What to expect when your organization submits a cyber insurance claim

Read Time: 6 Min
The cybersecurity insurance claims process can be complex and nuanced. This overview can help you better understand what is involved.

By Ashley Bauer, Insurance Product Manager, Huntington Insurance Inc.

Your organization has stressed the importance of thinking twice before acting and not clicking on suspicious emails for fear of a cybersecurity attack. But one day, an employee downloads what they think is an updated version of a program they use every day – and suddenly, your organization’s critical data is locked down. That program was cleverly disguised ransomware, and your data is now being held hostage. Threat actors are demanding payment and the deadline to pay is approaching.

What do you do?

This type of scenario has been all-too familiar for many organizations in the last few years. According to the FBI’s latest internet complaint center report, ransomware attacks like this one amounted to more than $34.5 million in adjusted losses in 2022. Ransomware is just one example of cybersecurity threats on the rise.

In the face of this digital landscape, understanding the intricacies of cyber insurance claims can help build preparedness in the face of a cybersecurity incident.

The cyber liability insurance claims process

There are many types of incidents and cybersecurity claims, so the steps involved might not always be the same. These are typical steps you may follow, but rely on your insurance carrier, breach coach, and legal team to guide you through your claims process.

1. Notify your carrier as early as possible

Contact your insurance carrier immediately after detecting a potential cybersecurity incident. Even if the incident might seem minor or unlikely to escalate, over-notification is better than waiting to report. Delaying or failing to report an incident promptly can lead to more severe consequences and potentially jeopardize your claim.

Cyber policies typically require companies to notify them of an incident during the policy period or during an extended reporting period after the policy ends. This can be confusing to understand in practice, so here’s an example:

You learn about a potential cyber incident within 30 days of your renewal period. It seems to be a minor issue, so you choose not to report it. Instead of renewing with the same provider, you decide to purchase a liability insurance policy with a new insurance company that has better terms and pricing.

Four months later, costs from that cyber incident you didn’t report begin to materialize. You submit a claim, but your new insurance company denies the claim because you knew about the incident before placing coverage with them. You submit a claim to your previous insurance carrier, but they deny the claim because your policy expired, and the incident was reported outside the required terms of the policy.

You’re stuck carrying the full cost of the incident because you failed to report the incident in a timely manner according to your policy’s requirements.

2. Connect with a breach coach

Many policies include breach coach services, typically offered by the insurance company through a third-party law firm. Breach coaches chosen by the insurance companies are legal experts specializing in cybersecurity incidents and can play a pivotal role in guiding your response.

Note that due to the nature of the relationship, contacting a breach coach might not constitute notice of a claim with your carrier. You may still need to file a claim. The breach coach may help you file the claim or walk you through how to file it yourself.

3. Cooperate with the response effort

Cyber threat intelligence sharing is an important tool in the fight against cybercrime. Depending on the details of the incident, you can expect to work with forensics teams, law enforcement, or a negotiator to facilitate a virtual currency transaction.

Law enforcement can assist in determining the extent of the threat and analysis of next steps. For example, in a ransomware incident, they can provide insight into whether negotiation with the cybercriminals is possible. Over the years, attempted negotiation on cybercriminal demands have yielded mixed results, including the cybercriminal:

  • Agreeing to decrease the demand.
  • Increasing the demand following negotiations.
  • Walking away from the negotiation without a solution, leading to further business disruption until terms are met.

Fully cooperating with the response effort could help minimize the disruption and financial consequences of the attack.

4. Document the incident and file a detailed claim

Led by the forensics team and law enforcement, your cooperation will be needed in securing evidence of the event. The forensic team will analyze and document detailed records to be reviewed by the insurance carrier and used as proof of the loss.

While ultimately the root cause may never be known, the forensic report will be able to generally identify what happened and the breach’s scope. Findings may point to improvements in security that need to be made to help prevent a recurrence.

Five considerations during the cybersecurity insurance claims process

1. Anticipate extended business interruption

Organizations often underestimate the time it takes to recover from a cyber incident. Many expect to resume operations within hours – or at worst, a few days. Unfortunately, incidents can potentially cause interruptions for several weeks or even months. In the event of an incident, prepare to be impacted longer than expected. Preparing for business interruption includes:

2. Understand the ramifications of operational downtime

The immediate impact of a cyber incident often extends beyond just technical disruptions. It can also lead to a loss of customer trust and, consequently, lost customers. One study on the state of digital trust found that 84% of consumers would consider switching to a competitor if they lost trust in an enterprise, which could be through a data breach, account hack, or similar.

While many policies cover lost income during the period of restoration, the wording of the policies vary dramatically leading to differences in what may or may not be covered.

3. Know how your policy handles extra expenses and unfulfilled orders

There is a difference between delayed revenue and lost revenue with cyber insurance claims, and understanding the distinction is vital for businesses when assessing their potential financial exposure.

If a cyber incident delays orders, but you can later backfill those orders without losing customers, it’s typically not considered lost revenue during the period of restoration and won’t be covered by the insurer. Incurring extra costs to fulfill those orders, such as paying overtime, is also not considered lost revenue.

4. Check your policy before hiring outside vendors

Do not hire outside investigators, law firms, or PR agencies without first consulting with your insurance carrier and breach coach. Cybersecurity liability insurance policies often carry a duty to defend, meaning that the carrier is agreeing to cover expenses but needs to be involved in the claims handling process. This includes the hiring of vendors and signing statements of work.

Many carriers have preferred vendors, so coverage might be afforded differently when outside vendors are used. If vendors are hired before the carrier is notified of an incident, the carrier might not agree to the costs.

5. Consider working with a lawyer who specializes in cyber and privacy law

Cyber incidents often carry legal and regulatory ramifications. While you might feel more comfortable with your organization’s lawyer, they might recommend consulting with a cyber and privacy law lawyer whose expertise could help expedite recovery and ensure compliance. Complying with regulations is increasing important in light of the new U.S. SEC cybersecurity rules, including mandating material cybersecurity incident disclosures within four business days§.

Not only are these privacy lawyers more experienced in these matters, but your insurance carrier may also have preferred legal teams available at negotiated rates, which stretches your policy limits further.

Understanding cyber liability insurance

Cyber liability insurance can be an important piece of your organization’s risk management strategy. Understanding the nuances of your policy could make a significant difference in navigating the aftermath of a cyber incident, but the complex nature of the policies makes this a challenge. Working with a team specializing in cybersecurity insurance can help you identify what’s right for your organization. To learn more about Huntington Insurance solutions, visit our site here.

Financial & industry insights delivered to your inbox.

Sign up to receive emails about our latest articles, case studies, and events on topics that matter most to your business.

Related Content

FBI Internet Crime Complaint Center (IC3). 2022. “Federal Bureau of Investigation Internet Crime Report 2022.” Accessed December 11, 2023.

Digicert. 2023. “2022 State of Digital Trust Report Infographic.” Accessed December 11, 2023. digital-trust-infographic-en.pdf (digicert.com)

§ U.S. Securities and Exchanges Commission. 2023. “Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure.” Accessed December 11, 2023.

The information provided in this document is intended solely for general informational purposes and is provided with the understanding that neither Huntington, its affiliates nor any other party is engaging in rendering tax, financial, legal, technical or other professional advice or services or endorsing any third-party product or service. Any use of this information should be done only in consultation with a qualified and licensed professional who can take into account all relevant factors and desired outcomes in the context of the facts surrounding your particular circumstances. The information in this document was developed with reasonable care and attention. However, it is possible that some of the information is incomplete, incorrect, or inapplicable to particular circumstances or conditions. NEITHER HUNTINGTON NOR ITS AFFILIATES SHALL BE LIABLE FOR ANY DAMAGES, LOSSES, COSTS OR EXPENSES (DIRECT, CONSEQUENTIAL, SPECIAL, INDIRECT OR OTHERWISE) RESULTING FROM USING, RELYING ON OR ACTING UPON INFORMATION IN THIS DOCUMENT OR THIRD-PARTY RESOURCES IDENTIFIED IN THIS DOCUMENT EVEN IF HUNTINGTON AND/OR ITS AFFILIATES HAVE BEEN ADVISED OF OR FORESEEN THE POSSIBILITY OF SUCH DAMAGES, LOSSES, COSTS OR EXPENSES.

Lending and leasing products and services, as well as certain other banking products and services, may require credit application approval.

Third-party product, service and business names are trademarks/service marks of their respective owners.