The attack itself may be a crime, but the response can create additional legal exposure.
As India's digital economy grows, so too does the shadow of ransomware — a threat that forces organizations into a legal labyrinth where victimhood and liability can quietly exchange places. Indian cyber insurance policies offer a measure of shelter under 'Cyber Extortion' covers, yet the act of paying a ransom, while not explicitly forbidden, brushes against anti-money laundering, foreign exchange, and data protection frameworks that were never designed with digital extortion in mind. In this space between silence and prohibition, the law does not protect the unprepared — it waits for them.
- Ransomware attacks are surging across India's expanding digital economy, locking critical systems and forcing organizations into impossible decisions under extreme time pressure.
- Cyber insurance policies promise coverage but impose strict conditions — insurers must be notified immediately, kept informed throughout, and must grant written consent before any ransom payment is made or costs are incurred.
- India's overlapping legal frameworks — the IT Act, DPDPA, PMLA, and FEMA — create a minefield where a ransom payment, though not explicitly illegal, can expose a victim organization to money laundering scrutiny, foreign exchange violations, and data protection penalties reaching 250 crore rupees.
- CERT-In mandates incident reporting within six hours of discovery, while regulated sectors face additional obligations to notify the RBI, IRDAI, or SEBI — compressing the window for deliberate, compliant decision-making.
- The prudent path is to engage an insurance broker and legal counsel before any negotiation begins, and to treat ongoing communication with the insurer as a legal safeguard rather than a formality.
India's rapidly expanding digital economy has made ransomware one of its most consequential threats — attacks that encrypt critical systems and demand payment in exchange for restoration place organizations in a legal space that appears simple until the moment it must actually be navigated.
Cyber insurance policies in India do cover ransomware, typically under 'Cyber Extortion' or 'Cyber Crime' categories, but coverage is conditional. Insurers require immediate notification, continuous cooperation, and written consent before any ransom payment is made. Some policies also require law enforcement reporting as a prerequisite for reimbursement — meaning an organization cannot pay and simply expect to be made whole.
The legal landscape is layered. The IT Act of 2000 and the Bharatiya Nyaya Sanhita of 2023 criminalize the conduct behind ransomware, with penalties ranging from fines to life imprisonment in cyber-terrorism cases. CERT-In must be notified within six hours of discovery, and regulated entities (banks, insurers, securities firms) carry additional obligations to their respective sectoral regulators. The Digital Personal Data Protection Act of 2023 adds further exposure: if personal data is involved, the organization must notify the Data Protection Board and each affected individual, and it faces penalties of up to 250 crore rupees that apply independently of any criminal charges.
The central ambiguity is this: India has no law explicitly prohibiting ransom payments. IRDAI itself recognized cyber ransom as a legitimate coverage type in 2021. Yet payment carries real risk. Under the Prevention of Money Laundering Act, a payer whose funds are later linked to scheduled offenses may face regulatory scrutiny despite being a victim. Payments made via foreign remittance or cryptocurrency trigger FEMA compliance requirements, and cryptocurrency transactions must be disclosed under the Companies Act.
The practical consequence is that an organization under attack must consult both legal counsel and its insurance broker before entering any negotiation. Failing to obtain consent, report properly, or comply with financial regulations can transform a victim into a defendant — the attack itself may be the crime, but a mishandled response can generate legal exposure that outlasts the breach.
India's digital economy is expanding rapidly, and with it comes a growing threat that few organizations are fully prepared to handle: ransomware attacks that lock up critical systems, encrypt sensitive files, and demand payment in exchange for restoration. The question that follows—whether to pay the criminals demanding money—sits in a peculiar legal space in India, one that looks straightforward on the surface but becomes far more complicated the moment an organization actually faces it.
Cyber insurance policies in India do offer protection against ransomware incidents, typically bundled under broader coverage categories labeled "Cyber Extortion" or "Cyber Crime." These policies promise to cover losses arising from ransomware deployments and threats to steal or publicly release sensitive information. But the coverage comes with conditions. Insurers require immediate notification of any extortion threat, ongoing cooperation throughout the response, and—critically—written permission before the insured makes any ransom payment or incurs response costs. Some policies go further, demanding that the incident be reported to law enforcement as a prerequisite for coverage. The structure reflects an insurer's need to control the process and limit exposure, but it also means that an organization cannot simply decide to pay and expect automatic reimbursement.
The legal framework governing ransomware in India is layered and interconnected. The Information Technology Act of 2000 and the newer Bharatiya Nyaya Sanhita of 2023 treat the conduct behind ransomware as a criminal offense, with penalties ranging from fines of 100,000 to 200,000 rupees and imprisonment of up to three years, or life imprisonment in cases involving cyber terrorism. The IT Act designates the Indian Computer Emergency Response Team, known as CERT-In, as the national agency responsible for collecting and analyzing information on cyber incidents, issuing alerts, and coordinating responses. Organizations that experience a ransomware attack are required to report it to CERT-In within six hours of discovery. For regulated entities (banks, insurance companies, securities firms) the reporting obligations are even more stringent, with separate mandates to notify their respective regulators: the Reserve Bank of India, the Insurance Regulatory and Development Authority of India, or the Securities and Exchange Board of India, depending on the sector.
Beyond the IT Act, India's newer Digital Personal Data Protection Act of 2023 adds another layer of complexity. If a ransomware attack involves personal data, the organization must notify the Data Protection Board and each affected individual in the form, manner and timelines prescribed under the Act. The DPDPA imposes penalties of up to 250 crore rupees for violations, and these penalties operate independently of any criminal charges under the IT Act. This means an organization could face both criminal prosecution and substantial administrative fines for a single incident.
Here is where the legal gray area emerges: India has no law that explicitly prohibits paying ransom to threat actors. The Insurance Regulatory and Development Authority of India even acknowledged this in 2021 when it published a report on cyber insurance products that listed "cyber ransom" as a legitimate coverage type. Yet paying ransom is far from risk-free. Under the Prevention of Money Laundering Act of 2002, if ransom proceeds are later linked to money laundering, terrorist financing, or other scheduled offenses, the payer, despite being a victim, may face regulatory scrutiny and potential legal consequences. Ransom payments made through foreign remittances or in cryptocurrency trigger additional compliance concerns under the Foreign Exchange Management Act of 1999, which prohibits dealings in foreign exchange with unauthorized persons and requires accurate disclosure of the purpose of any remittance. Companies must also disclose cryptocurrency transactions in their financial statements under the Companies Act of 2013.
The practical implication is that an organization facing a ransomware attack must navigate a minefield of overlapping regulations before deciding whether to negotiate with threat actors. The prudent course is to immediately consult with both an insurance broker and legal counsel before entering into any negotiations or making any payment. The insurer must be kept informed at every stage to avoid disputes over coverage later. Failure to follow this path—to obtain consent, to report properly, to comply with anti-money laundering and foreign exchange rules—can transform a victim into a defendant. The attack itself may be a crime, but the response to it, if mishandled, can create additional legal exposure that extends far beyond the original breach.
Notable Quotes
The prudent approach for an insured in the event of a ransomware attack is to seek immediate advice from their broker and lawyers prior to entering into any negotiations with threat actors or making payment of ransom.
— Marsh India Insurance Brokers and Khaitan Legal Associates
The Hearth Conversation: Another perspective on the story
So if a company gets hit with ransomware in India, can they just pay the criminals and move on?
Not quite. There's no law that explicitly says you can't pay, but the moment you do, you step into several other legal frameworks—anti-money laundering laws, foreign exchange rules, data protection regulations. You're not just dealing with the attack anymore.
What happens if they don't tell their insurance company first?
They risk losing coverage entirely. The policy requires written consent before payment. If you pay without that consent, the insurer can deny the claim, and you're left holding the full cost.
And if the ransom money somehow ends up connected to terrorism or money laundering?
Then the payer—the victim—can face regulatory scrutiny under India's anti-money laundering laws. You're a victim of crime, but you could still be investigated for how the money moved.
How quickly do companies need to report this to authorities?
Six hours. CERT-In, the national cyber agency, requires notification within six hours of discovery. For banks or insurance companies, there are additional reporting requirements to their specific regulators on top of that.
So what's the smart move when ransomware hits?
Call your broker and your lawyer immediately. Don't negotiate, don't pay, don't do anything until you've got legal and insurance guidance. The attack itself is bad enough—you don't want to compound it by breaking other laws in your response.
Is there any scenario where paying ransom is actually the right call?
Only after you've consulted with both your insurer and legal counsel, obtained written consent, and ensured you're compliant with anti-money laundering and foreign exchange rules. It's possible, but it requires careful orchestration.