A cybersecurity incident is one of the most operationally disruptive events a business can experience. Systems go down without warning. Data may be compromised. Customers and vendors begin asking questions. Employees who have never trained for this moment are suddenly being asked to make consequential decisions under severe time pressure. Leadership is overwhelmed, and the instinct is to act decisively and immediately to regain control.
In this environment, organizations regularly make decisions in the first 24 to 48 hours that seem entirely reasonable in the moment but that inadvertently jeopardize their insurance coverage. Some of these decisions involve what not to do — not notifying the insurer quickly enough, not preserving evidence, not following the policy’s procedural requirements. Others involve what people do say — communications to customers, employees, or the public that create admissions or waive legal protections. The result is that businesses suffering genuine, covered losses end up in coverage disputes that were entirely preventable.
This page identifies the most common coverage-threatening mistakes businesses make during a cyber incident and explains what to do instead. The goal is not to add bureaucratic complexity to an already difficult situation but to help businesses understand which decisions carry the highest legal and coverage risk so they can be made deliberately rather than reactively.
Notify Your Insurer Before You Do Almost Anything Else
The single most important coverage-preservation step during a cyber incident is providing timely notice to your insurer. Most cyber policies require notice “as soon as practicable” or within a specified time window after discovering a covered event. The notice requirement is a condition of coverage — it is not a formality, a courtesy, or a procedural technicality. Failure to comply can void the policy entirely or provide the insurer with a basis to deny coverage for the entire claim.
The most common reason businesses provide late notice is the instinct to investigate first and understand what happened before informing the insurer. This instinct is entirely understandable. No business leader wants to call their insurer and say “something may have happened but we don’t know what.” The pressure to present a clear picture before making contact feels like responsible management. In the context of insurance notice requirements, it is legally dangerous. The clock on the notice obligation begins running when a covered event is discovered — not when it is fully understood.
The practical guidance is straightforward: call your insurer’s claims hotline and your insurance broker on day one, even if you know only that something suspicious has occurred. “We have detected what appears to be a security incident and are in the early stages of investigation” is sufficient initial notice — it satisfies the policy’s timing requirement and leaves room to provide additional detail as the investigation develops. Waiting for complete information before making that call is how coverage gets denied. Keep the insurer’s claims contact information saved somewhere accessible outside your systems — a number on your phone or in a paper document — because if you are experiencing a ransomware attack, that information may not be reachable through your normal network.
Privilege — Why Your Attorney Should Come Before Your Insurer
Attorney-client privilege is one of the most important legal protections available to a business navigating a cyber incident, and it is one of the protections most easily inadvertently waived in the chaos of incident response. Business owners who do not think about privilege at the outset of an incident routinely make communications that they later wish they had protected.
When a business communicates with its outside attorney about a legal matter, those communications are protected by attorney-client privilege. The insurer cannot demand to see them. Regulators generally cannot compel their disclosure. Plaintiffs suing the company for the breach cannot obtain them in discovery. But when those same communications — the same candid assessments of what happened, what the security failures were, what the liability exposure looks like — are shared with the insurer without going through an attorney, the privilege may be waived, and those communications become potentially discoverable.
For this reason, the recommended sequence at the outset of any cyber incident is: call your outside legal counsel first, explain the situation as you understand it, and receive legal advice about your obligations and your rights. Then notify the insurer, with your attorney involved in or guiding what is communicated. This preserves attorney-client privilege over the most sensitive internal assessments and legal communications while still satisfying the policy’s notice requirement. It is not about concealing information from the insurer — it is about ensuring that your most candid internal communications receive the legal protection they deserve.
Approved Vendor Panels — Do Not Bypass Them
Cyber insurance policies typically condition coverage for incident response costs on the use of vendors from the insurer’s pre-approved panel. The approved panel includes forensic investigation firms, breach counsel law firms, public relations agencies, and notification vendors. The insurer has negotiated rates with these vendors, vetted their capabilities, and integrated them into the claims process. Using a vendor outside the approved panel without the insurer’s prior written authorization creates a real and significant risk that those costs will not be reimbursed.
This is a source of genuine frustration for businesses that have existing relationships with IT consultants, law firms, or communications agencies they trust. The desire to bring in familiar professionals during a crisis is completely natural. But if your regular IT firm is not on the insurer’s approved panel, engaging them for forensic investigation without authorization means you may be paying for that work out of pocket. The approved panel requirements are coverage conditions, not suggestions.
There is one important and deliberate exception to this rule. Retaining your own independent legal counsel — separate from the insurer-appointed breach counsel — is not only permissible but often advisable. The insurer-appointed breach counsel manages the technical legal response to the incident on the insurer’s terms. Your own counsel represents your interests, advises you about your rights under the policy, and protects you if coverage disputes arise. This is entirely different from bypassing the approved forensic firm or notification vendor. For operational response vendors, use the approved panel unless you have explicit written insurer authorization to do otherwise. For independent legal advice about your own position, retain your own counsel regardless of what the approved panel says.
Admissions of Liability — What NOT to Say
Insurance policies across virtually every line of coverage include a condition prohibiting the insured from making voluntary admissions of liability or assuming obligations without the insurer’s prior written consent. In a cyber incident, the pressure to communicate publicly and reassuringly is intense. Customers want to know what happened to their data. Employees want to understand the situation. The press may be asking questions. There is a genuine and legitimate desire to express concern for affected individuals and to project transparency and accountability.
The problem is that public communications drafted under this kind of pressure, without legal review, frequently contain statements that constitute admissions of liability. “We take full responsibility for what happened to your data” is an admission. “Our security systems failed to protect your information” is an admission. “We should have done more to prevent this” is an admission. Statements like these can be used against the company in regulatory proceedings, in litigation by affected individuals, and by insurers investigating whether the company’s security failures were so fundamental as to implicate a policy exclusion.
Every external communication related to the incident — press releases, customer notification letters, social media posts, website statements, regulatory filings — should be reviewed by legal counsel before it is published or sent. This review does not need to take days. A breach counsel attorney experienced in incident response can turn around a reviewed communication quickly. The instruction to employees is equally important: no one outside of the formal communications chain should be making statements about the incident, and employees who interact with customers, vendors, or media should be given explicit guidance about what they can and cannot say. Empathy and transparency can be expressed without admissions of legal liability; with proper legal guidance, the two goals are not in conflict.
Documentation — What to Capture From Day One
A successful insurance claim requires the insured to substantiate its losses with adequate documentation. Many cyber claims are underpaid not because the coverage does not apply but because the business cannot produce sufficient documentation of what the loss actually was. Starting the documentation process from the moment of discovery — even in the midst of the crisis — is essential.
A timeline of events is the foundation of the claim documentation: when was the anomaly first detected, by whom; when was it escalated to leadership; when was it confirmed as a security incident; what containment steps were taken and when; when was the insurer notified; what response actions were authorized and when. This timeline needs to be created in real time, not reconstructed from memory weeks later, because the memory of exact sequences deteriorates quickly and reconstruction invites inconsistencies.
All response costs should be tracked as they are incurred: invoices from forensic firms and legal counsel, notification vendor fees, credit monitoring service costs, overtime costs for internal IT staff, costs of temporary systems or services brought in to maintain business operations. Business interruption losses require their own documentation: daily revenue records from the affected period, documentation of what normal revenue looked like in a comparable prior period, records of any extra expenses incurred to work around the systems disruption. If a ransom payment is made, documentation must include cryptocurrency wallet addresses, the amount paid, the OFAC sanctions screening results, and any communications with the attackers. Every dollar claimed on the insurance policy needs an evidentiary basis.
Communication Between Legal, IT, and the Insurer — Who Says What
One of the less obvious but important coverage-preservation challenges in a cyber incident is managing the flow of information between the technical response team, the legal team, and the insurer. These three groups have different needs, different perspectives, and different audiences, and information that serves one purpose may harm another if communicated without care.
The forensic team’s investigation report documents precisely what happened technically: how the attacker gained initial access, what vulnerabilities were exploited, what security controls failed or were absent, how long the attacker was present before detection. This is exactly the information the insurer needs to understand the claim. It is also exactly the information that, in the wrong hands or communicated without legal framing, constitutes an admission about the company’s security posture that can be used by regulators, plaintiffs, or the insurer itself in a coverage dispute. Raw forensic reports shared directly with the insurer before legal counsel has reviewed them may waive privilege and create problems that could have been avoided.
The standard practice for managing this tension is to have all forensic investigation work conducted at the direction of legal counsel. When forensic work is performed at a lawyer’s direction for purposes of providing legal advice, it may qualify as attorney work product, which is a separate and additional privilege protection. Communications with the insurer should then be managed and reviewed by legal counsel before transmission. This structure does not withhold coverage-relevant information from the insurer — it ensures that information is provided in a legally sound manner that protects the business’s interests. Establishing this structure at the outset of the incident, before any reports are drafted or shared, is far easier than trying to impose it after the fact.
