Cyber underwriters price Indian SaaS policies. A compliance posture scan produces verifiable evidence of your GDPR, DPDP, and DORA configuration — and insurers are starting to use it to price risk more precisely. Our broker partner has indicated this can translate to 10–15% lower premiums at renewal.
JeCertis (jurocompliant.com) is a compliance posture scanner — distinct from Juro (juro.com), which is a contract management tool.
The problem with self-attestation
Cyber underwriters writing policies for Indian SaaS and fintech companies face a fundamental information gap. The standard underwriting process relies on application questionnaires: Do you encrypt data at rest? Do you have a breach notification procedure? Have you conducted a privacy impact assessment?
The answers are self-reported. Nobody verifies them. An engineering team under deadline pressure fills out the questionnaire in an hour. A company with a thoughtfully documented DPDP data flow and a company with a checkbox in a spreadsheet return identical questionnaires.
This means premiums are a proxy for risk, not a measurement of it. Companies with genuinely strong controls pay the same rates as companies with gaps. From an underwriter's perspective, every Indian SaaS company in a given revenue and sector band looks roughly the same.
Why DPDP Rules 2025 changed the liability picture
The Digital Personal Data Protection Rules 2025 (notified via G.S.R. 846(E) on November 13, 2025) created a new and specific liability regime in India. For the first time, data fiduciaries (organisations that determine the purpose and means of processing personal data) face enforceable obligations with financial penalties, a Data Protection Board with adjudication powers, and processor accountability requirements.
Cyber policies written before November 2025 were priced before this enforcement landscape existed. An insurer covering DPDP breach exposure today is taking on a materially different risk than the policy language was designed for — and most policies have not been re-underwritten against the new rules.
Underwriters who want to price this correctly need better signal than a questionnaire completed before the rules existed.
What does a compliance posture scan actually produce?
A posture scan is not a certification and it is not an audit. It is a deterministic technical process that checks your live configuration, code, and public surface against a defined rule pack — and it produces findings cited to specific regulation articles: GDPR Art. 32, DPDP §8, DORA Art. 28.
Each scan output is:
- Deterministic. The same target snapshot and the same rule pack produce identical output. There is no human judgment in the finding itself.
- Signed. Output is cryptographically signed and a fingerprint is published to a public notary log. A broker or underwriter can verify the artefact hash against that log without trusting JeCertis.
- Cited. Every finding references the exact regulation section it maps to. A finding is not "you have a privacy gap" — it is "your cookie consent implementation does not meet GDPR Art. 7 requirements, detected at [specific location]."
This is independently verifiable evidence of posture — not a statement that the company is compliant. A clean scan means no gaps were detected in the scanned configuration at the time of the scan. It does not mean no gaps exist.
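As an added illustration (not JeCertis's actual artefact format or code), the script below shows how the "deterministic" and "fingerprint published to a public log" properties above can be checked by someone holding only the artefact. It assumes SHA-256 over a canonical JSON body, keeps the timestamp in an envelope outside the hashed body, uses a Python set as a stand-in for the notary log, and leaves the signature step out; only the hash-against-log check is shown.

```python
import hashlib
import json

# Constructed sample findings (not real scanner output): each one cites
# the regulation section it maps to, as the page describes.
FINDINGS = [
    {"rule": "cookie-consent", "citation": "GDPR Art. 7",
     "location": "https://example.test/", "status": "gap"},
    {"rule": "encryption-at-rest", "citation": "GDPR Art. 32",
     "location": "db-config", "status": "ok"},
    {"rule": "processor-contract", "citation": "DPDP §8",
     "location": "vendor-register", "status": "gap"},
]

def canonical_bytes(findings):
    """Deterministic serialisation: sorted findings, sorted keys, fixed
    separators, so the same snapshot always hashes to the same value."""
    ordered = sorted(findings, key=lambda f: (f["citation"], f["rule"]))
    return json.dumps(ordered, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")

def fingerprint(findings):
    return hashlib.sha256(canonical_bytes(findings)).hexdigest()

def build_artefact(findings, scanned_at):
    """The timestamp lives in the envelope, outside the hashed body, so two
    scans of the same snapshot share a fingerprint but keep their own time."""
    return {"scanned_at": scanned_at, "fingerprint": fingerprint(findings),
            "findings": findings}

def publish(log, artefact):
    """Simulated public notary log: the set of published fingerprints."""
    log.add(artefact["fingerprint"])

def verify(log, artefact):
    """What a broker does: recompute the hash from the findings they were
    handed and check it appears in the public log. Returns (ok, reason)."""
    recomputed = fingerprint(artefact["findings"])
    if recomputed != artefact["fingerprint"]:
        return False, "findings do not match the artefact's own fingerprint"
    if recomputed not in log:
        return False, "fingerprint not present in the notary log"
    return True, "artefact matches a published fingerprint"

def demo():
    log = set()
    a1 = build_artefact(FINDINGS, "2025-12-01T09:00:00Z")
    a2 = build_artefact(list(reversed(FINDINGS)), "2025-12-02T09:00:00Z")
    publish(log, a1)
    # Tampered copy: every gap edited to "ok" but the envelope left intact.
    bad = dict(a1, findings=[dict(f, status="ok") for f in a1["findings"]])
    return a1["fingerprint"] == a2["fingerprint"], verify(log, a1)[0], verify(log, bad)[0]
```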
If you want to understand how the underlying scan approach handles DORA and DPDP in the same artefact, the DPDP processor guide covers the rule-pack design in more detail. Companies with DORA ICT risk obligations can also review how the scanner maps DORA Art. 28 controls.
Can a clean scan actually lower your premium?
Our broker partner has indicated that companies with a clean posture scan can qualify for 10-15% lower cyber liability premiums compared to companies relying solely on self-reported questionnaires. This is not a guarantee — it depends on the specific policy, the underwriter, and your overall risk profile.
But the arithmetic is worth considering. For a company paying ₹5 lakh per year in cyber coverage, our broker partner's 10-15% indication translates to ₹50,000-75,000 annually. For a company paying ₹20 lakh per year, that range is ₹2,00,000-3,00,000.
More practically: a signed, verifiable scan artefact gives your broker something concrete to present during renewal negotiations. Instead of re-submitting a questionnaire, you hand over a timestamped artefact with a public notary entry anyone can check. That changes the conversation.
Is this the right moment to act?
The DPDP Rules have been in effect since November 2025. Insurance renewal cycles typically run 12 months. If your current policy was written or renewed before the rules were notified, your next renewal is the first real opportunity to be underwritten against the current liability regime — with evidence to support it.
Companies that can present a clean scan artefact at renewal are in a materially better negotiating position than companies presenting the same questionnaire they filled out two years ago.
Frequently asked questions
Does a clean compliance scan guarantee lower insurance premiums?
No, but it gives underwriters verifiable evidence of posture rather than a self-reported questionnaire. Our broker partner has indicated 10-15% reductions are possible for companies with clean scan results.
Which regulations does the scan cover?
GDPR, India's DPDP Act (including DPDP Rules 2025 notified November 13, 2025), and DORA for companies serving EU financial entities.
What is the difference between a posture scan and a compliance certification?
A posture scan detects gaps and produces a signed, verifiable artefact. It does not certify compliance. Certification requires human assessors and a formal audit process.
Join the first cohort
We are piloting this programme with a broker partner and have capacity for a small number of companies in the first cohort. If you want to be considered, leave your email below and we will reach out when the programme opens.
Free posture scan — no account required
Juro scans your public-facing assets for GDPR, DPDP, and DORA gaps and produces a signed, verifiable artefact. It won't write your insurance application — but it will show you what's missing before your broker asks.