Why the First 72 Hours Decide the Cyber Claim Outcome
On a material cyber incident affecting an Indian corporate insured, the first 72 hours determine more about the claim outcome than any subsequent week of investigation or remediation. Forensic evidence decays. Threat actors expand their access. Regulatory clocks tick under CERT-In and DPDP. Customer and media exposure accumulates. The insurer's panel vendors mobilise (or fail to mobilise). The choices the insured makes about whom to call, in what order, and with what scope define the trajectory from incident to settlement.
Indian cyber insurance gross written premium reached approximately INR 1,650 crore in FY 2024-25, growing at roughly 38 percent year on year, with claims paid of approximately INR 720 crore across ransomware, business email compromise, data exfiltration, and third-party liability events. The loss-cost composition is shifting: ransomware events accounted for 41 percent of cyber claim value in 2024-25 (down from 56 percent in 2022-23), data-exfiltration-driven regulatory and customer-notification costs accounted for 23 percent, business email compromise and funds-transfer fraud for 18 percent, business interruption for 11 percent, and third-party liability for 7 percent. The shift toward regulatory and notification costs reflects the operationalisation of the DPDP Act 2023.
The coordination failure modes recur. The insured calls its general counsel and IT vendor first, with the insurer notification delayed by 24 to 72 hours, foreclosing panel forensic engagement under the policy. The breach coach is engaged late, with privilege not properly established over forensic communications. CERT-In notification within the 6-hour regulatory window is missed because the technical team is working the incident and not the notification clock. Ransomware payments are made or contemplated without insurer authorisation, opening coverage disputes on ransom indemnification. Customer notifications go out before legal review, creating litigation exposure that the underlying cyber cover does not extend to.
This guide lays out the coordination framework for Indian cyber incident response from hour 0 to hour 72, covering the panel forensic provider engagement, breach coach role, CERT-In and DPDP notification discipline, contract-of-engagement under privilege, claim cooperation clauses, and ransomware payment authorisation. It is written for CISOs, general counsel, risk managers, and broker claims advisors managing material cyber incidents above INR 1 crore loss potential.
Insurer Panel Forensic Providers and the Engagement Mechanism
Indian cyber insurers operate panel networks of forensic, legal, and crisis-communications providers that mobilise on insured incidents under negotiated rate cards and pre-approved scopes of work. The panel mechanism is operationally efficient and produces material cost savings, but engagement discipline at the insured's side is the precondition for the mechanism to work as designed.
The major panel forensic providers in India
The panel network for Indian cyber insurance overlaps with the major global incident response practices and Indian forensic specialists.
- Kroll. Global incident response leader with India presence, panel provider for multiple Indian insurers. Strong in incident response, threat intelligence, and ransomware negotiation. Operational hub in Mumbai with regional teams.
- Mandiant (part of Google Cloud). Threat intelligence and incident response, panel provider on several Indian programmes. Strong in advanced persistent threat investigations and nation-state-linked incidents. India operations via the Google Cloud Indian entity.
- CrowdStrike. Falcon-based incident response with EDR integration, panel provider on programmes where the insured already uses CrowdStrike for endpoint protection. India operations expanding through 2025-2026.
- KPMG Forensic India. Indian Big Four practice with cyber forensic capability, panel provider on multiple insurer programmes. Strong in Indian regulatory liaison and CERT-In coordination.
- EY Forensic India (Forensic and Integrity Services). Indian Big Four practice with cyber capability, panel provider with strength in financial-services incidents and regulatory engagement.
- Deloitte Cyber Risk Services India. Indian Big Four practice with incident response capability, panel provider with strong technology-sector and GCC client base.
- PwC India Cyber Forensics. Indian Big Four practice with incident response capability, panel provider with strength in BFSI and pharma sectors.
- Lodestone (a Beazley company). Mid-sized international IR specialist with India coverage, panel provider on Beazley-fronted and several other Indian programmes.
- Arete. Mid-sized IR specialist with strong ransomware-recovery practice, panel provider on several Indian programmes.
- Indian specialists. Sequretek, Lucideus (now SAFE Security), Kratikal, NII Consulting, and Network Intelligence handle India-specific incident response, often as second-tier panel providers or as escalation backups.
How panel engagement works
The panel engagement runs through five operational steps that must occur in the first 6 to 24 hours of incident awareness.
- Insured notifies the insurer of incident. Notification is to the insurer's cyber claims team, typically through a dedicated incident hotline operated 24x7 by the major Indian cyber insurers. The notification triggers panel mobilisation.
- Insurer assigns the breach coach. The breach coach (discussed in the next section) is a panel law firm that coordinates the incident response from the legal and claim perspective. Assignment is typically within 1 to 4 hours of notification.
- Breach coach assesses incident and engages panel forensics. The breach coach reviews the preliminary incident assessment with the insured's CISO and recommends the appropriate panel forensic provider based on incident type, sector, and prior relationships.
- Insurer issues scope-and-budget approval. The insurer's claims manager approves the scope of work and budget for the panel forensic engagement, typically within 24 hours of incident notification. The approval is the operational green-light for the forensic provider to mobilise.
- Panel forensic provider mobilises. The forensic team begins on-site or remote engagement, with formal contract issued under the breach coach's privileged engagement (discussed below).
When the insured wants to use a non-panel provider
The insured may have existing relationships with non-panel forensic providers (the incumbent SOC vendor, a sectoral specialist, a longstanding MSSP) and want to use them rather than the insurer's panel. Three considerations apply.
- Coverage scope on non-panel providers. The policy typically funds panel providers at full rate-card rates and non-panel providers at a capped rate (commonly 75 to 90 percent of the equivalent panel rate). The cap differential is borne by the insured.
- Mobilisation speed and capability. Panel providers have pre-approved scope, pre-negotiated rates, and demonstrated capability that has been vetted by the insurer. Non-panel providers must be vetted at the incident stage, adding 12 to 48 hours of delay.
- Coordination with the breach coach. Non-panel forensic providers may not have established working relationships with the breach coach or other panel components, creating coordination friction during the incident response.
For most Indian incidents, the panel route is operationally preferred. Where the insured has compelling reasons for non-panel engagement (incumbent vendor with deep environment knowledge, sectoral specialism not present on the panel), the broker should negotiate the non-panel engagement with the insurer at the policy design stage, securing pre-approval or rate-card alignment to remove the in-incident dispute.
The Breach Coach and the Privileged Engagement Structure
The breach coach is the insurer-funded panel law firm that coordinates the incident response from the legal and claim management perspective. The breach coach role is operationally central in modern cyber claims and is one of the highest-value components of the cover, but the role is misunderstood by many Indian insureds who treat the breach coach as an optional resource rather than a structural coordinator.
What the breach coach does
The breach coach's responsibilities span six operational areas.
- Incident triage and scope assessment. Working with the insured's CISO and the insurer's claims manager, the breach coach assesses the incident's scope, severity, regulatory exposure, and likely claim quantum. The assessment shapes the scope of forensic engagement and the claim trajectory.
- Vendor coordination under privilege. The breach coach engages the panel forensic provider, legal specialists, and any other vendors under a privileged engagement structure, with the breach coach as the contracting party and the forensic findings communicated as work product under attorney-client privilege.
- Regulatory notification advice. CERT-In notification within the 6-hour window, DPDP Act notification, SEBI notification for listed entities, sectoral regulator notifications (RBI for financial services, IRDAI for insurance, NPCI for payments), and similar regulatory obligations are coordinated by the breach coach with input from the insured's internal legal team.
- Customer and third-party notification advice. Where the incident affects customer data, supplier data, or third-party stakeholders, the notification strategy, timing, and content are advised by the breach coach with input from the insured's communications and marketing teams.
- Litigation and regulatory defence. Where the incident produces customer litigation, regulator enforcement, or third-party claims, the breach coach typically transitions to the role of coordinating defence counsel for those matters.
- Claim documentation and submission. The breach coach maintains the claim documentation, prepares the formal claim submission to the insurer, and engages with the insurer's claims committee on settlement.
The privilege structure
The privileged engagement structure is the operational mechanism for protecting forensic findings from discovery in subsequent litigation. The structure depends on the breach coach engaging the forensic provider under a tripartite contract (insurer, breach coach, forensic provider), with the legal services being primary and the forensic services being instrumental to the legal advice.
Indian privilege doctrine, while less developed than US or UK privilege for cyber matters, recognises legal professional privilege under Section 126 of the Indian Evidence Act 1872 (preserved as Section 132 of the Bharatiya Sakshya Adhiniyam 2023), extending to communications between client and lawyer for the purpose of legal advice. The privilege extends to work product prepared by experts engaged by the lawyer for the purpose of providing legal advice, subject to the dominant-purpose test.
For the privilege to hold in Indian courts, three discipline points matter.
- The engagement letter must establish the legal-advice purpose. The contract between breach coach and forensic provider must state that the forensic engagement is for the purpose of providing legal advice to the client, with the legal-advice purpose dominant over operational remediation purposes.
- Communications must flow through the breach coach. Forensic findings should be communicated to the breach coach, who then provides legal advice to the client incorporating the forensic findings. Direct communications between the forensic provider and the client's operational teams undermine the privilege claim.
- Operational remediation should be documented separately. The day-to-day remediation activity (containment, eradication, recovery) is operational and not privileged. The strategic forensic analysis informing legal advice (root-cause analysis, threat-actor attribution, regulatory impact assessment) is the privileged work product. The two streams should be documented separately, with the privileged work product identified and protected.
Common privilege failures
Three privilege failures recur in Indian cyber incidents.
- Forensic engagement directly by the client. Where the insured's IT team or CISO engages the forensic provider directly, with the breach coach added later, the privilege foundation is weak: the forensic engagement was operational, not for legal-advice purposes.
- Mixed-purpose engagements. Where the forensic provider is engaged for both incident response (operational) and litigation-preparation (legal), the dominant-purpose test can defeat privilege. The engagement letter should clearly establish the legal-advice purpose as dominant.
- Internal sharing of forensic findings. Where forensic findings are shared widely within the insured organisation (to the board, to senior management, to operational teams) without privilege markings and access controls, the privilege claim is weakened.
CERT-In 6-Hour Notification and the Regulatory Notification Cascade
The CERT-In notification window is the tightest regulatory clock on any Indian cyber incident, and the discipline of meeting the 6-hour window is one of the most operationally demanding elements of the response. The notification cascade extends beyond CERT-In to DPDP, sectoral regulators, and other notification obligations, with each having its own clock and content requirements.
The CERT-In 6-hour rule
The Indian Computer Emergency Response Team (CERT-In) directive of April 2022, as updated through 2024-2026, requires reporting of specified cybersecurity incidents within 6 hours of noticing or being brought to notice. The directive covers 20 categories of incidents including unauthorised access, ransomware attacks, data breaches, denial of service, identity theft, and several others. The notification format is the prescribed incident reporting form filed through the CERT-In portal.
The 6-hour clock is operationally tight because it runs from the point of noticing the incident, not from when the full scope is understood. The notification can be preliminary, with subsequent updates as the investigation progresses, but the initial 6-hour notification cannot be deferred while the technical team works the incident.
The operational discipline for meeting the 6-hour window has four elements.
- Pre-positioned notification template. A pre-prepared CERT-In notification template should be maintained as part of the incident response runbook, requiring only incident-specific population at the time of incident.
- Designated notification owner. A named person (typically the CISO or designated alternate) should own the CERT-In notification, separate from the technical incident response team. The owner has the singular responsibility of filing within the 6-hour window.
- Pre-approved notification content. The notification content should be pre-approved by the breach coach and the insurer's claims team, with the standard format and language agreed in advance. The pre-approval prevents in-incident delay over notification language.
- Continuous update discipline. Subsequent updates to CERT-In as the investigation progresses are operationally important. The initial 6-hour notification is brief; the substantive updates over the subsequent days are where the regulatory engagement is established.
DPDP Act notification
The Digital Personal Data Protection Act 2023 and its implementing rules require notification to the Data Protection Board of India and to affected data principals where personal data has been breached. The notification timeline under the DPDP rules is without delay, with the rules clarifying that the data fiduciary must notify the Board within 72 hours of becoming aware of the breach and notify affected data principals as soon as reasonably practicable.
The DPDP notification has more substantive content requirements than the CERT-In notification. The notification must include the nature and scope of the breach, the categories and approximate number of data principals affected, the categories and approximate volume of personal data records affected, the likely consequences of the breach, the measures taken or proposed to address the breach, and the contact point for data principals seeking further information.
Sectoral regulatory notifications
Three sectoral notification regimes apply in addition to CERT-In and DPDP.
- RBI for regulated financial entities. Banks, NBFCs, and payment system operators must notify the Reserve Bank of India under the RBI cyber security framework, with specific notification timelines and content requirements varying by entity type. RBI-regulated entities also have additional reporting to NPCI for payment system incidents.
- SEBI for listed entities. Listed companies have material event disclosure obligations under the SEBI Listing Obligations and Disclosure Requirements (LODR) 2015, with cyber incidents potentially constituting material events requiring stock exchange disclosure.
- IRDAI for insurance entities. Insurers, brokers, and other IRDAI-registered entities have notification obligations under the IRDAI Information and Cybersecurity Guidelines 2023 (also referred to as the IRDAI Information Security Guidelines, 2023), which formalised the framework through 2024-2025.
The notification matrix
The insured's incident response runbook should include a notification matrix with the regulators and other parties to be notified, the notification window for each, the responsible owner, and the content template. The matrix is operationally critical for incidents that touch multiple regulatory regimes simultaneously.
For a hypothetical incident affecting a listed insurance broker holding personal data of customers, the notification matrix would include CERT-In (6 hours), Data Protection Board under DPDP (72 hours), affected data principals (as soon as practicable), IRDAI (per the security guidelines, typically within 24 hours of significant incidents), and BSE and NSE under SEBI LODR (immediate, where the incident is material). The matrix sets the cadence and allocates responsibility to specific named persons.
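The matrix above, worked as a small deadline tracker so the notification owner can see every clock at a glance. This is an added example, not part of the original guide: the owner roles are placeholder assumptions, the timestamps are constructed, and the windows are the ones stated on this page, including the 2-hour insurer hotline call recommended in the cooperation section. Note that the CERT-In and DPDP clocks run from the time the incident was noticed, while the insurer call runs from the time awareness reached the CISO.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional

IST = timezone(timedelta(hours=5, minutes=30))


@dataclass
class IncidentFacts:
    noticed_at: datetime        # first noticed by SOC/MDR: CERT-In and DPDP clocks run from here
    ciso_aware_at: datetime     # awareness reached CISO/senior management: insurer 2-hour rule runs from here
    personal_data_affected: bool
    listed_entity: bool
    irdai_regulated: bool
    significant: bool           # IRDAI "significant incident" threshold
    material: bool              # SEBI LODR materiality


@dataclass
class Obligation:
    party: str
    owner: str                              # named role (placeholder roles, not from the guide)
    window: Optional[timedelta]             # None = no fixed clock; timedelta(0) = immediate
    clock_from: str                         # attribute of IncidentFacts the clock runs from
    applies: Callable[[IncidentFacts], bool]
    basis: str


# The matrix from the text, for the hypothetical listed insurance broker holding customer data.
MATRIX = [
    Obligation("Insurer cyber claims hotline", "CISO", timedelta(hours=2), "ciso_aware_at",
               lambda f: True, "policy cooperation clause; internal 2-hour rule"),
    Obligation("CERT-In", "CISO (notification owner)", timedelta(hours=6), "noticed_at",
               lambda f: True, "CERT-In directive of April 2022"),
    Obligation("Data Protection Board of India", "General counsel", timedelta(hours=72),
               "noticed_at", lambda f: f.personal_data_affected, "DPDP Act 2023 rules"),
    Obligation("Affected data principals", "General counsel", None, "noticed_at",
               lambda f: f.personal_data_affected, "DPDP Act 2023: as soon as reasonably practicable"),
    Obligation("IRDAI", "Compliance officer", timedelta(hours=24), "noticed_at",
               lambda f: f.irdai_regulated and f.significant,
               "IRDAI Information and Cybersecurity Guidelines 2023"),
    Obligation("BSE / NSE (SEBI LODR)", "Company secretary", timedelta(0), "noticed_at",
               lambda f: f.listed_entity and f.material, "SEBI LODR 2015 material event disclosure"),
]


@dataclass
class Deadline:
    party: str
    owner: str
    due: Optional[datetime]
    status: str


def build_deadlines(facts, now, filed=frozenset(), matrix=MATRIX):
    """Applicable obligations with due times and status as of `now`; `filed` = parties already notified."""
    rows = []
    for ob in matrix:
        if not ob.applies(facts):
            continue
        start = getattr(facts, ob.clock_from)
        due = None if ob.window is None else start + ob.window
        if ob.party in filed:
            status = "filed"
        elif due is None:
            status = "open (no fixed clock)"
        elif ob.window == timedelta(0):
            status = "IMMEDIATE"
        elif now > due:
            status = "OVERDUE"
        elif due - now <= timedelta(hours=1):
            status = "due within 1h"
        else:
            status = "pending"
        rows.append(Deadline(ob.party, ob.owner, due, status))
    # Tightest clock first; obligations without a fixed clock last.
    rows.sort(key=lambda d: (d.due is None, d.due or now))
    return rows


def needs_action_now(rows):
    """Parties whose clock is immediate, about to expire, or already missed."""
    return [r.party for r in rows if r.status in ("IMMEDIATE", "due within 1h", "OVERDUE")]


def example_incident():
    """Constructed timeline: noticed 09:00 IST, CISO briefed 09:40, status checked at 14:30."""
    facts = IncidentFacts(
        noticed_at=datetime(2025, 3, 10, 9, 0, tzinfo=IST),
        ciso_aware_at=datetime(2025, 3, 10, 9, 40, tzinfo=IST),
        personal_data_affected=True, listed_entity=True,
        irdai_regulated=True, significant=True, material=True,
    )
    return facts, datetime(2025, 3, 10, 14, 30, tzinfo=IST)


if __name__ == "__main__":
    facts, now = example_incident()
    for row in build_deadlines(facts, now, filed={"Insurer cyber claims hotline"}):
        due = row.due.strftime("%d %b %H:%M") if row.due else "no fixed clock"
        print(f"{row.party:32} {row.owner:26} {due:16} {row.status}")
```

Run at 14:30 the tracker shows the SEBI disclosure as immediate and CERT-In due within the hour, which is exactly the moment the technical team is deepest in the incident and the separate notification owner earns their place.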
Cooperation Clause Mechanics and the Insurer Coordination Discipline
The cyber insurance policy cooperation clause is operationally similar to the cooperation clause on other liability policies but has incident-specific operational requirements that the insured must understand. The cooperation discipline is the foundation of the claim, and breach of cooperation is the most common basis for cyber claim disputes in the Indian market.
What the cooperation clause requires
Indian cyber policy cooperation clauses typically require the insured to:
- Notify the insurer promptly of any incident or circumstance that could give rise to a claim, with notification typically within the first 24 to 72 hours of incident awareness.
- Provide all information and documents requested by the insurer, including network logs, threat intelligence, forensic findings, and internal communications related to the incident.
- Cooperate with the insurer-appointed breach coach and panel vendors, including following the operational coordination structure described above.
- Refrain from settlements, admissions, or payments without insurer consent, particularly important for ransomware demands and third-party settlement.
- Attend interviews and provide witness statements as required by the insurer or its appointed counsel in any subsequent litigation or regulatory proceeding.
- Preserve evidence and maintain chain of custody for forensic materials, system images, network logs, and other evidence relevant to the incident and the claim.
Common cooperation failures
The cooperation failures in Indian cyber claims recur in five patterns.
- Delayed insurer notification. The insured notifies the insurer 24 to 96 hours after incident awareness, with the delay typically attributed to internal escalation processes. The insurer's position is that the delay foreclosed panel engagement opportunities and, with them, the operational scope of policy cover.
- Unauthorised pre-notification spend. The insured incurs forensic, legal, or recovery costs before notifying the insurer, with the costs subsequently contested as outside policy scope. The dispute quantum can run from INR 30 lakh to INR 6 crore on material incidents.
- Direct communication with claimants and regulators without insurer consent. The insured's communications team or general counsel communicates with affected customers, regulators, or media without insurer or breach coach review, creating positions that the insurer's claim handling must subsequently work around.
- Settlement payments without insurer consent. The insured settles with affected third parties, makes ransom payments to threat actors, or offers compensation to customers without insurer consent, with the payments subsequently contested as voluntary and outside indemnity scope.
- Evidence preservation failures. System images are not preserved, network logs are overwritten, or operational systems are wiped and rebuilt without forensic preservation. The evidence loss undermines the insurer's claim investigation and subrogation positions.
Operational cooperation discipline
Three disciplines preserve the insured's cooperation position.
- The 2-hour insurer notification rule. Within 2 hours of incident awareness reaching the CISO or senior management, the insurer's incident hotline is called. The notification can be preliminary and incomplete; the discipline is the call itself, not the fully detailed briefing.
- The pre-notification spend prohibition. No external forensic, legal, or recovery spend before insurer notification and panel engagement, except for emergency containment by existing internal resources or pre-approved retainers.
- The single coordination point. A named coordinator (typically the CISO or general counsel) is the single point through which all external communications, panel vendor engagement, and insurer interaction are channelled. The single point prevents the situation where different parts of the insured organisation take inconsistent positions.
Ransomware Payment Authorisation and the Operational Decision Matrix
Ransomware payment is the most operationally contested element of Indian cyber incident response. The decision involves regulatory considerations (Indian and foreign sanctions, anti-money-laundering law), ethical considerations (paying the ransom funds the threat actor's future operations), operational considerations (does payment actually deliver decryption keys), and coverage considerations (is the payment indemnifiable under the policy). Coordination with the insurer at every step is the precondition for any payment to be coverable.
The current Indian regulatory position
Indian law does not prohibit ransomware payments per se. The relevant legal considerations are sanctions (where the threat actor or their wallet is on a sanctions list, payment can violate sanctions enforced through the Foreign Exchange Management Act 1999 and the Prevention of Money Laundering Act 2002), anti-money-laundering (large cryptocurrency transactions can trigger reporting and source-of-funds requirements), and tax (payments may have withholding and source-of-funds implications).
Indian cyber insurance policies through 2024-2026 generally permit ransom indemnification within policy terms, subject to insurer consent, sanctions checks, and documentation discipline. The position differs from some Western jurisdictions where regulators have signalled hostility to ransom payments and where insurers have voluntarily limited or excluded ransom coverage.
The decision matrix
The ransom payment decision should run through a structured matrix with six dimensions.
- Operational necessity. Is decryption necessary for operational recovery, or can the insured recover from backups, alternative systems, or rebuild? The necessity assessment is honest, not aspirational; many ransom payments have been made when backup recovery was viable but slower.
- Data exfiltration risk. Has the threat actor exfiltrated data, and is the ransom partly for non-publication of stolen data (extortion ransom rather than decryption ransom)? Extortion ransoms have lower technical effectiveness because the threat actor retains the data regardless of payment.
- Sanctions and legal screening. Has the threat actor been screened against US OFAC, UN, EU, UK, and Indian sanctions lists? Has the proposed cryptocurrency wallet been screened? The screening is conducted by the breach coach or specialist sanctions counsel.
- Technical likelihood of decryption. Based on threat intelligence on the specific ransomware variant and threat actor, what is the probability of receiving working decryption keys after payment? Industry data suggests 65 to 80 percent for major ransomware groups, lower for less established actors.
- Insurer authorisation. Has the insurer authorised payment within policy terms, including the maximum amount, the timing, and the conditions of payment?
- Documentation discipline. Is the payment going to be documented in a manner consistent with claim recovery, including the negotiation transcripts, the sanctions screening, the operational necessity analysis, and the payment transaction records?
How insurer authorisation works
The insurer's authorisation for ransom payment is a discrete claims-handling step that should not be assumed from general policy engagement. The authorisation typically requires:
- The breach coach's confirmation that sanctions screening is clean.
- The forensic provider's assessment of operational necessity and technical likelihood.
- The insurer's claims manager approval, often escalated to a senior claims committee for material ransoms above INR 5 crore equivalent.
- Documentation of the maximum authorised amount, the proposed payment method, and the timing.
Authorisation that comes without the structured assessment can be challenged by the insurer at the claim stage, with the insurer arguing that the authorisation was based on incomplete information.
Ransomware negotiation
The ransom amount initially demanded by the threat actor is typically negotiable, with settlement amounts running 25 to 60 percent of the initial demand in negotiated cases. Panel ransomware negotiators (Kroll, Coveware, Arete, and several specialists) handle the negotiation under the breach coach's coordination.
The negotiation discipline matters operationally and for coverage. A poorly conducted negotiation can produce inflated payments that the insurer subsequently contests as outside the operational necessity scope. A well-conducted negotiation produces documented offers, counter-offers, and settlement terms that support the claim quantum.
Post-payment discipline
If the payment is made, three post-payment disciplines apply.
- Verification of decryption. The decryption keys delivered by the threat actor must be tested against representative systems to confirm functionality. Where the keys do not work, the payment is documented as ineffective for operational recovery, which has implications for future incident response.
- Re-securing the environment. Payment of ransom does not eliminate the underlying vulnerability or the threat actor's residual access. Re-securing the environment includes credential rotation, vulnerability remediation, and threat actor eviction.
- Regulatory and tax reporting. The payment may have CERT-In reporting implications, tax withholding considerations, and source-of-funds reporting requirements depending on the structure.
The Hour-by-Hour Incident Response Playbook
Pulling the components together, the hour-by-hour incident response playbook for Indian cyber incidents has fourteen operational checkpoints across the first 72 hours. The playbook is the operational synthesis that broker claims advisors and insurance teams should run on every material incident.
Hour 0 to 2: Initial detection and notification
- Incident detection and triage. The SOC, MDR provider, or internal security team identifies an incident and escalates to the CISO. Initial triage establishes scope, affected systems, and incident classification.
- Insurer hotline notification within 2 hours. The CISO or designated alternate calls the insurer's cyber claims hotline with the preliminary incident summary. The notification can be brief and incomplete; the call is the discipline.
- Breach coach assignment. The insurer's claims team assigns the panel breach coach, who makes initial contact with the insured within 1 to 4 hours.
Hour 2 to 6: Coordination establishment
- CERT-In notification within 6 hours. The pre-positioned template is populated with incident specifics and filed through the CERT-In portal. The notification is preliminary; substantive updates follow.
- Internal coordination structure. The CISO, general counsel, CFO, communications head, and CEO are briefed and the single-coordination-point structure is established.
- Panel forensic provider engagement under privilege. The breach coach engages the panel forensic provider with the privileged engagement structure described above.
Hour 6 to 24: Investigation and containment
- Forensic provider mobilisation. The panel forensic team begins on-site or remote engagement, with initial focus on containment, evidence preservation, and scope assessment.
- DPDP and sectoral notifications scoping. The breach coach assesses DPDP notification requirements, sectoral regulator requirements (RBI, SEBI, IRDAI), and customer notification implications.
- Stakeholder communications planning. The communications head, breach coach, and general counsel align on stakeholder communication strategy, with public statements, customer notifications, and media engagement coordinated.
Hour 24 to 48: Substantive response
- DPDP Board notification within 72 hours. The substantive DPDP notification to the Data Protection Board, with full incident scope, affected data categories, and remediation measures.
- Customer notification preparation. Where customer notification is required under DPDP or by operational necessity, the notification content and distribution strategy are finalised under breach coach review.
- Ransomware authorisation matrix (where applicable). For ransomware incidents, the six-dimension decision matrix described in the previous section is worked through, with insurer authorisation sought before any payment.
Hour 48 to 72: Stabilisation
- Customer notifications dispatched (where required). Affected customers receive the substantive notification with the required content under DPDP and any sectoral requirements.
- Public statement (where required). For incidents with material public exposure, the public statement is issued through the planned communications channels.
- Claim documentation initiation. The breach coach begins building the formal claim documentation, with vendor invoices, internal cost tracking, and incident timeline documentation all assembled.
Beyond hour 72
The incident response transitions from acute response to sustained remediation, claim development, and post-incident review. The breach coach continues coordination through the regulatory engagement, customer responses, third-party claims, and final claim settlement, which typically runs 6 to 24 months from incident date depending on complexity.
The playbook is operationally demanding but each step prevents downstream failures that are more costly. The discipline of the first 72 hours produces claim outcomes that settle close to claimed amounts; the absence of discipline produces outcomes that settle at deep discounts or in coverage litigation.