
Legality of Ransomware and Ransom Payments in Cyber Insurance Policies: Insights from Marsh India and Khaitan & Co

In this article, Marsh India Insurance Brokers Private Limited and Khaitan Legal Associates examine the implications of a ransomware attack, the protection available under cyber insurance, and the legality of ransom payments following cyber breaches in India.

Accelerated digitalisation has significantly increased organisational exposure to cyber threats, particularly ransomware attacks that disrupt operations, compromise sensitive data, and expose entities to significant regulatory scrutiny and reputational risk.


What is a Ransomware Attack?

A ransomware attack is a category of data extortion which typically manifests as a threat delivered over the internet to extort money from the insured. Such threats are commonly accompanied by the risk of deletion, alteration, corruption, or unauthorised restriction of access to data stored in the insured’s computer systems while such data remains in the insured’s physical possession and custody.

Does Cyber Insurance cover loss from ransom related events?

Ransomware coverage under cyber insurance policies is typically structured as part of a broader “Cyber Extortion” or “Cyber Crime” cover and is commonly subject to defined sub-limits. In fact, in many cases, the applicable deductible is distinct from other categories of cyber loss. Within this framework, a cyber extortion cover promises indemnity for losses arising from cyber incidents affecting the insured’s systems or data, including ransomware deployments and threats to exfiltrate or publicly disclose sensitive information.

Rather than restricting coverage to the ransom payment itself, cyber insurance policies frequently extend sub-limited coverage to consequential losses arising from ransomware incidents. Indemnity under a cyber extortion cover is, however, subject to stringent procedural and reporting requirements. Standard policy wordings require the insured to give immediate or prompt notice of the extortion threat, to cooperate with and keep the insurer informed throughout the response process, and to obtain the insurer’s prior written consent before making any extortion payment or incurring response-related costs. Certain policies additionally require, or strongly encourage, reporting of the incident to law enforcement authorities as a condition of, or a relevant consideration for, coverage.

Ransomware incidents in India: Which law gets attracted?

Indian law, by virtue of statutes such as the Information Technology Act, 2000, and the Bharatiya Nyaya Sanhita, 2023, treats ransomware attacks as criminal offences attracting penalties in the form of fines ranging from INR 1,00,000 to INR 2,00,000 and imprisonment which may extend to three years and, in extreme cases involving cyber terrorism, imprisonment for life.

Section 70B of the Information Technology Act, 2000 designates the Indian Computer Emergency Response Team (“CERT-In”) as the national agency for, inter alia, the collection, analysis and dissemination of information on cyber incidents, the issuing of alerts and advisories, and the coordination of responses. The Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 provide that any individual, organisation, or corporate entity affected by a cybersecurity incident may report such incident to CERT-In. The rules further empower CERT-In to exchange relevant information relating to cybersecurity attacks, vulnerabilities, and remedial measures, particularly in respect of critical sectors, with the National Critical Information Infrastructure Protection Centre.

The Information and Cyber Security Guidelines, 2023 issued by the IRDAI require regulated entities to establish a clear mechanism for reporting cyber security incidents to both internal stakeholders and relevant external authorities. Such external authorities may include regulators, law enforcement agencies, customers, the IRDAI, CERT-In, CSIRT-Fin, and the Cyber Swachhta Kendra, as applicable. Notably, cyber incidents are required to be mandatorily reported to CERT-In within six (6) hours of the incident being noticed or brought to the organisation’s attention. A copy of such intimation is also required to be shared with the IRDAI and any other concerned regulator or authority.

Similarly, the Cyber Security Framework for banks issued by the Reserve Bank of India mandates banks to promptly report all cyber security incidents to the Reserve Bank of India in the prescribed format.

In addition, under the Cyber Security and Cyber Resilience Framework for SEBI Regulated Entities issued by the Securities and Exchange Board of India, any cyberattack, cybersecurity incident, or data breach experienced by a SEBI-regulated entity and falling within the scope of the CERT-In cybersecurity directions is required to be reported to both SEBI and CERT-In within six (6) hours of such incident being noticed, detected, or brought to the entity’s attention.

A ransomware incident in India attracts liability under multiple provisions of the Information Technology Act, 2000 (“IT Act”), including the following:

  • Section 43 read with Section 66: addressing unauthorised access to or damage of a computer, computer system, or network without the consent of the owner.
  • Section 65: relating to tampering with computer source documents, punishable with imprisonment for up to three years or a fine not exceeding INR 2,00,000, or both.
  • Section 66D: dealing with cheating by personation through the use of computer resources, punishable with imprisonment which may extend to three years and a fine up to INR 1,00,000.
  • Section 66F: covers cyber terrorism, addressing severe cyberattacks that threaten national security, including large-scale ransomware attacks that disrupt critical infrastructure, punishable with imprisonment which may extend to imprisonment for life.

In addition to penal consequences, the IT Act and the rules framed thereunder impose affirmative data protection and security obligations on body corporates that handle sensitive personal data. Rule 8 of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 mandates the implementation of reasonable security practices and procedures to safeguard such data. In the event of a data or information security breach, affected entities may be required to demonstrate that appropriate security controls were in fact implemented, failing which liability may arise under Section 43A of the IT Act, which includes an obligation to compensate persons who suffer loss as a result of such failure.

While the IT Act and SPDI Rules have historically governed data protection obligations, India is now transitioning to a dedicated privacy law. The Digital Personal Data Protection Act 2023 (“DPDPA”), together with the Digital Personal Data Protection 2025 Rules, establishes a modern framework governing the processing, protection and breach-handling of personal data.

For ransomware incidents involving personal data, the DPDPA introduces additional statutory obligations, including:

  • Mandatory notification to the Data Protection Board where a personal data breach occurs, in accordance with prescribed timelines and formats.
  • Notification to affected Data Principals where the breach is likely to result in significant harm.
  • Requirement to demonstrate reasonable security safeguards for all personal data under Section 8 going beyond the SPDI Rules’ limited “sensitive personal data” scope.
  • Processor obligations to promptly inform the Data Fiduciary of any breach and support incident response.
  • Exposure to substantial administrative penalties (up to INR 250 crore), which operate separately from IT Act criminal offences.

As a result, ransomware incidents will increasingly be assessed under both the IT Act (for system offences) and the DPDPA (for personal data breach obligations and penalties).

Making payment of Ransom: Is it legal in India?

In the context of ransomware attacks, an interesting question, or rather a conundrum, often emerges for the insured: should they negotiate with the threat actor, and is it even legal to make payment of ransom in India?

Per se, there is no law that prohibits the payment of ransom or categorises it as “illegal”. In fact, the IRDAI, in 2020, constituted a Working Group to study the need for a standard Cyber Liability Insurance product, and in the Report of the Group published in 2021, “cyber ransom” is mentioned as one of the covers contemplated in cyber insurance products.

However, in practice, negotiating with threat actors and/or making payment of ransom gives rise to a complex set of ethical, operational and legal risks. On the ethical side, an organisation that engages with threat actors or pays a ransom can in a way incentivise criminal activity and invite further threats of this nature. From an operational standpoint, the persons involved in such negotiations and the manner of making the ransom payment can pose challenges. Most importantly, from a legal point of view, ransom payments also carry heightened exposure under India’s anti-money laundering framework. Under the Prevention of Money Laundering Act, 2002 (“PMLA”), if ransom proceeds are subsequently linked to money laundering, terrorist financing, or other scheduled offences, the payer may be subjected to regulatory scrutiny despite being a victim of the underlying crime.

Additionally, ransom payments involving foreign remittances or cryptocurrency may trigger compliance concerns under the Foreign Exchange Management Act, 1999 (“FEMA”). Section 3 of FEMA prohibits dealings in foreign exchange with unauthorised persons, while Section 10 requires accurate disclosure of the purpose of remittances made through authorised channels. Schedule III of the Companies Act, 2013 mandates companies to make certain disclosures in their financial statements pertaining to profits earned or losses incurred during a financial year on transactions involving cryptocurrencies or virtual currencies; the amount of virtual currencies or cryptocurrencies held; and the deposits or advances received by companies from any person for the purpose of trading or investing in virtual currencies or cryptocurrencies.

Given the various moving parts and the intersection of multiple laws, the prudent approach for an insured in the event of a ransomware attack is to seek immediate advice from its broker and lawyers before entering into any negotiations with threat actors or making payment of ransom. The insurer must also be kept informed at every stage of the process to avoid a liability dispute under the policy.

Leadership

Bhishma Maheshwari

Managing Director - FINPRO & Cyber, Marsh India

Ritesh Thosani

Cyber Practice Leader, Marsh India

Akshara Sharma

Executive Vice President, Claims Advocacy, FINPRO/Cyber

Debashree Pusti

Assistant Vice President, Claims Advocacy, Cyber

Harshit Saini

Assistant Vice President, Cyber Practice

This document is not intended to be taken as advice regarding any individual situation and should not be relied upon as such. Marsh shall have no obligation to update this publication and shall have no liability to you or any other party arising out of this publication or any matter contained herein. The information contained herein is based solely on our experience as insurance brokers and risk consultants. Insurance is the subject matter of solicitation. For more details on benefits, exclusions, limitations, terms, and conditions, please read the sales brochure/policy wording carefully before concluding a sale. Marsh makes no assurances regarding the availability, cost, or terms of insurance coverage. Although Marsh may provide advice and recommendations, all decisions regarding the amount, type or terms of coverage are the ultimate responsibility of the insurance purchaser, who must decide on the specific coverage that is appropriate to its particular circumstances and financial position. Insurance coverage is subject to the terms, conditions, and exclusions of the applicable individual policies.

Prohibition of Rebates – Section 41 of the Insurance Act, 1938; as amended from time to time: No person shall allow or offer to allow, either directly or indirectly, as an inducement to any person to take or renew or continue an insurance in respect of any kind of risk relating to lives or property in India, any rebate of the whole or part of the commission payable or any rebate of the premium shown on the policy, nor shall any person taking out or renewing or continuing a policy accept any rebate, except such rebate as may be allowed in accordance with the published prospectuses or tables of the insurer. Any person making default in complying with the provisions of this section shall be punishable with a fine which may extend to ten lakh rupees.