Submitting a cyber insurance claim: Steps to minimize risk and downtime

Your organization has stressed the importance of thinking twice before acting and not clicking on suspicious emails for fear of a cybersecurity attack. But one day, an employee downloads what they think is an updated version of a program they use every day – and suddenly, your organization’s critical data is locked down. That program turned out to be ransomware, and your data is now being held hostage. Threat actors are demanding payment, and the deadline is rapidly approaching.

What do you do?

This kind of situation has become all too common for many organizations in recent years. According to the FBI’s 2024 Internet Crime Report, cybercrime losses in the U.S. reached a record $16.6 billion – a 33% increase year-over-year¹. Ransomware remains the most pervasive threat to critical infrastructure, with complaints rising by 9% from 2023¹.

In the face of this digital landscape, understanding cyber liability coverage and the intricacies of cyber insurance claims can help build preparedness in the face of a cybersecurity incident.

Cyber insurance claims process: What businesses need to know

There are many types of incidents and cybersecurity claims, so the steps involved might not always be the same. These are typical steps you may follow, but rely on your insurance carrier, breach coach, and legal team to guide you through your claims process.

1. Notify your carrier as early as possible

Contact your insurance carrier immediately after detecting a potential cybersecurity incident. Even if the incident might seem minor or unlikely to escalate, over-notification is better than waiting to report. Report incidents promptly. Delays can lead to severe consequences and may jeopardize your claim.

Most cyber policies require you to report incidents as soon as practicable during the policy period or within an extended reporting window after it ends. This can be confusing to understand in practice, so here’s an example:

You learn about a potential cyber incident within 30 days of your renewal period. It seems to be a minor issue, so you choose not to report it. Instead of renewing with the same provider, you decide to purchase a liability insurance policy with a new insurance company that has better terms and pricing.

Four months later, costs from that cyber incident you didn’t report begin to materialize. You submit a claim, but your new insurance company denies the claim because you knew about the incident before placing coverage with them. You submit a claim to your previous insurance carrier, but they deny the claim because your policy expired, and the incident was reported outside the required terms of the policy.

You’re stuck carrying the full cost of the incident because you failed to report the incident in a timely manner according to your policy’s requirements.

2. Connect with a breach coach

Many policies include breach coach services, typically offered by the insurance company through a third-party law firm. Breach coaches chosen by the insurance companies are legal experts specializing in cybersecurity incidents and can play a pivotal role in guiding your response.

Note that due to the nature of the relationship, contacting a breach coach might not constitute notice of a claim with your carrier. You may still need to file a claim. The breach coach may help you file the claim or walk you through how to file it yourself.

3. Cooperate with the response effort

Cyber threat intelligence sharing is an important tool in the fight against cybercrime. Depending on the details of the incident, you can expect to work with forensics teams, law enforcement, or a negotiator to facilitate a virtual currency transaction.

Law enforcement can help assess the threat and guide next steps. For example, in a ransomware incident, they can provide insight into whether negotiation with the cybercriminal is possible. Over the years, attempted negotiation on cybercriminal demands have yielded mixed results, including the cybercriminal:

• Agreeing to decrease the demand.
• Increasing the demand following negotiations.
• Walking away from the negotiation without a solution, leading to further business disruption until terms are met.

Fully cooperating with the response effort could help minimize the disruption and financial consequences of the attack.

4. Document the incident and file a detailed claim

Led by the forensics team and law enforcement, your cooperation will be needed in securing evidence of the event. The forensic team will analyze and document detailed records to be reviewed by the insurance carrier and used as proof of the loss.

The forensic report will outline what happened and the scope of the breach, even if the root cause remains unclear. Findings may point to improvements in security that need to be made to help prevent a recurrence.

5 key tips for cyber insurance claims and incident response planning

1. Anticipate extended business interruption

Organizations may underestimate how long recovery takes after a cyber incident. Many expect to resume operations within hours – or at worst, a few days. Unfortunately, incidents can potentially cause interruptions for several weeks or even months. In the event of an incident, prepare to be impacted longer than expected. Preparing for business interruption includes:

• A comprehensive business preparedness strategy incorporating business continuity, disaster recovery, and incident response plans.
• Developing and exercising a strong data recovery and protection plan.
• Alternate operational strategies in case of prolonged disruption.

2. Understand the ramifications of operational downtime

A cyber incident affects more than just technology – it can damage customer trust. A global survey revealed that 64% of consumers stated fraud or data breach incidents negatively affect their perception of a brand². In the U.S., the impact is even more severe – with 38% of cybercrime victims cutting ties with the organization entirely². This underscores how critical trust and security are to maintaining customer relationships.

While many policies cover lost income during the period of restoration, the wording of the policies vary dramatically leading to differences in what may or may not be covered.

3. Know how your policy handles extra expenses and unfulfilled orders

There is a difference between delayed revenue and lost revenue with cyber insurance claims, and understanding the distinction is vital for businesses when assessing their potential financial exposure.

If a cyber incident delays orders, but you can later fulfill them without losing customers, that revenue is generally not considered lost during the restoration period and won’t be covered by insurance. Likewise, extra costs incurred to complete those orders – such as paying overtime – may also be excluded from lost revenue coverage.

4. Check your policy before hiring outside vendors

Check with your insurance carrier and breach coach before hiring outside vendors. Cybersecurity liability insurance policies often carry a duty to defend, meaning that the carrier is agreeing to cover expenses but needs to be involved in the claims handling process. This includes the hiring of vendors and reviewing statements of work.

Many carriers prefer particular vendors, so coverage might be afforded differently when outside vendors are used. If vendors are hired before the carrier is notified of an incident, the carrier may decline to cover the costs or only reimburse a portion of the hourly rates, especially if their preferred vendors could have completed the work at a lower cost.

5. Consider working with a lawyer who specializes in cyber and privacy law

Cyber incidents often carry legal and regulatory ramifications. While you might feel more comfortable with your organization’s preferred lawyer, they might recommend consulting with a cyber and privacy law lawyer whose expertise could help expedite recovery and ensure compliance. The U.S. Securities and Exchange Commission’s (SEC’s) cybersecurity rules require public companies to disclose material cybersecurity incidents within four business days and provide annual details on how they manage and oversee cyber risks³.

Not only are these privacy lawyers more experienced in these matters, but your insurance carrier may also have preferred legal teams available at pre-negotiated rates, which stretches your policy limits further.

What is cyber liability insurance and why it matters

Cyber liability insurance, sometimes referred to as data breach insurance, can be an important piece of your organization’s risk management strategy. Understanding the nuances of your policy could make a significant difference in navigating the aftermath of a cyber incident, but the complex nature of the policies makes this a challenge. Working with a team specializing in cybersecurity insurance can help you identify what’s right for your organization. To learn more about Huntington Insurance solutions, visit our site here.