Key takeaways
- Reporting cyber incidents immediately is critical – delays can jeopardize your claim and may lead to uncovered costs.
- Leveraging breach coaches and preferred vendors ensures compliance with policy terms and potentially speeds up recovery.
- Preparing for extended downtime with business continuity planning and a strong incident response plan helps minimize operational and financial impact.
Your organization has stressed the importance of thinking twice before acting and not clicking on suspicious emails for fear of a cybersecurity attack. But one day, an employee downloads what they think is an updated version of a program they use every day – and suddenly, your organization’s critical data is locked down. That program turned out to be ransomware, and your data is now being held hostage. Threat actors are demanding payment, and the deadline is rapidly approaching.
What do you do?
This kind of situation has become all too common for many organizations in recent years. According to the FBI’s 2024 Internet Crime Report, cybercrime losses in the U.S. reached a record $16.6 billion – a 33% increase year-over-year¹. Ransomware remains the most pervasive threat to critical infrastructure, with complaints rising by 9% from 2023¹.
In the face of this digital landscape, understanding cyber liability coverage and the intricacies of cyber insurance claims can help build preparedness in the face of a cybersecurity incident.
Cyber insurance claims process: What businesses need to know
There are many types of incidents and cybersecurity claims, so the steps involved might not always be the same. These are typical steps you may follow, but rely on your insurance carrier, breach coach, and legal team to guide you through your claims process.
1. Notify your carrier as early as possible
Contact your insurance carrier immediately after detecting a potential cybersecurity incident. Even if the incident seems minor or unlikely to escalate, over-notification is better than waiting to report. Delays can lead to severe consequences and may jeopardize your claim.
Most cyber policies require you to report incidents as soon as practicable during the policy period or within an extended reporting window after it ends. This can be confusing to understand in practice, so here’s an example:
You learn about a potential cyber incident within 30 days of your renewal period. It seems to be a minor issue, so you choose not to report it. Instead of renewing with the same provider, you decide to purchase a liability insurance policy with a new insurance company that has better terms and pricing.
Four months later, costs from that cyber incident you didn’t report begin to materialize. You submit a claim, but your new insurance company denies the claim because you knew about the incident before placing coverage with them. You submit a claim to your previous insurance carrier, but they deny the claim because your policy expired, and the incident was reported outside the required terms of the policy.
You’re stuck carrying the full cost of the incident because you failed to report the incident in a timely manner according to your policy’s requirements.
2. Connect with a breach coach
Many policies include breach coach services, typically offered by the insurance company through a third-party law firm. Breach coaches chosen by the insurance companies are legal experts specializing in cybersecurity incidents and can play a pivotal role in guiding your response.
Note that due to the nature of the relationship, contacting a breach coach might not constitute notice of a claim with your carrier. You may still need to file a claim. The breach coach may help you file the claim or walk you through how to file it yourself.
3. Cooperate with the response effort
Cyber threat intelligence sharing is an important tool in the fight against cybercrime. Depending on the details of the incident, you can expect to work with forensics teams, law enforcement and/or a negotiator to facilitate a virtual currency transaction.
Law enforcement can help assess the threat and guide next steps. For example, in a ransomware incident, they can provide insight into whether negotiation with the cybercriminal is possible. Over the years, attempted negotiations over cybercriminal demands have yielded mixed results, including the cybercriminal:
- Agreeing to decrease the demand.
- Increasing the demand following negotiations.
- Walking away from the negotiation without a solution, leading to further business disruption until terms are met.
Fully cooperating with the response effort could help minimize the disruption and financial consequences of the attack.
4. Document the incident and file a detailed claim
Your cooperation will be needed in securing evidence of the event, an effort led by the forensics team and law enforcement. The forensics team will analyze and document detailed records to be reviewed by the insurance carrier and used as proof of the loss.
The forensic report will outline what happened and the scope of the breach, even if the root cause remains unclear. Findings may point to improvements in security that need to be made to help prevent a recurrence.
5 key tips for cyber insurance claims and incident response planning
1. Anticipate extended business interruption
Organizations may underestimate how long recovery takes after a cyber incident. Many expect to resume operations within hours – or at worst, a few days. Unfortunately, incidents can potentially cause interruptions for several weeks or even months. In the event of an incident, prepare to be impacted longer than expected. Preparing for business interruption includes:
- A comprehensive business preparedness strategy incorporating business continuity, disaster recovery and incident response plans.
- Developing and exercising a strong data recovery and protection plan.
- Alternate operational strategies in case of prolonged disruption.
2. Understand the ramifications of operational downtime
A cyber incident affects more than just technology – it can damage customer trust. A global survey revealed that 64% of consumers stated fraud or data breach incidents negatively affect their perception of a brand². In the U.S., the impact is even more severe – with 38% of cybercrime victims cutting ties with the organization entirely². This underscores how critical trust and security are to maintaining customer relationships.
While many policies cover lost income during the period of restoration, the wording of policies varies dramatically, leading to differences in what may or may not be covered.
3. Know how your policy handles extra expenses and unfulfilled orders
There is a difference between delayed revenue and lost revenue with cyber insurance claims, and understanding the distinction is vital for businesses when assessing their potential financial exposure.
If a cyber incident delays orders, but you can later fulfill them without losing customers, that revenue is generally not considered lost during the restoration period and won’t be covered by insurance. Likewise, extra costs incurred to complete those orders – such as paying overtime – may also be excluded from lost revenue coverage.
4. Check your policy before hiring outside vendors
Check with your insurance carrier and breach coach before hiring outside vendors. Cybersecurity liability insurance policies often carry a duty to defend, meaning that the carrier is agreeing to cover expenses but needs to be involved in the claims handling process. This includes the hiring of vendors and reviewing statements of work.
Many carriers prefer particular vendors, so coverage might be afforded differently when outside vendors are used. If vendors are hired before the carrier is notified of an incident, the carrier may decline to cover the costs or only reimburse a portion of the hourly rates, especially if their preferred vendors could have completed the work at a lower cost.
5. Consider working with a lawyer who specializes in cyber and privacy law
Cyber incidents often carry legal and regulatory ramifications. While you might feel more comfortable with your organization’s preferred lawyer, they might recommend consulting with a lawyer who specializes in cyber and privacy law, whose expertise could help expedite recovery and ensure compliance. The U.S. Securities and Exchange Commission’s (SEC’s) cybersecurity rules require public companies to disclose material cybersecurity incidents within four business days and provide annual details on how they manage and oversee cyber risks³.
Not only are these privacy lawyers more experienced in these matters, but your insurance carrier may also have preferred legal teams available at pre-negotiated rates, which stretches your policy limits further.
What is cyber liability insurance and why it matters
Cyber liability insurance, sometimes referred to as data breach insurance, can be an important piece of your organization’s risk management strategy. Understanding the nuances of your policy could make a significant difference in navigating the aftermath of a cyber incident, but the complex nature of the policies makes this a challenge. Working with a team specializing in cybersecurity insurance can help you identify what’s right for your organization.