
How you manage cyber insurance claims is critical to recover losses

By Elizabeth Caldwell, Matt O’Connor and Caroline Rafferty | October 31, 2022

Maximizing recovery under your cyber insurance policy for losses stemming from data breaches or cyberattacks requires detailed processes and expertise.

Cyberattacks or data breaches can be devastating because they can affect all locations, departments and functions of a business, resulting in significant losses across the organization. Though cyber insurance helps organizations recover financially from a cyberattack, they must be prudent and organized in order to recover the maximum they are entitled to under their policies. Incorporating insurance claim considerations into your response and recovery plan following a cyberattack or data breach will streamline the insurance claim process, ensure all costs are being identified and tracked, and reduce disputes during the claim adjustment process.

What should you do if you have a cyber insurance claim?

If your organization suffers a loss from a cyberattack or data breach, you should report the event to your cyber insurance carrier as soon as possible to preserve your organization’s rights under its cyber insurance policy. One of the primary reasons immediate reporting is critical, ideally before engaging any vendors or incurring any costs, is to avoid any pre-tender issues, where the insurer denies coverage for expenses incurred prior to the date the claim was reported.

Once the cyber event has been reported and expenses have been incurred, cyber insurers typically require their policyholders to submit a written proof of loss. The specific proof of loss requirements vary based on each insurer’s policy language, but generally insurers want the proof of loss to contain the following:

  • A detailed description of the loss that includes its time, place and cause
  • A calculation of loss and any underlying documentation that supports the loss

Many insurers require the proof of loss to be submitted within a certain number of days, such as 90 days. However, insurers will typically consent to an extension of time for you to submit your proof of loss, particularly if your organization continues to incur expenses because of the cyber event.

If you suffer business income or extra expense losses from the cyber event, you should carefully review your cyber insurance policy to determine which types of expenses are covered as “business income loss” or “extra expenses.” Typically, “business income loss” is defined as income loss, although the definition of income can vary widely between insurers.

Policies can also vary in terms of:

  • The length of the time during which the insurer will cover losses.
  • How the insurer defines “extra expenses;” for example, some policies define such expenses as those incurred to reduce loss of income, whereas other policies define “extra expenses” more broadly to include expenses incurred over and above the organization’s ordinary expenses because of the event.

Insurers will often engage their own experts, including IT consultants and forensic accountants, to review an organization’s proof of loss, business income and other losses. Engaging your own forensic accountant to assist in calculating business income losses and extra expenses resulting from the cyberattack or data breach is critical. The forensic accountant, who represents only your interest, and not the insurer’s, will assist in identifying, quantifying and maximizing your organization’s business income losses and extra expenses based on the terms and conditions of the cyber policy. The forensic accountant you hire will also advocate on your organization’s behalf in discussions with the insurer’s forensic accountant. Most policies provide coverage for forensic accountant expenses that you incur.

Narrative of events

In the initial hours and days following a cyber event, there is often confusion. You are trying to identify the affected systems and any related operational impacts, and continue operations given these potential system impacts. Consultants are often quickly engaged to help you recover from the cyber event while employees and external consultants frantically work to identify security vulnerabilities, restore systems and minimize operational disruptions.

In those initial hours, days and weeks, the focus is primarily on recovering from the cyber event and not on the insurance claim process that will follow in the coming months. However, to prepare the proof of loss, calculate business income losses and capture all expenses incurred because of the event, we recommend you implement a system to document the recovery efforts in real time and any costs while they are being incurred. This will be critical when the insurer and its forensic accountant review your claim submission.

We recommend taking detailed notes on events as they are occurring, such as:

  • Listing impacted systems and the date each system is partially and fully restored
  • Detailing the impact each system outage has on your organization’s operations and revenue generation
  • Detailing any manual workarounds or incremental hours incurred to continue operations or minimize operational impacts
  • Understanding how the system outage impacts production levels, costs or ability to generate sales

We find that capturing this information in real time greatly assists in preparing a comprehensive and detailed narrative for your insurers to support the losses claimed. This complete and in-depth narrative helps provide context and background to the losses being claimed, which streamlines the insurance claim review process and reduces pushback from insurers.

Vendor expenses

Immediately following a cyber event, your organization will likely engage multiple third-party vendors to assist in the response and recovery process. These firms address a wide range of activities, including public relations and crisis management, legal counsel breach management, forensics/investigations and data/system restoration.

Many organizations’ first inclination is to engage vendors they have preexisting relationships with. However, you should be aware that some cyber insurance policies include vendor panel clauses requiring the use of vendors from a preapproved panel. Using non-panel approved vendors can result in denied reimbursement of costs or partial reimbursement up to the panel-approved hourly rates. Some cyber policies are more lenient when you engage non-panel vendors but may provide incentives for policyholders to engage preapproved vendors, such as higher limits or lower retentions.

In addition to considering panel requirements, your team should work closely with response and recovery vendors to ensure they are providing sufficient scope of work and invoice detail to support an expedited review and payment process by your cyber insurer. This can be achieved by providing:

  • Detailed statements of work (SOWs): Executing SOWs with each vendor outlining a detailed description of the work being performed.
  • Clear vendor invoice detail guidelines: For vendors billing hourly rates, cyber insurers regularly request detailed records of the work performed by each vendor employee daily, or at the very least, weekly. You should instruct all vendors, particularly IT consultants, to provide as much detail as possible regarding the activities being performed each day/week, as well as the specific systems they are working to restore.
  • Separate SOWs and invoices for system enhancements and improvements: Following a cyber event, organizations will often engage the same IT vendor(s) to perform system enhancement and improvement, and system recovery and restoration work. For vendors performing both types of work, it is important to clearly delineate the tasks on invoices and SOWs to simplify insurers’ review and payment process.

IT expenses – consultants, hardware and software

One of the largest expenses following a cyber event is often IT expenses. This may include hardware or software purchases and IT consultant costs. Often the cyber event exposes weaknesses within an organization’s IT systems and security. Organizations often strengthen their systems during the recovery and response process.

During the insurance claim process, insurers will want to ensure claimed IT costs only include restoration costs to restore IT systems to the standard that existed before the cyber event and do not include any costs for upgrades, enhancements or strengthening of IT systems and security. During the claim review process, difficulties and delays often arise if the costs incurred by IT vendors contain a mix of restoration and upgrade expenses.

If you are engaging IT vendors to provide a mix of restoration and system improvement services, it is prudent to execute separate SOWs for the restoration/recovery work and the upgrade/improvement work. This will ensure the costs are clearly segregated for the insurance claim process.

Further, when compiling IT expense details, it is useful to delineate expenses related to replacements for damaged or corrupted items that cannot be restored versus purchases of hardware for interim solutions to minimize operational disruption.

Business income

Depending on your industry and the type of event suffered, your organization may sustain a business income loss from a cyber event. Businesses typically prioritize reinstating key systems as quickly as possible following a cyber event to minimize operational and production disruption. As a result, organizations are usually able to return operations to at least partial capacity within a few days. Due to this short impact period to key systems and the difficulty of directly connecting sales losses to a cyber event, we typically find that business income losses included in cyber insurance claims are highly scrutinized.

Two main areas most scrutinized by insurers and their forensic accountants include:

  • Lost sales makeup and mitigation: The insurer’s forensic accountants often attempt to argue that lost sales and production from a cyber event are made up once operations are restored or that any potential lost sales are mitigated through existing inventory.
  • Connecting lost sales to system disruptions: The insurers often request burdensome support connecting sales losses to system disruptions caused by the cyber event or will argue that sales losses are related to other factors.

Providing a comprehensive written narrative, supplemented by conversations between your organization’s operations and sales teams and the insurer’s representatives, often helps to provide more context to the sales losses resulting from the event. Some examples of items to document and address in this discussion include:

  • Discussion of production impacts or the ability to provide services
  • Ability to make up lost production with extra shifts, overtime, etc.
  • Increased production costs or inefficiencies resulting from manual workarounds
  • Lost or cancelled orders
  • Permanent customer or contract losses
  • Customers’ ability to purchase products/services from competitors

Other expenses

The financial impact of cyber events often spreads well beyond vendor-related expenses and business interruption. Examples of such losses include:

  • Incremental internal labor costs for restoration/recovery activities and makeup of lost production
  • Expenses to mitigate business income losses
  • Increased operating costs

Of the items listed above, internal labor costs often cause the most confusion and frustration in cyber claims. In many cases, organizations rely heavily or exclusively on internal staff, usually salaried IT employees, for system restoration and recovery efforts. Unfortunately, most policies only provide coverage for incremental payroll costs above and beyond normal costs.

For example, incremental overtime costs for hourly IT resources are generally covered. However, one-time bonuses or other discretionary compensation to reward internal employees for working abnormally long hours are usually excluded from reimbursement. Given these coverage considerations, you should consider the costs and benefits of using internal labor and third-party IT consulting firms.

You should also ensure that a process is in place to track all incremental costs incurred to mitigate or reduce any operational disruption. Examples include costs incurred to make up lost production, extra costs to accelerate the recovery process (such as purchasing new computers instead of reimaging infected computers), expedited freight costs or any other cost that reduces business income or other losses.

Further thoughts

Unfortunately, the question today is not whether a cyberattack and data breach will occur, but how fast and efficiently you can recover from one. Understanding the insurance process before you file a claim or experience an event can enable you to limit the financial and operational impact of such attacks.

