with strong cybersecurity controls and incident response planning.

A robust cyber resilience strategy integrates prevention through security tools, preparedness through training and response plans, and protection through insurance coverage. Insurance enables organisations to manage the financial and operational consequences of incidents, including recovery costs, legal expenses, customer notifications, and business interruption, allowing leadership to focus on continuity rather than crisis survival.

As insurers partner with cybersecurity and risk intelligence firms, how is cyber insurance evolving to address AI-driven and large-scale fraud?

Cyber insurance is increasingly becoming more data-driven and proactive, with insurers and brokers working closely with cybersecurity, threat intelligence, and incident response firms.

This collaboration supports more informed underwriting, improved risk assessment, and faster recovery outcomes. By gaining deeper visibility into emerging threats such as AI-driven fraud, social engineering, and platform abuse, insurers are expanding coverage beyond financial indemnification.

The focus is shifting toward early detection, response, and recovery, positioning cyber insurance as an integral component of enterprise-wide risk management.