By Ryan Windt | Head of Growth Marketing | Updated March 2026
Most businesses buy cyber insurance hoping they never need it. When an incident actually happens, many of them discover they have no idea how the claims process works, and that gap costs them.
A ransomware attack, a business email compromise, a data breach: the moment something goes wrong is exactly the wrong time to be reading your policy for the first time. The businesses that recover fastest are the ones that already understand what to do, in what order, and what not to do in the first hours and days after an incident.
This guide walks through the full claims process, the most common reasons claims get denied, and what you can do before an incident to make sure your policy actually pays when you need it.
Before You Do Anything Else: Find Your Policy and Your Hotline Number
Most cyber insurance policies include a 24/7 incident response hotline. This is not the general customer service line. It is a dedicated line staffed by breach response professionals whose job is to help you in the immediate aftermath of an incident. The number is usually on your policy declarations page or in a wallet card your carrier provides at binding.
Find that number now, before you need it. Save it in your phone, post it in your IT room, and make sure your IT lead and executive team have it.
When you call, you are not filing a formal claim yet. You are notifying your carrier that an incident may have occurred and activating their response resources. This matters for two reasons.
First, most policies require notification within 24 to 72 hours of discovering an incident. Missing that window is one of the most common and most avoidable reasons claims get denied. The clock starts when you discover the incident, not when you finish investigating it.
Second, your carrier’s panel of approved vendors, including forensic investigators, legal counsel, and public relations firms, must be used for their costs to be covered. If you hire your own forensic firm or attorney before notifying the carrier, those costs may not be reimbursable. Notify first, then engage resources.
Step 1: Contain, But Preserve Evidence
Your instinct when something goes wrong is to fix it. Restore from backup, wipe the affected machines, get systems back online. That instinct is often the right one for business continuity, but it can be the wrong one for your claim.
Insurers and their forensic investigators need evidence to understand what happened, how access was obtained, what data was affected, and whether the incident falls within your coverage. If you wipe systems or overwrite logs before a forensic image is taken, you may eliminate the evidence needed to support your claim.
The right approach is to isolate affected systems from the network without wiping them. Disconnect compromised devices to prevent further spread, but do not reformat or restore them until the carrier’s forensic team has assessed them or explicitly cleared you to do so.
Document everything you observe as you go. Timestamps, error messages, unusual activity, what systems are affected, when you first noticed something was wrong. That log becomes part of your claim file.
Step 2: Notify Your Carrier Formally
After the initial hotline call, your carrier will walk you through their formal notification process. This typically involves completing a written notice of claim, which establishes the official record of when the incident was reported and what was known at that time.
Be thorough and accurate in this notice. Do not speculate about cause or scope if you do not yet know. Do not minimize the incident to avoid the appearance of a large claim. Describe what you know, what you do not yet know, and what steps you have taken so far.
If you work with an insurance broker, loop them in at this stage. Your broker’s role during a claim is to advocate on your behalf, help interpret coverage questions, and manage communication with the carrier. They should not be the last person you call.
Step 3: Engage the Carrier’s Approved Vendors
Once you have notified the carrier, they will typically assign a claims handler and coordinate access to their panel vendors. For most incidents of meaningful size, this will include some combination of the following:
Forensic investigators examine your systems to determine how the attacker gained access, what they did, what data was accessed or exfiltrated, and when the breach began. Their report forms the technical foundation of your claim.
Legal counsel advises you on notification obligations under state and federal privacy laws, potential regulatory exposure, and how to manage communications in a way that does not create additional liability. Most states have breach notification requirements that trigger once you confirm personal information was compromised.
Public relations support is available on some policies for incidents that carry reputational risk. Not every claim requires it, but it is worth knowing whether your policy includes it.
Ransomware negotiators are available through many carriers if the incident involves an extortion demand. Your carrier should be involved in any ransom negotiation. Paying a ransom without carrier involvement can affect coverage and may create sanctions exposure depending on who the attacker is.
Use the carrier’s panel. Vendors who are not pre-approved may not have their fees covered, and in some cases using unapproved vendors can affect the overall claim.
Step 4: Document Your Losses
Your claim is only as strong as your documentation. As the incident unfolds and recovery begins, you need to build a clear record of every cost associated with it.
This includes direct costs such as forensic investigation fees, legal fees, notification costs, credit monitoring services if personal data was exposed, and any ransom payment made with carrier approval.
It also includes business interruption losses, which are often the largest component of a cyber claim. Business interruption coverage pays for lost revenue and extra expenses incurred while your systems are down. Calculating this requires documentation of your normal revenue, the period during which operations were disrupted, and the specific extra costs you incurred to maintain business functions during recovery.
Keep every invoice, every internal time log, every vendor contract, and every communication related to the incident. Carriers will request this documentation when evaluating the loss.
Step 5: Meet Your Regulatory Notification Obligations
Cyber insurance covers many of the costs of regulatory compliance after a breach, but it does not eliminate the obligations themselves. You still have to comply.
Most states require notification to affected individuals within a specified window after confirming that personal information was compromised. Requirements vary by state, by the type of data involved, and by the number of affected individuals. Some states also require notification to the state attorney general or other regulatory bodies.
If your business is subject to HIPAA, PCI DSS, or other industry-specific frameworks, additional notification and reporting requirements apply on top of state law.
Your carrier’s legal counsel will help you navigate this. But do not assume the carrier handles it automatically. You are the responsible party. The policy funds the response. You execute it.
Step 6: Cooperate With the Claims Investigation
After notification, the carrier will conduct their own investigation of the incident. This is separate from the forensic work done on your behalf. The carrier’s investigation is focused on coverage: confirming what happened, verifying that the incident falls within the policy terms, and assessing the scope of covered losses.
Cooperate fully. Provide requested documentation promptly. Make relevant personnel available for interviews if asked. Do not obstruct or delay the investigation.
Carriers have the right to examine your security controls as they existed at the time of the incident. If your MFA deployment, backup practices, or other controls were not consistent with what was represented on your application, that discrepancy will be scrutinized. Policies can be rescinded and claims denied if there is material misrepresentation in the application.
Why Claims Get Denied (and How to Avoid It)
Cyber insurance denials rarely happen because a carrier disputes that a breach occurred. They happen because something in the policy conditions was not met. The most common reasons:
Late notification. Missing the 24- to 72-hour notification window is responsible for a significant share of denials. The window starts at discovery, not at the end of the investigation. When in doubt, notify early and update the carrier as you learn more.
Security controls not in place. If your policy requires MFA, EDR, or other specific controls and those controls were not implemented or were only partially deployed at the time of the incident, the carrier can deny the claim. This is the leading cause of denials across the industry.
Application misrepresentation. If you represented that certain controls were in place when you applied and they were not, the carrier can rescind the policy entirely. This has happened in high-profile cases involving MFA misrepresentation. What you attest to on the application must match your actual posture.
Unapproved vendors. Engaging forensic or legal vendors who are not on the carrier’s approved panel without prior authorization can result in those costs being excluded from coverage.
Excluded incident types. War exclusions, infrastructure failure exclusions, and social engineering sublimits catch many policyholders off guard. If the incident involved a nation-state actor, a third-party vendor breach, or a funds transfer fraud event, coverage may be limited or excluded depending on your policy structure.
Waiting too long to report third-party breaches. If a vendor or cloud provider was breached and your data was exposed, that is still a covered incident on many policies, but you must notify your carrier when you discover it, not months later.
What to Do Before an Incident to Make Claims Go Smoothly
The businesses that have the least trouble with claims are the ones that treated claims readiness as part of their ongoing security program, not an afterthought.
A few things that matter before the incident:
Know your notification window and have a process for meeting it. If your IR plan does not include a step for notifying your carrier within 24 to 72 hours, it is incomplete.
Keep your policy current and accurate. If your security posture changes in a meaningful way after binding, inform your carrier. Adding a new business unit, moving to the cloud, changing your backup architecture: these are the kinds of changes that affect your risk profile and should be disclosed.
Document your controls. Carriers increasingly want evidence, not just attestation. Screenshots, configuration exports, patch logs, and backup test records are the documentation that supports both your underwriting application and your claims file if something goes wrong.
Run a tabletop exercise that includes the insurance notification step. Most IR tabletops focus on technical response. Very few include the moment someone picks up the phone and calls the carrier. Practice that step so it is not improvised under pressure.
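As an added example (not SeedPod Cyber's code or any carrier's tooling), the Python script below shows one way to keep the claim file that Step 1 and Step 4 describe and to track the notification window from the "Know your notification window" point above: it anchors the clock at discovery, computes the deadline from the policy's window, keeps an append-only timestamped observation log, and separates costs incurred through the carrier's panel from costs incurred without approval. The 72-hour window, the system names, the dates and every dollar figure are constructed assumptions; read the real window off your own policy.

```python
"""Claim-file helper for the first days of an incident: tracks the
discovery time, the carrier notification deadline, timestamped
observations, and documented costs. Added example, not SeedPod Cyber's
tooling; the policy window and every figure below are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple


@dataclass
class ClaimFile:
    discovered_at: datetime            # the clock starts here, not when the investigation ends
    notify_window_hours: int = 72      # assumption: read the window off your own policy
    notified_at: Optional[datetime] = None
    observations: List[Tuple[datetime, str]] = field(default_factory=list)
    covered: Dict[str, float] = field(default_factory=dict)   # panel vendors / carrier-approved spend
    at_risk: Dict[str, float] = field(default_factory=dict)   # spend without approval; may be excluded

    def notification_deadline(self) -> datetime:
        return self.discovered_at + timedelta(hours=self.notify_window_hours)

    def hours_remaining(self, now: datetime) -> float:
        """Hours left to notify; negative means the window has already closed."""
        return (self.notification_deadline() - now).total_seconds() / 3600

    def notified_in_window(self) -> bool:
        return self.notified_at is not None and self.notified_at <= self.notification_deadline()

    def log(self, when: datetime, note: str) -> None:
        """Append-only observation log: never rewrite earlier entries."""
        self.observations.append((when, note))

    def add_cost(self, category: str, amount: float, carrier_approved: bool) -> None:
        """Record a direct cost, keeping unapproved spend separate so it stays visible."""
        bucket = self.covered if carrier_approved else self.at_risk
        bucket[category] = bucket.get(category, 0.0) + amount

    def business_interruption(self, daily_revenue: float, days_down: float, extra_expense: float) -> float:
        """Lost revenue over the outage period plus extra expense to keep operating."""
        loss = daily_revenue * days_down + extra_expense
        self.covered["business interruption"] = loss
        return loss

    def total_documented(self) -> float:
        return sum(self.covered.values()) + sum(self.at_risk.values())


def build_sample_claim() -> ClaimFile:
    """Constructed timeline for a ransomware incident (all values are made up)."""
    utc = timezone.utc
    cf = ClaimFile(discovered_at=datetime(2026, 3, 2, 9, 15, tzinfo=utc))
    cf.log(cf.discovered_at, "File shares unreadable; ransom note found on FS01")
    cf.log(datetime(2026, 3, 2, 9, 40, tzinfo=utc), "FS01 and APP02 isolated from network, not wiped")
    cf.notified_at = datetime(2026, 3, 2, 14, 0, tzinfo=utc)   # hotline call the same day
    cf.log(cf.notified_at, "Carrier hotline notified; panel forensic firm engaged")
    cf.add_cost("forensics (panel)", 40_000, carrier_approved=True)
    cf.add_cost("legal (panel)", 15_000, carrier_approved=True)
    cf.add_cost("notification and credit monitoring", 8_000, carrier_approved=True)
    cf.add_cost("local IT contractor hired before the hotline call", 3_500, carrier_approved=False)
    cf.business_interruption(daily_revenue=25_000, days_down=4, extra_expense=12_000)
    return cf


if __name__ == "__main__":
    claim = build_sample_claim()
    print("notification deadline:", claim.notification_deadline().isoformat())
    print("notified in window:", claim.notified_in_window())
    print("hours left at notification:", claim.hours_remaining(claim.notified_at))
    print("covered costs:", claim.covered)
    print("at-risk costs:", claim.at_risk)
    print("total documented:", claim.total_documented())
```

The separate `at_risk` bucket is the point of the design: a cost that was incurred before the hotline call or through a non-panel vendor is still documented (the carrier will ask for it), but it is never silently mixed into the figure you expect to be reimbursed. Running the script with a `notified_at` later than the deadline makes `notified_in_window()` return False, which is the check an IR plan should surface long before the window closes.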
At SeedPod Cyber, we underwrite directly, which means we are involved in your coverage from the start, not just at claim time. If you want to talk through how your current policy is structured for a real incident, we are here.
This content is intended for informational purposes only and does not constitute legal or insurance advice. Coverage terms, notification requirements, and claims processes vary by policy and carrier. Consult your carrier and a licensed insurance professional for guidance specific to your situation.