Cyber Claims Process
Definition
The Cyber Insurance claims process involves immediate incident response, forensic investigation, regulatory notification, loss quantification, and settlement. Unlike traditional insurance claims, cyber claims require rapid response — often within hours — because a breach is an ongoing event where delay increases the damage.
Explanation in Simple Language
Step-by-Step Cyber Claims Process in India:
1. Incident Detection & Notification (0-6 hours): Detect the breach, activate the incident response plan, notify the insurer's 24/7 claims hotline immediately, file an FIR with the local Cyber Crime Cell, report to CERT-In within 6 hours.
2. Insurer Deploys Incident Response Team (6-48 hours): The insurer appoints forensic investigators, legal counsel, and PR crisis managers from their pre-approved panel. The forensic team contains the breach, identifies the attack vector, and preserves evidence.
3. Breach Containment & Assessment (48 hours - 2 weeks): Isolate affected systems, assess the scope of data compromised, determine regulatory notification obligations (CERT-In, RBI, SEBI as applicable), begin data restoration from backups.
4. Notification & Remediation (2-8 weeks): Notify affected individuals (if personal data was breached), offer credit monitoring or identity theft protection, engage PR firm for reputation management, implement system hardening and security improvements.
5. Loss Quantification & Settlement (2-6 months): Compile all costs — forensics, legal, notification, business interruption, regulatory fines. Submit the documented claim to the insurer. Insurer adjusts the claim against policy terms, deductibles, and sub-limits. Settlement is paid.
Critical Tip: Preserve all evidence. Do not wipe or reformat compromised systems before the forensic investigation is complete.
Real-Life Indian Example
Healthcare Chain — Chennai:
A multi-branch hospital chain discovered that a malware infection had been exfiltrating patient records for 3 months. By the time it was detected, 2.5 lakh patient records (including diagnoses, prescriptions, and Aadhaar numbers) had been leaked to the dark web.
The claims process:
- Day 1: Hospital notified insurer and CERT-In. FIR filed. Insurer activated a forensic team from a Big Four accounting firm.
- Week 1-2: Forensic team identified the malware entry point (a compromised vendor VPN), contained the breach, and assessed the data scope.
- Week 3-6: Hospital sent breach notifications to all 2.5 lakh patients. PR crisis management was engaged.
- Month 2-4: Consumer complaints from 320 patients were handled by the insurer's legal panel.
- Month 6: Total claim settled at Rs 3.2 Crore (forensics Rs 45L, notification Rs 28L, legal Rs 38L, regulatory defense Rs 65L, business interruption Rs 1.44 Cr).
Key learning: The 3-month detection gap dramatically increased the claim size. Early detection tools (SIEM, EDR) would have limited the damage.
Claim Scenario
Scenario: Business Email Compromise — Pharma Company, Ahmedabad
A pharmaceutical company's CFO received an email appearing to be from the CEO, instructing an urgent wire transfer of Rs 1.2 Crore to a "new supplier" in Dubai. The CFO, recognizing the CEO's email style and signature, processed the transfer. The money was immediately laundered through multiple accounts.
Claim process:
1. Fraud discovered 48 hours later when the real CEO asked about the transfer.
2. FIR filed with Ahmedabad Cyber Crime Cell. Bank notified to freeze destination accounts (too late — funds already moved).
3. Cyber Insurance claim filed under the Social Engineering Fraud endorsement.
4. Insurer investigated: confirmed the email was spoofed (domain was "company-name.co" instead of "company-name.com"), verified the company had no dual-authorization policy for transfers above Rs 50 Lakhs.
5. Insurer settled Rs 95 Lakhs (Rs 1.2 Cr minus Rs 25 Lakh sub-limit deductible for social engineering claims).
Lesson: Dual-authorization for large transfers and email domain verification training could have prevented this entirely.
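An added example, not part of this training material, of the two controls the lesson names: a sender-domain check that flags the lookalike "company-name.co" and a dual-approval rule for transfers above Rs 50 Lakh. The trusted domain, the threshold, the approver names and the function names are assumed for illustration.

```python
# Added example (not from the original training material): a minimal
# payment-release check modelled on the Ahmedabad BEC scenario above.
# The trusted domain, threshold and approver names are assumed.
import re

TRUSTED_DOMAIN = "company-name.com"   # assumed: the firm's real domain
DUAL_AUTH_THRESHOLD = 50_00_000       # Rs 50 Lakh, the limit cited above

def sender_domain(from_header: str) -> str:
    """Extract the domain from a From: header such as 'CEO <ceo@x.com>'."""
    match = re.search(r"@([A-Za-z0-9.-]+)", from_header)
    return match.group(1).lower() if match else ""

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(domain: str, trusted: str = TRUSTED_DOMAIN) -> bool:
    """True when the domain resembles the trusted one without being it.
    Catches a swapped or truncated TLD ('company-name.co') and a single
    inserted, dropped or substituted character anywhere in the name."""
    if domain == trusted:
        return False
    name, _, _tld = domain.rpartition(".")
    trusted_name, _, _ttld = trusted.rpartition(".")
    if name and name == trusted_name:     # same name, different TLD
        return True
    return edit_distance(domain, trusted) <= 1

def check_transfer_request(from_header: str, amount_inr: int, approvers: set) -> dict:
    """Decide whether a wire request may be released; list every blocking reason.
    approvers is the set of distinct people who have signed off."""
    domain = sender_domain(from_header)
    reasons = []
    if domain != TRUSTED_DOMAIN:
        kind = "lookalike domain" if is_lookalike(domain) else "external domain"
        reasons.append(f"request sent from {kind}: {domain}")
    if amount_inr > DUAL_AUTH_THRESHOLD and len(approvers) < 2:
        reasons.append("amount above Rs 50 Lakh needs two distinct approvers")
    return {"release": not reasons, "reasons": reasons}

if __name__ == "__main__":
    # Constructed request mirroring the scenario: lookalike domain, single approver.
    print(check_transfer_request('"CEO" <ceo@company-name.co>', 120_00_000, {"cfo"}))
```

Either failed check blocks release, so the request in the scenario would have been stopped twice over: once for the domain and once for the missing second approver.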
Learning for POSP / Advisor
POSP Guide for Cyber Claims:
1. Educate clients on the claim timeline: Cyber claims are NOT like motor claims. The insurer needs to be notified within hours, not days. Delay in notification can void the claim.
2. Ensure the client has the insurer's 24/7 incident response hotline saved and accessible to their IT team. It should not be buried in a policy document.
3. Advise clients to have an Incident Response Plan (IRP) ready before a breach happens. Many insurers offer free IRP templates or workshops — highlight this as a value-add.
4. Document everything: Advise clients to keep screenshots, logs, emails, and records of every action taken during and after the incident. Poor documentation is the biggest reason for claim disputes.
5. Key selling point: "Cyber Insurance doesn't just pay money — it brings you a team of forensic experts, lawyers, and crisis managers within hours of a breach. That expertise is worth more than the premium."
Summary Notes
1. Cyber claims require immediate action: notify the insurer and CERT-In within hours, not days.
2. The insurer deploys forensic investigators, legal counsel, and PR crisis managers from their panel.
3. Never wipe or reformat systems before the forensic investigation — it destroys critical evidence.
4. Business interruption has a waiting period (8-12 hours typically) before coverage starts.
5. Social engineering fraud claims require a specific endorsement — verify coverage at point of sale.
6. Document everything during the incident — logs, screenshots, emails, actions taken.
7. An Incident Response Plan (IRP) should be in place before a breach, not created during one.
