The seven steps
Call the carrier first — before the IR firm.
The single most common mistake is engaging a forensics firm or paying a vendor before notifying the carrier. Most policies require carrier pre-approval of incident-response vendors; engaging anyone outside the pre-approved panel without consent can leave those costs unreimbursed and put the whole claim at risk. Even if you have a preferred IR firm, get the carrier's consent before you engage it.
Notify within the policy window.
Most cyber policies require notification within 24–72 hours of discovery, and missing the window is grounds for denial. The trigger is discovery, not full scope: you do not need to know what happened, how far it spread or what it will cost before you call.
Engage the panel.
The carrier will provide a pre-approved list of incident-response firms, ransomware negotiators, breach counsel, and forensic investigators. These are pre-priced, pre-contracted, and the costs flow through the policy. Use them — even if you have other vendors you'd prefer, panel use is usually how the policy pays.
Preserve evidence and document everything.
Logs, screenshots, ransom notes, attacker communications and the state of affected systems at the time of discovery. Do not reboot, wipe or reimage affected systems before forensics has captured what they need; memory, running processes and unrotated logs are lost on restart. Record who collected each artefact and when, and keep a cryptographic hash of it so it can later be shown unchanged. Every action you take should be timestamped and written down; the claim file is built from this record.
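One way to keep the timestamped, hash-verified record this step asks for. This is an added example, not code from the original page or the firm behind it; the evidence files, the collector name "it-lead" and the log line are constructed for the demonstration. It seals a manifest of every collected artefact and then shows what an adjuster or forensic firm sees when a file, or the manifest itself, is altered after collection.

```python
import copy
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large captures (disk images, log bundles) fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(evidence_dir: Path, collector: str, note: str = "") -> dict:
    """Record every file under evidence_dir with its hash, size, mtime and a collection timestamp."""
    items = []
    for p in sorted(evidence_dir.rglob("*")):
        if p.is_file() and p.name != "manifest.json":
            st = p.stat()
            items.append({
                "path": p.relative_to(evidence_dir).as_posix(),
                "sha256": sha256_file(p),
                "size": st.st_size,
                "mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
            })
    manifest = {
        "collected_at_utc": datetime.now(timezone.utc).isoformat(),
        "collector": collector,
        "note": note,
        "items": items,
    }
    # Seal the manifest with its own hash so later edits to the record are detectable.
    # This is a self-check, not a signature: copy the value somewhere an attacker or a
    # later editor cannot reach (for example into the first email to breach counsel).
    body = json.dumps(manifest, sort_keys=True).encode()
    manifest["manifest_sha256"] = hashlib.sha256(body).hexdigest()
    return manifest


def verify_manifest(evidence_dir: Path, manifest: dict) -> list:
    """Return a list of problems; an empty list means the evidence matches the sealed record."""
    problems = []
    unsealed = dict(manifest)
    recorded = unsealed.pop("manifest_sha256", None)
    body = json.dumps(unsealed, sort_keys=True).encode()
    if hashlib.sha256(body).hexdigest() != recorded:
        problems.append("manifest body was altered after sealing")
    for item in manifest["items"]:
        p = evidence_dir / item["path"]
        if not p.is_file():
            problems.append(f"missing: {item['path']}")
        elif sha256_file(p) != item["sha256"]:
            problems.append(f"hash mismatch: {item['path']}")
    return problems


def demo() -> dict:
    """Constructed sample evidence set: seal it, verify it, then show what tampering looks like."""
    with tempfile.TemporaryDirectory() as tmp:
        ev = Path(tmp)
        (ev / "ransom_note.txt").write_text("CONSTRUCTED SAMPLE: your files are encrypted ...\n")
        (ev / "logs").mkdir()
        (ev / "logs" / "auth.log").write_text(
            "2024-01-01T03:12:44Z sshd[1201]: Accepted password for admin from 10.0.0.5 port 51022\n"
        )
        manifest = build_manifest(ev, collector="it-lead", note="first capture, before any reboot")
        (ev / "manifest.json").write_text(json.dumps(manifest, indent=2))

        # Reload from disk, as the adjuster or forensic firm would receive it.
        loaded = json.loads((ev / "manifest.json").read_text())
        clean = verify_manifest(ev, loaded)

        # Someone "tidies" the record after the fact: the seal no longer matches.
        edited = copy.deepcopy(loaded)
        edited["note"] = "capture after reimaging"
        manifest_tampered = verify_manifest(ev, edited)

        # A log is truncated after collection: the file hash no longer matches.
        (ev / "logs" / "auth.log").write_text("log rotated\n")
        file_tampered = verify_manifest(ev, loaded)

        return {"clean": clean, "manifest_tampered": manifest_tampered, "file_tampered": file_tampered}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it once per collection and give the manifest, together with its `manifest_sha256` value recorded out of band, to the panel forensic firm; the hashes are what let them and the adjuster accept the artefacts as the ones captured on the day, rather than copies that may have changed since.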
Track all costs precisely.
Forensic-firm invoices, attorney fees, ransom (if paid), data-restoration costs, overtime, temporary staff, lost revenue during downtime, notification and credit-monitoring costs, PR support and regulatory fines. Categorise each item by the coverage area it falls under (first-party vs third-party, BI vs DRC), using the policy's own definitions. The claim adjuster will want documentation for every line item.
Don't admit liability publicly.
Statements made to clients, the press, on social media, or in client emails can be used against the claim. Run customer and external communications through breach counsel before sending.
File the formal proof of loss within the window.
Most policies require a sworn proof of loss within a specific timeframe (often 60–180 days). This is the formal claim document with all dollar figures, supporting receipts, and a sworn statement. Your carrier will provide the template; your breach counsel and CFO complete it.
The six things that get claims denied
Material misrepresentation on the application
If your application said you had MFA on every account, EDR on every endpoint, a WISP (written information security program) and quarterly backup testing, and you didn't, the carrier can deny the claim or rescind coverage. Honest applications are non-negotiable.
Late notification
Reporting outside the policy's notification window, even by hours. Some policies are strict; others have grace periods. Don't test it.
Off-panel engagement
Engaging an IR firm, attorney, or vendor outside the carrier's panel without consent. Costs may not be reimbursable; full claim may be at risk.
OFAC sanctions
If a ransom payment goes to a sanctioned entity, the carrier may refuse to reimburse it, on top of the legal exposure the payment itself creates. Screen the recipient against the OFAC sanctions list (and any other sanctions regime that applies to you) before paying anything, and keep the screening record with the claim file.
Insufficient evidence
Forensic timeline gaps, missing log data, lost evidence due to system reimaging before investigation. Without evidence, the claim adjuster can't validate the loss.
Coverage exclusion applies
War / nation-state attacks, infrastructure failures, prior known incidents, certain regulatory fines — policies have specific exclusions. Read the policy before you need it.
The renewal-time conversation that prevents most denials
Most claim denials trace back to the application. The annual renewal questionnaire asks about controls: MFA (on email, remote access and privileged accounts in particular), EDR, backups and backup testing, a WISP, security-awareness training, and so on. If you tick “yes” to something you don't actually have, a future claim is denied for material misrepresentation.
The right discipline at renewal:
- Tick honestly — even if the answer hurts the premium.
- For any “in progress” control, document the implementation timeline and verify it's actually being implemented.
- Get your IT provider or vCISO to validate the answers before submission.
- Save the application and the carrier's renewal terms in a place you can find them after an incident.
What to do before you ever need to file
- Read your policy. Know your notification window, your sub-limits (especially on ransom payments and BI), your retention, and your panel of pre-approved vendors. Don't learn this during the incident.
- Save the carrier's claim phone number and email somewhere reachable from a phone that isn't plugged into the compromised network. Sounds obvious; consistently isn't done.
- Save the carrier's panel list. The IR firm, attorney, and negotiator names should be pre-selected so you're not making vendor decisions during an incident.
- Run a tabletop exercise. 90-minute scenario walk-through with the owner, IT lead, finance lead, and (if you have one) breach counsel. Most policies fund this; some require it.
- Document your controls inventory honestly. So that if a claim ever needs to validate the application, you can.
What a serious cyber policy actually pays
A well-structured SMB cyber policy typically reimburses across these coverage areas (sub-limits vary):
- First-party costs: Forensic investigation, breach counsel, ransom (with approval), data restoration, business interruption, extra expenses, public relations, notification and credit monitoring.
- Third-party costs: Liability defense, regulatory fines (where insurable), settlements, PCI fines for card-data exposure.
- Cyber-crime cover: Often a separate sub-limit for social engineering / BEC fraud losses (this is usually carved out and limited to a small amount; check carefully).
What's typically not covered:
- Acts of war or nation-state attacks (depending on policy).
- Failure of underlying infrastructure (cloud provider outage that wasn't cyber-attack-driven).
- Incidents that began before the policy started.
- Losses caused by failure to implement controls you attested to.
- Long-tail damages outside the policy period.
Need help filing a claim?
We coordinate with your cyber-insurance carrier from day-one of an incident — using the panel, preserving evidence, and assembling the proof-of-loss documentation.