Definitive Guide

How to File and Manage a Cyber Insurance Claim

When a cyber incident strikes, knowing how to file and manage your insurance claim can mean the difference between full recovery and financial disaster.


Farhad Mirza Khawar

Founder of HIPAA Agent and Cyber Defense Agent. Compliance infrastructure for SMBs. Sacramento, CA.

2026-05-01

The first 72 hours after an incident

The actions you take in the first 72 hours after discovering a cyber incident determine whether your claim succeeds or fails. Speed matters, but so does doing things in the right order.

Hour 0-4: Contain and notify. Isolate affected systems to prevent further damage. Do not wipe or rebuild anything yet — preserving forensic evidence is critical for your claim. Call your insurance carrier's breach hotline immediately. Every major cyber policy includes a 24/7 hotline number on your declarations page. Failing to notify promptly can void your coverage.

Hour 4-24: Engage the panel. Your carrier will assign a breach coach (typically an attorney from their approved panel) who coordinates the response. They will bring in forensics, public relations, and notification vendors — all pre-approved by your carrier. Using non-panel vendors without carrier approval can result in denied reimbursement.

Hour 24-72: Document everything. Start a detailed incident log. Record every action taken, every system affected, every person contacted. Screenshot error messages, ransom notes, and suspicious emails. This documentation becomes the foundation of your claim. Cyber Defense Agent scan results from before the incident provide critical baseline evidence showing your pre-incident security posture.

What your carrier needs from you

Carriers require specific documentation to process claims. Missing any of these can delay or reduce your payout.

Pre-incident documentation: Your most recent security questionnaire answers, evidence of controls you claimed to have (this is where Cyber Defense Agent's continuous scanning history is invaluable), your incident response plan, and proof of security awareness training. If your questionnaire answers don't match your actual controls at the time of the incident, the carrier can deny the claim for material misrepresentation.

Incident documentation: A detailed timeline of the incident from discovery through containment, forensic analysis reports from the panel-approved forensics firm, evidence of the attack vector and scope of compromise, lists of affected data and individuals, business interruption calculations including lost revenue and extra expenses, and any communications with threat actors (in ransomware cases).

Financial documentation: Invoices from all vendors involved in the response, payroll records for employees who worked on the incident, revenue records to support business interruption claims, and receipts for any emergency purchases (hardware, software, temporary services). Keep every receipt. Carriers reimburse documented expenses — not estimates.
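The incident log that the 72-hour procedure calls for and the discovery-through-containment timeline the carrier asks for are the same artifact, and its value to an adjuster depends on it being demonstrably unaltered. The Python below is an added example of an append-only, hash-chained incident log, not code from this article or from Cyber Defense Agent; the incident id, actors, host name and timestamps are constructed.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash recorded on the first entry

def _digest(body):
    """Canonical SHA-256 of an entry body (sorted keys, no whitespace)."""
    return hashlib.sha256(json.dumps(body, sort_keys=True, separators=(",", ":")).encode()).hexdigest()

class IncidentLog:
    """Append-only timeline: each entry hashes the previous one, so later edits, deletions or reordering are detectable."""

    def __init__(self, incident_id):
        self.incident_id = incident_id
        self.entries = []

    def record(self, actor, action, systems=(), contacts=(), evidence=(), when=None):
        """Append one entry; 'evidence' lists files such as screenshots or a saved ransom note."""
        body = {
            "incident_id": self.incident_id,
            "seq": len(self.entries),
            "time": (when or datetime.now(timezone.utc)).isoformat(),
            "actor": actor,
            "action": action,
            "systems": sorted(systems),
            "contacts": sorted(contacts),
            "evidence": sorted(evidence),
            "prev_hash": self.entries[-1]["hash"] if self.entries else GENESIS,
        }
        entry = dict(body, hash=_digest(body))
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """Recompute the chain; returns (True, None) or (False, index of the first bad entry)."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if entry["seq"] != i or body["prev_hash"] != prev or _digest(body) != entry["hash"]:
                return False, i
            prev = entry["hash"]
        return True, None

def build_sample_log():
    """Constructed sample (not a real incident); fixed timestamps keep hashes reproducible."""
    log, t0 = IncidentLog("INC-EXAMPLE-001"), datetime(2026, 5, 1, 8, 0, tzinfo=timezone.utc)
    log.record("jdoe", "Ransom note found; incident declared", systems=["FILE-SRV-01"], evidence=["note.png"], when=t0)
    log.record("jdoe", "Host isolated; no wipe or rebuild performed", systems=["FILE-SRV-01"], when=t0.replace(minute=25))
    log.record("cfo", "Carrier breach hotline called; claim number received", contacts=["carrier hotline"], when=t0.replace(hour=9))
    return log
```

Write each entry to append-only storage (or export the JSON to the breach coach) as it is recorded, so the chain head can be checked against a copy held outside the affected environment.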

Common reasons claims are denied

Understanding why claims get denied helps you avoid those pitfalls. The most frequent denial reasons are entirely preventable.

Material misrepresentation is the leading cause of claim denials. If you told your carrier you had MFA enforced but you actually did not, your claim can be denied entirely. This is not a technicality — courts have consistently upheld these denials. Cyber Defense Agent's continuous scanning creates an honest, verifiable record of your security posture that protects you from accidental misrepresentation.

Late notification is the second most common reason. Most policies require notification within 24-72 hours of discovering an incident. Some business owners delay notification hoping to resolve the issue internally. This almost always backfires. Notify immediately, even if you are unsure whether it qualifies as a covered incident.

Failure to mitigate means you are expected to take reasonable steps to limit damages after discovering an incident. If you know about a vulnerability and do not patch it, or if you fail to isolate compromised systems, the carrier can reduce or deny your payout.

Excluded events include incidents caused by acts of war (whether nation-state attacks fall under this exclusion is increasingly contested), known vulnerabilities left unpatched, and intentional acts by company insiders. Review your policy exclusions carefully before an incident occurs.

Working with adjusters and maximizing your payout

The claims adjuster assigned to your case determines how much you receive. Treating this relationship professionally maximizes your outcome.

Be thorough but organized. Adjusters handle dozens of claims simultaneously. Present your documentation clearly, with a summary cover letter, organized supporting documents, and a clear calculation of losses. Disorganized submissions get delayed.

Do not underestimate business interruption losses. Many SMBs focus on direct costs (forensics, notification, credit monitoring) but undercount business interruption losses. Calculate lost revenue from system downtime, reduced productivity during recovery, lost customers who left during the incident, overtime for employees working on recovery, and temporary solutions (manual processes, temporary systems). Business interruption coverage often represents the largest portion of a cyber claim.

Hire a public adjuster for large claims. If your claim exceeds $100,000, consider engaging a public adjuster who specializes in cyber claims. They work on contingency (typically 10% of the settlement) and consistently achieve higher payouts than businesses negotiating directly with carrier adjusters. Cyber Defense Agent's pre-incident scan history provides objective evidence of your security posture before the breach, which strengthens your position in claims negotiations.

Key Takeaways


Notify your carrier within 24 hours of discovering an incident — late notification is the second most common reason for claim denial.

Preserve forensic evidence before rebuilding systems — do not wipe anything until the forensics team has completed their analysis.

Material misrepresentation on your application is the leading cause of claim denial — use Cyber Defense Agent to maintain honest, verifiable security evidence.

Business interruption losses are often the largest component of a cyber claim — document all lost revenue and extra expenses from day one.

For claims exceeding $100,000, consider hiring a public adjuster who specializes in cyber claims.


Frequently asked questions

How long does a cyber insurance claim take to resolve?

Simple claims (data breach notification only) can resolve in 30-60 days. Complex claims involving ransomware, business interruption, and regulatory action can take 6-18 months. The timeline depends heavily on how organized your documentation is and whether any coverage disputes arise. Having pre-incident evidence from Cyber Defense Agent typically accelerates the process.

What if my carrier denies my claim?

First, request a detailed written explanation of the denial. Review it with a cybersecurity attorney who specializes in insurance coverage disputes. Many denials can be appealed, especially if you have evidence contradicting the carrier's stated reasons. Cyber Defense Agent scan history can provide critical evidence that you maintained the controls you claimed on your application.

Should I pay a ransom before contacting my carrier?

Never pay a ransom without involving your carrier first. Your policy may not cover ransomware payments made without prior carrier approval. Additionally, your carrier's breach coach and negotiation team have experience dealing with threat actors and often negotiate significantly lower payments. Unauthorized payments can void your coverage entirely.

Does filing a claim increase my premiums?

Yes, filing a claim typically increases premiums at renewal, usually by 20-50% depending on the severity. However, demonstrating that you remediated the root cause and improved your security posture (using Cyber Defense Agent scan evidence) can mitigate the increase. Some businesses find that improved security post-incident actually results in better terms than they had before, because they now have verifiable evidence of stronger controls.
