Cyber Insurance: Coverage, Exclusions, and Claims Process

Veritect AI
Deep Research Agent

Executive Summary

Cyber insurance provides financial protection against losses from cyber incidents, data breaches, and technology failures, addressing the evolving digital risk landscape:

  • Coverage types: First-party (own losses) and third-party (liability to others)
  • First-party coverage: Business interruption, data recovery, ransomware, forensics
  • Third-party coverage: Data breach liability, regulatory fines, legal defense
  • Common exclusions: War, prior incidents, intentional acts, unpatched vulnerabilities
  • Premium factors: Industry, revenue, security posture, prior claims
  • Claims process: Immediate notice, forensic investigation, documentation
  • Regulatory landscape: IRDAI guidelines, growing market in India
  • Risk mitigation: Insurance complements (not replaces) cybersecurity

This guide examines cyber insurance products, policy terms, and claims management.

1. Overview of Cyber Insurance

What is Cyber Insurance?

| Aspect | Description |
| --- | --- |
| Purpose | Financial protection against cyber risks |
| Coverage | Data breaches, cyberattacks, technology failures |
| Risk transfer | Shifts financial burden to insurer |
| Complements | Cybersecurity measures (not substitute) |

Evolution in India

| Year | Milestone |
| --- | --- |
| 2015 | Early cyber insurance products introduced |
| 2020 | COVID-19 accelerates digital transformation and demand |
| 2021 | IRDAI encourages standardized cyber insurance |
| 2023+ | Growing awareness post-DPDP Act |

Market Size and Growth

| Metric | Status |
| --- | --- |
| Global market | $10+ billion annually |
| India market | Emerging (estimated Rs. 100-200 crore premiums) |
| Growth rate | 25-30% CAGR expected |
| Penetration | Low (<5% of businesses insured) |

2. Types of Cyber Insurance Coverage

First-Party Coverage (Own Losses)

| Coverage | Description |
| --- | --- |
| Business interruption | Lost revenue due to cyber incident |
| Data recovery | Cost to restore lost/corrupted data |
| Ransomware payment | Ransom paid to attackers (policy-dependent) |
| Extortion expenses | Negotiation, payment facilitation |
| Forensic investigation | Digital forensics to determine breach cause |
| Public relations | Crisis management, reputation repair |
| Notification costs | Informing affected customers/regulators |
| Credit monitoring | For affected customers (1-2 years) |
| Hardware replacement | Damaged systems/infrastructure |
| Software restoration | Reinstallation and configuration |

Third-Party Coverage (Liability)

| Coverage | Description |
| --- | --- |
| Data breach liability | Compensation to affected individuals |
| Privacy liability | Damages for privacy violations |
| Regulatory fines | Penalties (coverage varies by jurisdiction) |
| Legal defense | Cost of defending lawsuits |
| Settlement costs | Court-ordered or negotiated payments |
| PCI-DSS fines | Payment card industry penalties |
| Media liability | Defamation, copyright in digital content |
| Network security liability | Failure to prevent attacks harming others |

3. Common Policy Exclusions

Standard Exclusions

| Exclusion | Rationale |
| --- | --- |
| Acts of war | Cyber warfare excluded (state-sponsored attacks debated) |
| Prior incidents | Known breaches before policy inception |
| Intentional acts | Insider sabotage, fraud by management |
| Bodily injury/property damage | Covered under general liability |
| Unencrypted data | Failure to encrypt sensitive data |
| Known vulnerabilities | Failure to patch disclosed vulnerabilities |
| Infrastructure failure | Power outages, ISP failures (non-cyber) |
| Betterment | Upgrades beyond restoration |

Debated Exclusions

| Exclusion | Issue |
| --- | --- |
| State-sponsored attacks | NotPetya case - war exclusion debate |
| Ransomware | Some policies exclude, others cover |
| Regulatory fines | May be uninsurable in some jurisdictions |
| Cryptocurrency losses | Emerging coverage area |

4. Policy Terms and Conditions

Key Policy Elements

| Element | Description |
| --- | --- |
| Coverage limit | Maximum payout (e.g., Rs. 1 crore, Rs. 5 crore) |
| Deductible/excess | Amount insured pays before coverage (Rs. 5-50 lakhs) |
| Retroactive date | Incidents before this date excluded |
| Extended reporting period | Coverage after policy ends (tail coverage) |
| Sub-limits | Caps on specific coverage types |
| Waiting period | Time before coverage starts (uncommon in cyber) |

Coverage Triggers

| Trigger | Description |
| --- | --- |
| Claims-made | Claim must be made during policy period (most cyber policies) |
| Occurrence | Incident must occur during policy period (rare in cyber) |

5. Premium Determination Factors

Underwriting Criteria

| Factor | Weight |
| --- | --- |
| Industry/sector | High-risk (finance, healthcare) pay more |
| Annual revenue | Larger organizations = higher premiums |
| Data volume | Amount of personal/sensitive data |
| Geographic scope | Multi-country operations increase risk |
| Security posture | Strong controls reduce premiums |
| Claims history | Prior incidents increase rates |
| Coverage limits | Higher limits = higher premiums |

Security Controls Assessment

| Control | Premium Impact |
| --- | --- |
| MFA enabled | 10-20% reduction |
| EDR/XDR deployed | 10-15% reduction |
| Regular patching | 5-10% reduction |
| Security audits | 5-10% reduction |
| Incident response plan | 5-10% reduction |
| Cyber awareness training | 5-10% reduction |
| IS/ISO 27001 certification | 15-25% reduction |

Premium Ranges (India Market)

| Organization Size | Annual Premium Estimate |
| --- | --- |
| Small (< Rs. 10 Cr revenue) | Rs. 50,000 - Rs. 2 lakhs |
| Medium (Rs. 10-100 Cr) | Rs. 2 lakhs - Rs. 10 lakhs |
| Large (Rs. 100-1000 Cr) | Rs. 10 lakhs - Rs. 50 lakhs |
| Enterprise (> Rs. 1000 Cr) | Rs. 50 lakhs - Rs. 2 crores+ |

6. Claims Process

Immediate Actions (0-24 Hours)

| Step | Action |
| --- | --- |
| 1. Notify insurer | Immediately (within 24-48 hours required) |
| 2. Activate incident response | Contain breach |
| 3. Preserve evidence | Forensic imaging, logs |
| 4. Contact panel vendors | Use insurer-approved forensic firms |
| 5. Document everything | Timeline, actions, costs |

Investigation Phase (1-7 Days)

| Step | Action |
| --- | --- |
| 6. Forensic analysis | Root cause, scope, attribution |
| 7. Legal review | Notification obligations, liability |
| 8. Assess impact | Financial, reputational, operational |
| 9. Notify authorities | CERT-In, DPB, law enforcement |
| 10. Communication plan | Internal and external messaging |

Claims Submission (7-30 Days)

| Step | Action |
| --- | --- |
| 11. Complete claim form | Detailed incident description |
| 12. Submit documentation | Forensic report, invoices, notifications |
| 13. Cooperate with adjuster | Provide requested information |
| 14. Quantify losses | Business interruption, recovery costs |

Resolution (30-90+ Days)

| Step | Action |
| --- | --- |
| 15. Claim evaluation | Insurer reviews coverage applicability |
| 16. Settlement negotiation | Agree on covered amount |
| 17. Payment | Reimbursement or direct payment to vendors |
| 18. Post-incident review | Lessons learned, policy updates |

7. Documentation Requirements

Essential Documents

| Document | Purpose |
| --- | --- |
| Incident timeline | When attack occurred, detected, contained |
| Forensic report | Technical analysis of breach |
| Financial records | Invoices for recovery, forensics, legal |
| Notification records | Copies of breach notifications sent |
| Regulatory correspondence | Communications with CERT-In, DPB |
| Legal opinions | Liability assessments |
| Business interruption proof | Revenue loss calculations |

8. Regulatory Considerations in India

IRDAI Guidelines

| Aspect | Status |
| --- | --- |
| Product approval | Cyber insurance products must be IRDAI-approved |
| Standard terms | No mandatory standardization yet |
| Disclosure | Clear policy wordings required |
| Claims settlement | Subject to IRDAI timelines |

Insurable Regulatory Fines

| Penalty | Insurability in India |
| --- | --- |
| DPDP Act fines | Unclear - may be against public policy to insure |
| IT Act penalties | Some criminal penalties likely uninsurable |
| Compensatory damages | Insurable |
| Defense costs | Insurable |

9. Ransomware Coverage Deep Dive

Coverage Availability

| Policy Type | Ransomware Coverage |
| --- | --- |
| Comprehensive cyber | Usually included |
| Basic cyber | May be excluded |
| Standalone ransomware | Specific coverage available |

Ransom Payment Coverage

| Aspect | Consideration |
| --- | --- |
| Legality | Paying ransom not illegal in India (but discouraged) |
| Coverage | Most policies cover ransom payment |
| Sub-limits | Often capped (e.g., 50% of policy limit) |
| Approval | Insurer must pre-approve payment |
| Negotiation | Insurer provides negotiation experts |

Ransomware Response Expenses

| Expense | Covered |
| --- | --- |
| Forensic investigation | Yes |
| Ransom payment | Yes (if approved) |
| Negotiator fees | Yes |
| Bitcoin purchase fees | Yes |
| Data recovery | Yes |
| Business interruption | Yes |
| Public relations | Yes |

10. Business Interruption Coverage

Triggering Events

| Event | Coverage |
| --- | --- |
| Ransomware | Network unavailable |
| DDoS attack | Website/services down |
| Data breach | System shutdown for investigation |
| Malware | Systems corrupted/offline |

Calculating Lost Revenue

| Method | Application |
| --- | --- |
| Historical revenue | Average daily revenue × days offline |
| Projected revenue | For seasonal businesses |
| Gross profit | Revenue minus variable costs |
| Extra expenses | Cost of temporary workarounds |

Waiting Period

| Policy Type | Waiting Period |
| --- | --- |
| Standard | 8-24 hours before coverage starts |
| Enhanced | No waiting period |
| Sub-limit | Often capped at 30-90 days |

11. Panel Vendors and Breach Response

Pre-Approved Vendors

| Vendor Type | Service |
| --- | --- |
| Forensic firms | Mandiant, CrowdStrike, Palo Alto |
| Law firms | Privacy/cyber law specialists |
| PR firms | Crisis communication |
| Credit monitoring | Consumer protection services |
| Negotiators | Ransomware negotiation experts |

Why Use Panel Vendors

| Benefit | Description |
| --- | --- |
| Pre-negotiated rates | Cost savings |
| Proven expertise | Insurer-vetted quality |
| Claims acceptance | Guaranteed coverage |
| Streamlined process | Faster response |

12. Risk Mitigation and Premium Reduction

Cybersecurity Best Practices

| Practice | Premium Impact | Implementation |
| --- | --- | --- |
| Multi-factor authentication | -15% | All users, all systems |
| Endpoint detection (EDR) | -10% | Deploy on all endpoints |
| Email security | -10% | Advanced phishing protection |
| Regular backups | -10% | 3-2-1 rule, tested restoration |
| Patch management | -10% | Automated patching |
| Incident response plan | -10% | Documented and tested |
| Security awareness training | -10% | Quarterly training + phishing tests |
| Penetration testing | -5% | Annual third-party testing |
| Cyber insurance questionnaire | Honest answers | Affects coverage validity |

13. Common Claims Scenarios

Data Breach

| Phase | Covered Costs |
| --- | --- |
| Investigation | Forensics (Rs. 5-20 lakhs) |
| Notification | Email, postal (Rs. 2-10 lakhs for 10,000 customers) |
| Credit monitoring | Rs. 500-1000 per customer × 1-2 years |
| Legal defense | Rs. 10-50 lakhs+ |
| Regulatory fines | Varies (if covered) |
| PR | Rs. 5-15 lakhs |

Ransomware Attack

| Expense | Typical Cost |
| --- | --- |
| Ransom payment | Rs. 10 lakhs - Rs. 5 crores |
| Forensics | Rs. 5-15 lakhs |
| Data recovery | Rs. 10-50 lakhs |
| Business interruption | Rs. 1-10 crores (revenue-dependent) |
| System restoration | Rs. 5-20 lakhs |

BEC (Business Email Compromise)

| Loss Type | Coverage |
| --- | --- |
| Fraudulent transfer | May be excluded or sub-limited |
| Investigation | Covered |
| Legal fees | Covered |
| Recovery efforts | Covered |

14. Compliance Checklist

Before Purchasing Cyber Insurance

  • Assess cyber risk exposure (data types, volume, systems)
  • Document current security controls
  • Identify coverage needs (first-party, third-party, limits)
  • Obtain quotes from 3+ insurers
  • Compare policy terms, exclusions, sub-limits
  • Review panel vendors and breach response services
  • Understand claims process and documentation requirements
  • Verify insurer's financial strength and claims reputation

After Purchasing Policy

  • Read and understand full policy document
  • Identify Grievance Officer and claims contact
  • Store policy in secure, accessible location
  • Train incident response team on claims notification process
  • Integrate insurance into incident response plan
  • Maintain security controls used to qualify for coverage
  • Update policy annually based on business changes
  • Conduct annual policy review with broker

During Incident (Claims Activation)

  • Notify insurer immediately (within 24-48 hours)
  • Contact panel vendors if required
  • Preserve all evidence (forensic images, logs)
  • Document all actions and expenses
  • Coordinate with insurer's adjuster
  • Do NOT make admissions of liability
  • Obtain insurer approval before major expenses
  • Submit claim form with complete documentation

15. Key Takeaways for Practitioners

  1. Two Coverage Types: First-party (own losses) and third-party (liability to others).

  2. Claims-Made Basis: Most cyber policies are claims-made - claim must be filed during policy period.

  3. Immediate Notification: Notify insurer within 24-48 hours of incident discovery.

  4. Panel Vendors: Use insurer-approved forensic and legal firms to ensure coverage.

  5. Exclusions Matter: War, prior incidents, intentional acts, unpatched vulnerabilities often excluded.

  6. Ransomware Coverage: Available but may require pre-approval for payment.

  7. Regulatory Fines: Coverage for DPDP/IT Act fines unclear in India - verify with insurer.

  8. Security Controls Reduce Premiums: MFA, EDR, training can reduce premiums by 30%+.

  9. Business Interruption: Often has sub-limits and waiting periods (8-24 hours).

  10. Documentation Critical: Maintain detailed records of incident, response, and costs for claims.

Conclusion

Cyber insurance provides essential financial protection against the growing threat of cyber incidents, complementing (not replacing) robust cybersecurity measures. Organizations must carefully evaluate coverage options, understanding the distinction between first-party and third-party coverage, and scrutinizing exclusions and sub-limits. The claims process requires immediate insurer notification, use of panel vendors, and meticulous documentation. As India's cyber insurance market matures post-DPDP Act, organizations should leverage insurance as part of a comprehensive risk management strategy while maintaining strong security controls to reduce both risk exposure and insurance premiums.
