How to File a Cyber Insurance Claim: What to Do When You Have an Incident
Having Cyber Insurance Is Not Enough — You Have to Know How to Use It
Small businesses that purchase cyber insurance often assume the coverage works like auto insurance — something goes wrong, you call and file a claim, they handle it. Cyber insurance is significantly more complex. Policy terms vary enormously, coverage exclusions are numerous, and the actions you take in the first 24 to 48 hours after a cyber incident directly affect whether your claim is approved, how much you receive, and whether your insurer covers the incident response costs that can reach tens of thousands of dollars before the breach is even contained.
This guide covers what to do — and what not to do — when you experience a cyber incident as a policyholder.
Read Your Policy Before You Need It
The time to understand your cyber insurance policy is not during an active incident. Review your policy now and document the answers to these critical questions:
- What is the incident reporting hotline number? Most cyber insurers have a 24/7 incident response hotline separate from their regular claims line. This number should be in your phone and on the physical incident response checklist in your office.
- What is the notification deadline? Most cyber policies require notification of a potential incident within 24 to 72 hours of discovery — some within 24 hours. Missing this deadline can void coverage for the incident entirely.
- What is the retroactive date? Cyber policies typically cover incidents discovered after the policy effective date but may exclude incidents that began before the retroactive date. Understanding this prevents surprises when a long-running intrusion is discovered.
- What does your policy cover? First-party coverage (your own costs — business interruption, data recovery, notification costs) and third-party coverage (claims from customers or partners whose data was compromised) are distinct, and not all policies include both.
- What are the key exclusions? Common exclusions include: acts of war (increasingly contested for nation-state ransomware), prior known conditions, failure to maintain minimum security standards, and social engineering/funds transfer fraud unless specifically endorsed.
Step 1: Call the Insurer’s Incident Hotline Before Doing Anything Else
When you discover or suspect a cyber incident — ransomware, data breach, business email compromise wire fraud, or any other covered event — your first call should be to your insurer’s incident response hotline, not to your IT person, not to law enforcement, and not to a ransomware negotiator you found online.
Why this matters: most cyber insurers have pre-negotiated rates with incident response firms, ransomware negotiators, forensic investigators, and breach notification services. Using these pre-approved vendors is typically required to receive full reimbursement — using outside vendors you find independently may result in costs that are not covered or reimbursed at a lower rate. The insurer’s incident response team also provides guidance on notification obligations and legal requirements that vary by incident type and affected data.
This call also starts the clock on your formal claim and creates a documented record of when the incident was reported — critical for meeting policy notification deadlines.
Step 2: Preserve Evidence — Do Not Delete or Wipe Systems
The instinct after discovering ransomware or a breach is to wipe infected systems and start fresh. This instinct must be resisted until forensic investigation is complete. Wiping systems destroys evidence needed to:
- Determine how attackers entered — without this, remediation cannot close the entry point
- Establish the scope of the breach — what data was accessed or exfiltrated
- Support law enforcement investigation
- Document the incident for insurance purposes and potential litigation
Preserve affected systems by isolating them from the network (unplug Ethernet, disable Wi-Fi) rather than shutting them down or wiping them. Forensic investigators need running memory and intact file systems to reconstruct what happened.
Step 3: Document Everything From the Moment of Discovery
Begin a written incident log immediately — recording every action taken, every person contacted, every system affected, and every decision made with timestamps. This log serves multiple purposes: it supports your insurance claim, documents compliance with notification deadlines, provides a record for any regulatory investigation, and supports post-incident litigation if needed.
Include in the log:
- Date and time the incident was discovered and by whom
- Initial indicators — what was observed that indicated an incident
- Systems and data believed to be affected
- Containment actions taken and when
- All parties notified and when — insurer, law enforcement, legal counsel, affected customers
- All costs incurred — invoices, employee time, vendor fees
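The written log described in Step 3 is also the record that proves you met the notification deadline from Step 1, so it helps to keep it in a form that can answer "when was the insurer called, and was that inside the policy window?" on demand. The following is an added example, not part of this guide or any insurer's tooling: a small timestamped incident log that stores the fields listed above, computes the insurer-notification deadline from the discovery entry and a hypothetical 72-hour policy window, flags whether the notification was on time, and totals costs incurred. All names, times and amounts in the sample are constructed.

```python
"""Timestamped incident log with a policy notification-deadline check (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional

UTC = timezone.utc


@dataclass(frozen=True)
class LogEntry:
    when: datetime              # timezone-aware; normalised to UTC on record()
    actor: str                  # who took the action or made the observation
    category: str               # discovery | indicator | scope | containment | notification | cost | decision
    detail: str
    party: Optional[str] = None  # for notifications: insurer, law enforcement, counsel, customers
    cost_usd: float = 0.0        # for cost entries: invoices, vendor fees, employee time


@dataclass
class IncidentLog:
    # Hypothetical policy term: hours allowed between discovery and notice to the insurer.
    notification_window_hours: int
    entries: List[LogEntry] = field(default_factory=list)

    def record(self, when: datetime, actor: str, category: str, detail: str,
               party: Optional[str] = None, cost_usd: float = 0.0) -> LogEntry:
        if when.tzinfo is None:
            raise ValueError("timestamps must be timezone-aware")
        entry = LogEntry(when.astimezone(UTC), actor, category, detail, party, cost_usd)
        self.entries.append(entry)
        return entry

    def discovered_at(self) -> Optional[datetime]:
        found = [e.when for e in self.entries if e.category == "discovery"]
        return min(found) if found else None

    def notified_at(self, party: str) -> Optional[datetime]:
        found = [e.when for e in self.entries
                 if e.category == "notification" and e.party == party]
        return min(found) if found else None

    def notification_status(self, party: str = "insurer",
                            now: Optional[datetime] = None) -> dict:
        """Deadline for notifying `party`, when it happened, and whether it was on time."""
        discovered = self.discovered_at()
        if discovered is None:
            raise ValueError("log has no discovery entry")
        deadline = discovered + timedelta(hours=self.notification_window_hours)
        notified = self.notified_at(party)
        reference = notified if notified is not None else (now or datetime.now(UTC))
        return {
            "party": party,
            "deadline": deadline,
            "notified_at": notified,
            "on_time": notified is not None and notified <= deadline,
            "hours_remaining": (deadline - reference).total_seconds() / 3600,
        }

    def total_costs(self) -> float:
        return round(sum(e.cost_usd for e in self.entries if e.category == "cost"), 2)

    def render(self) -> List[str]:
        """Chronological plain-text log lines suitable for the claim file."""
        lines = []
        for e in sorted(self.entries, key=lambda e: e.when):
            party = f" [{e.party}]" if e.party else ""
            cost = f" (${e.cost_usd:,.2f})" if e.cost_usd else ""
            lines.append(f"{e.when.isoformat()} {e.category:<12} {e.actor}: {e.detail}{party}{cost}")
        return lines


def build_sample_log() -> IncidentLog:
    """Constructed sample incident; every name, time and amount here is made up."""
    log = IncidentLog(notification_window_hours=72)
    t0 = datetime(2024, 3, 4, 8, 15, tzinfo=UTC)
    log.record(t0, "J. Doe (ops)", "discovery", "Ransom note on FS-01; shares unreadable")
    log.record(t0 + timedelta(minutes=5), "J. Doe (ops)", "indicator",
               "Files renamed with unknown extension on FS-01 and WS-07")
    log.record(t0 + timedelta(minutes=20), "J. Doe (ops)", "containment",
               "FS-01 and WS-07 unplugged from network, left powered on")
    log.record(t0 + timedelta(hours=2, minutes=25), "M. Roe (owner)", "notification",
               "Called cyber insurer incident hotline", party="insurer")
    log.record(t0 + timedelta(hours=6), "M. Roe (owner)", "notification",
               "Engaged panel counsel recommended by insurer", party="counsel")
    log.record(t0 + timedelta(days=1), "M. Roe (owner)", "cost",
               "Panel IR firm retainer invoice", cost_usd=12500.00)
    log.record(t0 + timedelta(days=1, hours=3), "J. Doe (ops)", "cost",
               "Staff overtime, 14 h", cost_usd=840.00)
    return log


if __name__ == "__main__":
    sample = build_sample_log()
    print("\n".join(sample.render()))
    print(sample.notification_status("insurer"))
    print("Costs to date:", sample.total_costs())
```

Timestamps are stored in UTC so that entries made from different time zones (a remote IT contractor, an out-of-state owner) sort correctly and the deadline arithmetic is unambiguous; the policy window is a parameter because, as the guide notes, it varies between policies and must be taken from your own contract.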
Step 4: Understand Ransom Payment Considerations
If you are dealing with ransomware, the decision to pay or not pay a ransom is complex and has insurance, legal, and financial dimensions:
- Call your insurer before paying anything: Many cyber policies cover ransom payments but require pre-authorization. Paying without authorization may result in no reimbursement.
- OFAC sanctions compliance: The U.S. Treasury’s Office of Foreign Assets Control has sanctioned several ransomware groups. Paying a sanctioned group can result in civil penalties even if you did not know the group was sanctioned. Your insurer’s incident response team checks sanction status as part of pre-authorized payment processing.
- Payment does not guarantee decryption: Roughly 20% of businesses that pay ransoms do not receive a working decryption key. Backup recovery, where available, is always preferable to ransom payment.
- FBI reporting: The FBI requests that ransomware attacks be reported at ic3.gov regardless of whether ransom is paid. This aids national tracking of ransomware groups and occasionally enables recovery assistance.
Common Claim Denial Reasons to Avoid
- Late notification: Reporting the incident after the policy’s required notification window — even by a day — can result in denial. Know your deadline and call immediately.
- Failure to maintain required security controls: Policies increasingly require specific controls — MFA, EDR, patching — as a condition of coverage. Failure to maintain these at the time of the incident provides grounds for denial. Review your policy’s security warranty requirements.
- Using non-approved vendors: As noted above, using incident response vendors not on your insurer’s pre-approved list may result in unreimbursed costs.
- Social engineering not endorsed: Standard cyber policies often do not cover funds transfer fraud (BEC wire fraud) unless a social engineering endorsement is specifically added. Verify this coverage exists in your policy before you need it.
Bottom Line
Cyber insurance is only as valuable as your ability to use it correctly when an incident occurs. Read your policy, document the incident hotline number, understand your notification deadline, and train your team that the call to the insurer comes before any other response action. The businesses that receive full coverage from cyber insurance are the ones that followed policy procedures correctly from the first moment of discovery — not the ones that responded well technically but notified late or used unapproved vendors.