
The Forensic Blindspot: Why your 14-day Log Policy Voids Your Cyber Insurance

The financial fallacy:

The data: In the pursuit of efficiency, the default settings of cloud infrastructure often work against forensic investigation. For example, Azure Monitor retains 31 days of data by default, and AWS RDS automated backups sometimes last only 7 days, even though those backups are crucial for reconstructing database history. CFOs and FinOps teams tend to treat storing old data as a “dead expense” that can be cut to save money.

The truth: this cost difference is a fallacy. Storing logs in “hot” (immediately accessible) storage costs approximately $0.03 per GB per month, but moving the same data to “cold” storage (such as Amazon S3 Glacier Deep Archive) drops the cost to just $0.00099 per GB per month.

For a medium-sized company logging on the order of 1,000 GB, the “savings” from deleting data every 14 days amount to only a few hundred dollars. On the other hand, if an insurance claim is rejected because you lacked evidence (logs), you bear the full loss of the breach: the global average cost in 2024 was $4.88 million, and in the US it reached $10.22 million. You are gambling an insurance payout of ₹5 to ₹40 crore to save ₹50,000 a month on storage.

The dangerous gap between detecting an attack and implementing a policy:

Source: IBM’s 2024/2025 data breach report.

The statistics show that the time it takes to catch an attacker is far longer than a typical data retention limit (retention policy). In 2023 this gap was 277 days; the 2024 IBM report shows a slight improvement to 258 days (194 days to detect an attack and 64 days to contain it).

The calculation is simple:

  • It takes 194 days to detect an attack,
  • You have data for only 14 days,
  • Which means there is a “blindspot” of 180 days.

If the logs are gone in 14 days and the attack is discovered after 194 days, you have lost 100% of the evidence of how the attacker got in and what they did. You are left only with traces of the loss, without knowing its cause or its true extent.

Insurance terms and the danger of “warranty” clauses:

The risk: Cyber insurance is a contract, not a guarantee that you will be paid. These policies carry a “duty to cooperate” clause, which means you must fully cooperate with the investigation.

The truth: When you file a claim, the insurer’s forensic team will ask you for logs establishing:

  • Attribution: Who did it? (If a country’s government carried out the attack, the insurer may refuse to pay.)
  • Scope: What was stolen? (Was personal or sensitive data lost, or only data that does not matter?)
  • Timeline: When did it start? (The insurer checks that the attack did not begin before you took out the policy.)

If you say, “We deleted the logs,” the insurer may deny the claim by invoking the “doctrine of prejudice”. The legal argument is that the lack of data left the insurer unable to defend its position, so it can refuse to pay. Courts have sided with insurers where the insured could not provide the data and the case therefore could not be properly contested. The bottom line: no logs means no proof of scope, and a high chance that the claim is rejected.

Impact on company valuation (RiskFortress view):

The law has changed: Under GDPR and India’s DPDP Act 2023, the burden of providing evidence now lies with the company. You are treated as guilty until you prove your innocence. Numeric example:

Case A (90+ days of logs): You can prove that the attacker viewed only 1,000 non-sensitive records.

Result: A minor fine.

Case B (14-day logs): You cannot prove anything, so the government assumes the entire database was stolen.

Result: You must notify millions of people and pay the maximum fine.

Churn risk: Customers leave after a data breach, up to 30% in some industries if the incident is not handled properly.

Top 5 threats for the next 12 months:

  • Insurance Claim Denial: ₹5 Cr – ₹40 Cr loss, because keeping data for less than 90 days violates the “duty to cooperate” clause.
  • Forensic Blindness: ₹2 Cr+ cost, because the logs were deleted before the attack was detected (detection takes more than 190 days).
  • Regulatory Max Fine: Up to ₹250 crore (India) under the DPDP Act.
  • Audit Failure: ₹50 lakh cost for breaking ISO and PCI DSS rules (which govern data security).
  • Valuation Discount: ₹25 Cr+ loss in M&A, because when a large company comes to buy us, poor data management will be a red flag for them.
Action Plan: “90-Day Makeover”

  • Immediate (0-48 hours): Check your retention settings.
    • AWS CloudWatch: See whether log groups are set to “Never Expires” (expensive) or to less than 30 days.
    • Azure Monitor: Check whether you are on the default 31-day plan.
  • In 30 days: Implement a “cold” storage strategy.
    • Shift the required logs to Glacier or Archive Blob.
    • Target spend: ~$1 (₹85) per TB per month, so that there is no loss of crores. Target retention: keep logs for 365 days to cover a 258-day attack lifecycle.
  • In 90 days: Develop a new incident response plan.
    • During quarterly drills, check whether the logs are intact.
    • Add an “Insurance Eligibility Score” to your KPIs that tells you how ready you are to file a claim.
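The first step of the action plan (audit CloudWatch retention) and the cold-storage costing can be combined in one script. The following is an added example, not code from the article or from RiskFortress; it parses a constructed sample in the shape of `aws logs describe-log-groups` output and uses the article’s own figures (194 days to identify, 365-day target, $0.03 vs $0.00099 per GB-month).

```python
import json

# Figures taken from the article: IBM's 2024 lifecycle is 194 days to identify
# plus 64 to contain (258 total); the action plan targets 365 days of retention.
MEAN_TIME_TO_IDENTIFY_DAYS = 194
TARGET_RETENTION_DAYS = 365
HOT_USD_PER_GB_MONTH = 0.03      # "hot" tier figure quoted in the article
COLD_USD_PER_GB_MONTH = 0.00099  # Glacier Deep Archive figure quoted in the article

GIB = 1024 ** 3

# Constructed sample in the shape of `aws logs describe-log-groups` output;
# a group with no "retentionInDays" key is set to "Never Expires".
SAMPLE_DESCRIBE_LOG_GROUPS = json.dumps({"logGroups": [
    {"logGroupName": "/aws/lambda/payments-api", "retentionInDays": 14, "storedBytes": 50 * GIB},
    {"logGroupName": "/aws/rds/instance/orders/audit", "retentionInDays": 400, "storedBytes": 200 * GIB},
    {"logGroupName": "/ecs/web-frontend", "storedBytes": 900 * GIB},
]})


def audit_log_groups(describe_output: str) -> list:
    """One finding per log group: days of blindspot against the 194-day
    identification window, and what a full year would cost hot vs cold."""
    findings = []
    for group in json.loads(describe_output)["logGroups"]:
        retention = group.get("retentionInDays")  # None means "Never Expires"
        stored_gb = group.get("storedBytes", 0) / GIB
        if retention is None:
            # Nothing is lost, but everything sits in the expensive hot tier;
            # cost the volume that is actually stored today.
            status, blindspot, volume_gb = "never-expires", 0, stored_gb
        else:
            blindspot = max(0, MEAN_TIME_TO_IDENTIFY_DAYS - retention)
            status = "ok" if retention >= TARGET_RETENTION_DAYS else "below-target"
            # Estimate daily ingest from what the current window holds, then
            # project the volume a 365-day window would carry.
            volume_gb = stored_gb / retention * TARGET_RETENTION_DAYS
        findings.append({
            "logGroup": group["logGroupName"],
            "retentionInDays": retention,
            "blindspotDays": blindspot,
            "status": status,
            "hotUsdPerMonth": volume_gb * HOT_USD_PER_GB_MONTH,
            "coldUsdPerMonth": volume_gb * COLD_USD_PER_GB_MONTH,
        })
    return findings


if __name__ == "__main__":
    for f in audit_log_groups(SAMPLE_DESCRIBE_LOG_GROUPS):
        print(f"{f['logGroup']:<36} retention={str(f['retentionInDays']):>5} "
              f"blindspot={f['blindspotDays']:>3}d hot=${f['hotUsdPerMonth']:.2f}/mo "
              f"cold=${f['coldUsdPerMonth']:.2f}/mo [{f['status']}]")
```

On real output, feed the script the JSON from `aws logs describe-log-groups` instead of the constructed sample; the 14-day group reproduces the article’s 180-day blindspot.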

Ground reality and how to talk to the client:

The MSSP deception: Don’t assume your security vendor (MSSP) keeps logs forever. Many MSSP contracts provision only 30-60 days of “hot” storage by default to protect their margins. Solution: Check the contract. If they do not offer a 12-month guarantee, build your own storage.

Client-Facing Communication Script:

  • CxO opener: “We are putting a ₹5 crore insurance claim at risk to save ₹1,000 a month.” When it takes six months to detect an attack, a 14-day policy guarantees that we will have no evidence when it is needed.
  • Price rebuttal: We are not asking for expensive “hot” storage. We are simply moving the data to inexpensive “cold” storage (Glacier), which costs less than a penny per GB per month. “This is the cheapest insurance policy we will ever buy.”

About the Author

Kunal Pratap Singh is the Founder of RiskFortress, where he architects defensive strategies to eliminate the forensic blind spots that void cyber insurance policies. He specializes in closing the gap between technical security protocols and financial recoverability, ensuring that enterprise infrastructure holds up under legal and financial scrutiny during a breach. Kunal is a vocal advocate for shifting security from a cost center to a value-preservation asset through data-driven risk quantification.

Kunal can be reached online by email and on LinkedIn, and at the company website https://riskfortress.in/.
