What You'll Learn
Filing a cyber insurance claim isn't like filing a property damage claim after a fire. The evidence is digital, the scope is often unclear for days or weeks, and mistakes made in the first few hours — like paying a ransom without approval or destroying forensic evidence during cleanup — can seriously compromise your recovery.
This guide walks through the actual process, from the moment you discover an incident through claim resolution, with practical advice on avoiding the mistakes that cost Canadian businesses money.
The first 24 hours: what to do immediately
When you discover a cyber incident, your first moves matter enormously. Here's what to do — and what not to do:
Immediate actions
- Notify your insurer immediately. Most cyber policies require prompt notification — often "as soon as practicable." Delays can jeopardize coverage. Call the claims number on your policy, or call your broker.
- Contain the incident without destroying evidence. Isolate affected systems from the network, but don't reimage, wipe, or rebuild them before forensic investigation. Prefer disconnecting a machine over powering it off: a shutdown discards memory-resident evidence (running processes, active network connections, loaded malware) that a forensic firm may need. Also suspend any log rotation or retention jobs that could overwrite records of the intrusion. Preserved evidence is critical for both the claim and any regulatory reporting.
- Document everything from the start. Who discovered the incident, when, what was observed, what actions were taken, and by whom. A contemporaneous timeline is invaluable.
- Engage breach counsel. Many cyber policies include pre-approved breach counsel. If not, retain a law firm experienced in Canadian privacy and cyber incidents promptly.
- Do not pay any ransom without insurer and legal approval. Ransom payments may be subject to sanctions regulations, policy conditions, or sublimits. Unauthorized payments can be excluded from coverage.
- Do not communicate publicly about the incident yet. Initial facts are often wrong. Coordinate any external communications through legal counsel and your insurer.
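The two points above that come back to bite organizations most often are the contemporaneous timeline and the integrity of preserved evidence. The following is an added example, not part of this guide or any insurer's toolkit: a small Python tool that keeps an append-only incident timeline in which every entry is chained to the previous one by a SHA-256 hash, and that fingerprints evidence files before anyone touches them. The hash chain means a later "tidy-up" of the record is detectable, which is exactly what you want when an adjuster or regulator asks what was done and when. The names, hostnames, file paths and the sample log line are all constructed for the demo.

```python
"""Tamper-evident incident timeline and evidence manifest (added example).

Each entry records who did what, when, and what was observed, and carries the
hash of the previous entry. Evidence files are hashed before cleanup so their
integrity can be shown later. All sample data below is constructed.
"""
from __future__ import annotations

import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

GENESIS_HASH = "0" * 64  # prev_hash of the very first entry


def _canonical(entry: dict) -> bytes:
    """Stable JSON encoding so the hash does not depend on key order."""
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


def sha256_file(path: Path) -> str:
    """Fingerprint a file in chunks (works for large disk images and log archives)."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


class IncidentTimeline:
    """Append-only JSON-lines log; every entry is chained to its predecessor."""

    def __init__(self, log_path: Path) -> None:
        self.log_path = log_path

    def entries(self) -> list[dict]:
        if not self.log_path.exists():
            return []
        lines = self.log_path.read_text(encoding="utf-8").splitlines()
        return [json.loads(line) for line in lines if line.strip()]

    def append(self, who: str, action: str, observation: str, **extra: str) -> dict:
        """Record an action with a UTC timestamp and chain it to the last entry."""
        previous = self.entries()
        entry = {
            "seq": len(previous) + 1,
            "timestamp": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "who": who,
            "action": action,
            "observation": observation,
            "prev_hash": previous[-1]["hash"] if previous else GENESIS_HASH,
            **extra,
        }
        entry["hash"] = hashlib.sha256(_canonical(entry)).hexdigest()
        with self.log_path.open("a", encoding="utf-8") as f:
            f.write(json.dumps(entry, sort_keys=True) + "\n")
        return entry

    def record_evidence(self, who: str, path: Path) -> dict:
        """Hash an evidence file and log the digest so later changes are detectable."""
        return self.append(who, "evidence_preserved", f"hashed {path.name}",
                           evidence_path=str(path), evidence_sha256=sha256_file(path))

    def verify(self) -> tuple[bool, str]:
        """Recompute every hash and walk the chain; returns (ok, reason)."""
        prev_hash = GENESIS_HASH
        for expected_seq, entry in enumerate(self.entries(), start=1):
            stored = entry.get("hash")
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body.get("seq") != expected_seq:
                return False, f"entry {expected_seq} missing or reordered"
            if body.get("prev_hash") != prev_hash:
                return False, f"entry {expected_seq} is not chained to its predecessor"
            if hashlib.sha256(_canonical(body)).hexdigest() != stored:
                return False, f"entry {expected_seq} was modified after being written"
            prev_hash = stored
        return True, "timeline intact"


def demo() -> dict:
    """Constructed walk-through: three entries, then one entry quietly edited."""
    with tempfile.TemporaryDirectory() as tmp:
        workdir = Path(tmp)
        evidence = workdir / "web01-auth.log"  # constructed sample evidence file
        evidence.write_text("Mar 03 02:14:07 web01 sshd[4121]: Accepted password "
                            "for svc_backup from 203.0.113.9 port 51022\n")
        timeline = IncidentTimeline(workdir / "incident-timeline.jsonl")
        timeline.append("j.lee (helpdesk)", "discovered", "EDR alert: ransom note on FS01")
        timeline.append("j.lee (helpdesk)", "contained",
                        "FS01 switch port disabled; host left powered on for memory capture")
        timeline.record_evidence("m.chen (IT)", evidence)
        intact_before, _ = timeline.verify()

        # Simulate someone rewriting the record after the fact.
        lines = timeline.log_path.read_text(encoding="utf-8").splitlines()
        lines[1] = lines[1].replace("left powered on", "powered off")
        timeline.log_path.write_text("\n".join(lines) + "\n", encoding="utf-8")
        intact_after, reason = timeline.verify()

        return {"entries": len(timeline.entries()), "intact_before": intact_before,
                "intact_after_tamper": intact_after, "reason": reason}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))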
The step-by-step claims process
1 Report the incident to your insurer
Contact your broker or the insurer's claims hotline immediately. Provide the basic facts: what happened, when you discovered it, what systems are affected, and what data may be involved. You don't need a complete forensic picture at this stage — you need to trigger coverage and get access to breach response resources.
2 Insurer acknowledges and assigns a claims adjuster
The insurer will acknowledge your claim, typically within 24–48 hours, and assign a claims professional. For cyber incidents, this adjuster usually has specialized experience with data breach and technology claims.
3 Engage approved breach response vendors
Most cyber policies include pre-approved panels of forensic firms, breach counsel, notification services, and crisis communications specialists. Using panel vendors is often a condition of coverage, and because the insurer has pre-negotiated rates with them it typically pays these costs directly rather than reimbursing you after the fact.
4 Forensic investigation
A digital forensics firm investigates the scope and cause of the incident. This determines what data was accessed or exfiltrated, how the attacker gained entry, and what remediation is needed. The forensic report becomes a central document in the claims process.
5 Legal assessment and regulatory notification
Breach counsel evaluates notification obligations under PIPEDA, applicable provincial privacy laws, and any contractual requirements. If the breach creates a real risk of significant harm to an individual, PIPEDA requires you to report it to the Privacy Commissioner of Canada and notify affected individuals as soon as feasible. PIPEDA also requires you to keep a record of every breach of security safeguards, whether or not it met the notification threshold, for 24 months, which is another reason the incident timeline matters. Provincial frameworks like Quebec's Loi 25 and Alberta's PIPA have their own reporting requirements and timelines.
6 Notification and credit monitoring
If notification is required, the insurer covers the costs of notifying affected individuals and providing credit monitoring services. The scale depends on the number of affected records and the sensitivity of the data involved.
7 Business interruption assessment
If the incident caused a system outage that affected revenue, the insurer will assess business interruption losses. This typically requires financial records showing the revenue impact during the interruption period compared to normal operations.
8 Claim settlement and resolution
Once the investigation is complete, costs are documented, and any third-party claims or regulatory matters are resolved, the insurer settles the claim. Complex claims involving litigation or regulatory proceedings can take months or longer to fully resolve.
Documentation you'll need
The more organized your documentation, the smoother the claims process. Here's what insurers typically require:
Essential claim documentation
- Incident timeline: When the incident was discovered, what was observed, containment actions taken, and when each step occurred.
- Policy information: Your cyber insurance policy number, effective dates, and coverage limits.
- Forensic report: From the approved forensic vendor, detailing the attack vector, scope of compromise, data affected, and remediation steps.
- Financial loss documentation: Business interruption calculations, extraordinary expenses incurred during the incident, and any ransom demands or payments.
- Breach notification records: Proof of notifications sent, credit monitoring enrollment, and regulatory filings.
- Security posture evidence: Documentation of the security controls you had in place at the time of the incident — this is where your pre-incident documentation pays for itself.
- Third-party correspondence: Any demands, claims, or regulatory correspondence related to the incident.
Realistic claims timeline
Cyber claims move through distinct phases, and the timeline depends heavily on the complexity of the incident:
- Day 1–2: Initial report, insurer acknowledgment, breach counsel and forensic firm engaged.
- Days 2–14: Forensic investigation, scope determination, containment and remediation.
- Days 7–30: Legal assessment of notification obligations, regulatory reporting where required.
- Days 14–60: Individual notification, credit monitoring setup, business interruption assessment.
- Months 2–12+: Claim settlement, resolution of any third-party claims or regulatory matters, final payment.
Straightforward incidents with limited data exposure can resolve within 60–90 days. Complex incidents involving litigation, significant business interruption, or regulatory proceedings can take considerably longer.
Common mistakes that reduce or void recovery
Mistakes that can damage your claim
- Delayed notification. Most policies require notice "as soon as practicable." Waiting weeks to report can give the insurer grounds to deny or reduce the claim.
- Destroying evidence. Reimaging systems or deleting logs before forensic investigation is complete destroys the evidence needed to support your claim and satisfy regulatory requirements.
- Using non-approved vendors. Many policies require you to use panel vendors for forensic, legal, and notification services. Using your own vendors without approval may mean those costs aren't covered.
- Paying ransoms without authorization. Ransom payments made without insurer and legal counsel approval may be excluded from coverage, especially if the recipient is a sanctioned entity.
- Inadequate pre-incident documentation. If you can't demonstrate the security controls you claimed to have in your insurance application, the insurer may challenge coverage based on misrepresentation.
- Public statements before legal review. Inaccurate or premature public statements about the incident can create legal exposure and complicate the claims process.
- Failing to cooperate with the insurer. Most policies include a cooperation clause. Failing to provide requested information or access can delay or jeopardize payment.
The pattern is clear: most claims problems stem from actions taken (or not taken) in the first 72 hours. Having an incident response plan that includes immediate insurer notification and evidence preservation procedures prevents the majority of these issues.
Is Your Current Policy Actually Usable?
Many businesses discover claim process gaps only after an incident occurs. CyberAgency's Gap Analyzer reviews your existing policy for coverage weaknesses before you need to file a claim.
FAQ
How long does a cyber insurance claim take?
Initial insurer response typically occurs within 24–48 hours. Complex claims involving forensic investigation, data recovery, and privacy notification can take 3–12 months to fully resolve. Breach response services are usually engaged within hours of the initial report.
What documentation do I need for a cyber insurance claim?
You'll need the incident timeline, affected systems and data, forensic investigation reports, proof of security controls, breach notification records, financial loss documentation, and any regulatory correspondence. Organized documentation significantly smooths the process.
What are the most common cyber insurance claim mistakes?
The most costly mistakes include delaying notification to the insurer, failing to engage approved breach vendors, destroying evidence during remediation, paying ransoms without insurer or legal counsel approval, and not documenting the incident timeline as it unfolds.
Does cyber insurance cover ransomware payments?
Most Canadian cyber policies include ransomware coverage, but terms vary widely. Some sublimit ransom payments, some require legal review before payment approval, and certain policies may exclude payments to sanctioned entities. Always check your specific policy wording and consult breach counsel before paying.
Sources
- Office of the Privacy Commissioner of Canada — PIPEDA breach reporting and notification guidance.
- Canadian cyber insurance claims handling practices and policy forms, 2025–2026.
- Incident response and digital forensics best practices for Canadian organizations.