Claims Evidence
Tamper-evident, portable, verifiable across the carrier-reinsurer-regulator chain.
Cyber insurance claims hinge on what the insured can prove about an incident — when it started, who detected it, what controls were active, what response was triggered. Standard logs are insufficient: they can be edited, lost in vendor changes, or contradicted across systems. H33 produces tamper-evident claims evidence that travels across the carrier, reinsurer, regulator, and litigation chain without losing fidelity at any hop.
The cyber claims evidence problem
Cyber insurance claims have a specific evidentiary structure. The claim depends on facts about an incident: timeline, scope, controls, response. Each downstream party — carrier, reinsurer, regulator, court — has progressively less trust in the insured's internal records. Standard cyber logs do not survive this chain well: the insured's MFA logs can be edited; the SIEM may have been compromised in the incident; the identity provider may have changed vendors; the endpoint detection vendor may have been acquired; the cloud provider may have rotated logs out of retention. By the time the claim reaches the regulator or the courtroom, the evidentiary trail may be incomplete or unverifiable.
What H33 captures at incident time
H33 evidence bundles are generated at the moments that matter:
Detection — when an intrusion detection or behavioral system identifies a candidate incident, a bundle captures the detection's basis, the model or rule that fired, the data that triggered it, and the response action that followed.
Response — when the IR team takes an action, a bundle captures the action's authority, the policy that justified it, the system state, and the evidence considered.
Control assessment — when periodic control assessment runs (MFA usage validation, EDR coverage, patch level), a bundle captures the basis and result.
Notification — when timelines start, a bundle captures who knew what, when they knew it, and what triggered the timeline.
Bundles are signed by three independent post-quantum algorithm families. They can be anchored to a public chain for time binding. They are stored under the insured's control.
How bundles survive the claims chain
Carrier review. The insured provides bundles supporting the claim. The carrier runs the open-source verifier offline. Verification confirms the bundles are unmodified and the timeline is consistent.
Reinsurance handoff. The carrier passes the relevant bundles to the reinsurer. The reinsurer runs the same verifier. No re-investigation required.
Regulatory review. A breach notification triggers regulatory scrutiny. The insured provides the bundles. The regulator verifies them. The verification result is binding because the open-source verifier is reproducible.
Litigation discovery. A third party brings suit alleging negligence. The insured provides the bundles. Opposing counsel runs the verifier. Both sides agree on what the verifier returns.
The reinsurance modeling angle
Reinsurers consistently report that cyber loss data is insufficient for actuarial modeling. The data is sparse, inconsistent across carriers, hard to verify, and contaminated by selection bias. H33 evidence bundles improve the data substrate. Loss events documented with portable, verifiable evidence are comparable across carriers (the bundle format is standardized), verifiable without re-investigation, resistant to selection bias (generated at incident time, not after-the-fact), time-bound (the anchor proves when the bundle was created), and stable across retention windows.
Use cases
Ransomware claim. An insured organization is hit by ransomware. The H33 bundles document the detection, the timeline of encryption, the response actions, and the eventual restoration. The carrier evaluates offline. The reinsurer confirms the basis. The claim is settled without dispute over evidence authenticity.
Business email compromise claim. An employee approves a fraudulent wire. The bundles document the MFA state, the email gateway controls, the policy governing wire approval, and the deviation from policy.
Insider data theft claim. The bundles document the user's access scope, the data accessed, the DLP signals, and the access timeline.
Common questions
Does this require changing my incident response process?
No. H33 evidence generation runs in parallel with your existing IR tooling. Bundles are produced as a byproduct of the detection, response, and assessment events that already happen.
Can my carrier accept H33 bundles today?
The bundles are open standard, canonical JSON, with an open-source verifier. Any carrier can accept them. Adoption is a contractual matter, not a technical one.
Does this work with my existing SIEM and SOAR?
Yes. The bundle-generation integration is API-based.
What happens if my SIEM is compromised in the incident?
The bundles produced before the compromise are unaffected. The bundles are signed at generation time and stored separately from the SIEM.
Are the bundles privacy-preserving?
Bundles stay under your control. Only the 32-byte commitment goes on-chain when anchored.
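
The offline check described above (bundles unmodified, timeline consistent, only a 32-byte commitment anchored) can be illustrated with an added example that is not H33's verifier or bundle format. The field names (type, created, prev), the use of SHA-256, and the simplified canonical JSON are assumptions; the post-quantum signature checks are left out.

```python
import hashlib
import json
from datetime import datetime

def canonical(bundle):
    # Deterministic bytes: sorted keys, no optional whitespace, UTF-8.
    # Simplified stand-in for a canonical JSON scheme (assumption).
    return json.dumps(bundle, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")

def commitment(bundle):
    # 32-byte digest; SHA-256 is an assumption, the page only gives the size.
    return hashlib.sha256(canonical(bundle)).digest()

def verify(bundles, anchors):
    """Return a list of findings; an empty list means the set verifies.
    anchors maps commitment hex -> anchor time (ISO 8601)."""
    findings, prev_c, prev_t = [], None, None
    for i, b in enumerate(bundles):
        c = commitment(b)
        t = datetime.fromisoformat(b["created"])
        anchored_at = anchors.get(c.hex())
        if anchored_at is None:
            findings.append(f"bundle {i}: commitment not anchored (modified?)")
        elif t > datetime.fromisoformat(anchored_at):
            findings.append(f"bundle {i}: claims creation after its anchor")
        if b.get("prev") != (prev_c.hex() if prev_c else None):
            findings.append(f"bundle {i}: broken link to previous bundle")
        if prev_t and t < prev_t:
            findings.append(f"bundle {i}: timestamp earlier than predecessor")
        prev_c, prev_t = c, t
    return findings

def make_sample():
    # Constructed sample data: detection -> response -> notification.
    events = [("detection", "2024-03-01T02:14:00+00:00"),
              ("response", "2024-03-01T02:31:00+00:00"),
              ("notification", "2024-03-01T09:00:00+00:00")]
    bundles, anchors, prev = [], {}, None
    for kind, ts in events:
        b = {"type": kind, "created": ts, "prev": prev}
        prev = commitment(b).hex()
        anchors[prev] = "2024-03-01T09:05:00+00:00"  # constructed anchor time
        bundles.append(b)
    return bundles, anchors

if __name__ == "__main__":
    bundles, anchors = make_sample()
    print(verify(bundles, anchors))                       # untouched set
    bundles[0]["created"] = "2024-03-01T05:00:00+00:00"   # edited after anchoring
    print(verify(bundles, anchors))
```

The anchor map holds only digests, so a party can confirm that a bundle it was handed matches what was anchored without the bundle contents ever having been published.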