The Process Nobody Explains Until You Need It
You have cyber insurance. Something bad just happened. Now what? Most organizations have never filed a cyber claim before. The process is unfamiliar, the terminology is confusing and the stakes are high. We have worked the vendor side of hundreds of engagements; here is what actually happens from the moment you pick up the phone.
Phase 1: Notification (Day 1)
The clock starts the moment you discover the breach. Most cyber insurance policies have strict notification requirements, often 24-72 hours from discovery. Miss this window and you risk coverage complications.
Call your carrier's claims hotline. Not your broker's main line, not the general inquiries number. The claims hotline. This is the number on your policy declarations page, usually under "How to Report a Claim." When you call, have these details ready:
- Your policy number
- When the breach was discovered
- What type of incident it appears to be (ransomware, business email compromise, data exfiltration)
- Whether operations are currently disrupted
- Whether you believe customer data may be affected
The carrier assigns a claims adjuster and, in most cases, immediately activates their vendor panel. This is where we come in.
Phase 2: Triage (Days 1-3)
The carrier contacts an approved forensic vendor. If you have requested Sherlock Forensics specifically, they contact us. If not, they assign a vendor from their panel. Either way, a forensic examiner calls you within hours.
The triage call covers the immediate situation. We need to understand what systems are affected, whether the attack is still active, what evidence exists and what containment steps have been taken. Based on this call, we provide immediate guidance: what to isolate, what to preserve and what not to touch.
Remote evidence collection often begins during triage. We deploy collection tools to start acquiring forensic images, logs and memory dumps while the full investigation scope is still being defined. Logs rotate and memory is lost at reboot, so every hour of evidence preserved now is an hour the investigation will not have to reconstruct later.
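The preservation step above only holds up later if every collected artifact can be shown to be unchanged since acquisition. The following is an added illustration, not Sherlock Forensics' collection tooling: it builds a hash manifest for a set of collected artifacts and re-verifies them, flagging anything missing or altered. The artifacts, collector name and timestamps are constructed sample values held in memory so the block runs offline; in practice the inputs are the image, log and dump files on the collection share.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed stand-ins for collected evidence (hypothetical names and content).
# Real collections hold disk images, exported logs and memory dumps instead.
ARTIFACTS = {
    "FS01-memory.raw": b"\x00" * 4096 + b"MZ\x90\x00constructed-sample-bytes",
    "vpn01-auth.log": b"2024-03-02 23:41:07 -0500 vpn01 auth: user=jsmith result=success\n",
}
COLLECTOR = "examiner-placeholder"                                   # assumed name
COLLECTED_AT = datetime(2024, 3, 3, 15, 10, tzinfo=timezone.utc)     # constructed


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an artifact's full content."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(artifacts: dict, collector: str, collected_at: datetime) -> dict:
    """Record who collected what, when, and the hash and size of each item.

    Items are sorted by name so the manifest serializes deterministically,
    which lets the manifest itself be hashed and cited as a single value.
    """
    return {
        "collector": collector,
        "collected_at": collected_at.isoformat(),
        "items": [
            {"name": name, "size": len(data), "sha256": sha256_hex(data)}
            for name, data in sorted(artifacts.items())
        ],
    }


def manifest_digest(manifest: dict) -> str:
    """Hash of the canonical JSON form of the manifest, for the custody record."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":"))
    return sha256_hex(canonical.encode("utf-8"))


def verify_manifest(manifest: dict, artifacts: dict) -> list:
    """Return the names of manifest items that are now missing or altered.

    An empty list means every artifact still matches what was collected.
    """
    problems = []
    for item in manifest["items"]:
        data = artifacts.get(item["name"])
        if data is None or len(data) != item["size"] or sha256_hex(data) != item["sha256"]:
            problems.append(item["name"])
    return problems


if __name__ == "__main__":
    manifest = build_manifest(ARTIFACTS, COLLECTOR, COLLECTED_AT)
    print(json.dumps(manifest, indent=2))
    print("manifest sha256:", manifest_digest(manifest))
    print("verification problems:", verify_manifest(manifest, ARTIFACTS))
```

The manifest digest is the one value worth writing into the custody log: anyone who later receives the evidence can regenerate the manifest from the files, compare the digest, and know in one step whether the whole set is intact.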
Phase 3: Investigation (Days 3-21)
This is the core of the engagement. The forensic investigation answers the questions everyone needs answered:
- How did the attacker get in? (initial access vector)
- When did they get in? (dwell time)
- What did they access? (scope of compromise)
- Was data exfiltrated? (data loss determination)
- Are they still in the environment? (persistence check)
- What systems were affected? (blast radius)
We analyze forensic images, correlate log data, examine malware samples and reconstruct the complete attack timeline. Throughout this phase, we provide regular status updates to the carrier, the insured's legal counsel and the claims adjuster. These updates are typically weekly but can be more frequent for high-severity incidents.
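The correlation work described above comes down to one mechanical problem before any analysis can start: evidence from different systems arrives with different timestamp formats and time zones, and it has to be normalized to a single clock before the order of events, and therefore the dwell time, means anything. The block below is an added example, not Sherlock Forensics' tooling. It takes three constructed sources (a VPN authentication log with a local UTC offset, a Windows event export in CSV, and a JSON alert with an epoch timestamp), normalizes everything to UTC, sorts it into one timeline in which each entry cites the artifact and line it came from, and computes dwell time against a constructed discovery time. Host names, users, addresses and timestamps are all sample values.

```python
import csv
import io
import json
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample evidence. The three sources use different timestamp
# conventions on purpose; that mismatch is the normal case in a real collection.
VPN_LOG = """\
2024-03-02 23:41:07 -0500 vpn01 auth: user=jsmith result=success src=203.0.113.45
2024-03-03 01:12:55 -0500 vpn01 auth: user=jsmith result=success src=203.0.113.45
"""
WIN_EVENTS_CSV = """\
TimeCreated,EventID,Computer,Message
2024-03-03T06:47:10Z,4624,FS01,An account was successfully logged on: jsmith (logon type 10)
2024-03-03T06:52:33Z,7045,FS01,A service was installed in the system: svc_update
"""
EDR_ALERTS = """\
{"ts": 1709473260, "host": "FS01", "alert": "Ransomware behaviour: mass file rename"}
"""
# Constructed: when the insured's staff confirmed the incident.
DISCOVERED_AT = datetime(2024, 3, 3, 14, 5, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Event:
    when: datetime      # always timezone-aware UTC after parsing
    source: str         # evidence citation: artifact name and line/row number
    host: str
    description: str


def parse_vpn_log(text: str, source: str = "vpn01 auth.log") -> list:
    """Lines carry a local time with a numeric UTC offset; convert to UTC."""
    events = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = re.match(r"(\S+ \S+ [+-]\d{4}) (\S+) auth: (.*)", line)
        if not m:
            continue
        when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S %z").astimezone(timezone.utc)
        events.append(Event(when, f"{source}:{lineno}", m.group(2), m.group(3)))
    return events


def parse_windows_csv(text: str, source: str = "FS01 event export.csv") -> list:
    """TimeCreated is ISO 8601 with a trailing Z, i.e. already UTC."""
    events = []
    for rowno, row in enumerate(csv.DictReader(io.StringIO(text)), 1):
        when = datetime.strptime(row["TimeCreated"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        desc = f"EventID {row['EventID']}: {row['Message']}"
        events.append(Event(when, f"{source}:row {rowno}", row["Computer"], desc))
    return events


def parse_edr_alerts(text: str, source: str = "EDR alert export.jsonl") -> list:
    """Epoch seconds are unambiguous; attach UTC explicitly rather than local time."""
    events = []
    for lineno, line in enumerate(text.splitlines(), 1):
        rec = json.loads(line)
        when = datetime.fromtimestamp(rec["ts"], tz=timezone.utc)
        events.append(Event(when, f"{source}:{lineno}", rec["host"], rec["alert"]))
    return events


def build_timeline(*event_lists) -> list:
    """Merge all sources into one list ordered by normalized UTC time."""
    return sorted((e for lst in event_lists for e in lst), key=lambda e: e.when)


def dwell_time(timeline: list, discovered_at: datetime) -> timedelta:
    """Earliest attacker-attributed event to discovery; the page's 'dwell time'."""
    return discovered_at - timeline[0].when


def render(timeline: list) -> list:
    """One citation-bearing line per event, as it would appear in the report."""
    return [f"{e.when.strftime('%Y-%m-%dT%H:%M:%SZ')}  {e.host:<6} [{e.source}] {e.description}"
            for e in timeline]


TIMELINE = build_timeline(parse_vpn_log(VPN_LOG), parse_windows_csv(WIN_EVENTS_CSV),
                          parse_edr_alerts(EDR_ALERTS))

if __name__ == "__main__":
    print("\n".join(render(TIMELINE)))
    print("dwell time:", dwell_time(TIMELINE, DISCOVERED_AT))
```

Two design points carry over to real engagements. Every parser converts to an aware UTC datetime at the boundary, so a source whose clock offset was mis-recorded is a parser fix rather than a rewrite of the analysis, and every event keeps the artifact and line it came from, which is what lets the report's timeline cite its evidence entry by entry.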
The investigation also identifies what data was potentially accessed or exfiltrated. This determination drives everything that follows: breach notification obligations under PIPEDA, regulatory reporting requirements and the financial scope of the claim.
Phase 4: Forensic Report (Days 14-28)
The forensic report is the most important document in the entire claims process. It is the evidentiary foundation for the claim, the basis for regulatory notifications and potentially the centerpiece of future litigation.
Our reports include:
- Executive summary for non-technical stakeholders
- Complete attack timeline with forensic evidence citations
- Scope of compromise detailing every affected system and data type
- Data exfiltration analysis with evidence supporting the determination
- Root cause analysis identifying the initial vulnerability and contributing factors
- Remediation recommendations prioritized by risk
The report is written for multiple audiences simultaneously. The adjuster needs it to process the claim. Legal counsel needs it for notification decisions. The insured's IT team needs it for remediation. And if the case goes to litigation, a judge needs to understand it. We write for all of them.
Phase 5: Remediation (Days 21-45)
With the investigation complete and the threat actor evicted, the focus shifts to hardening the environment. Remediation is often partially covered under the cyber policy's restoration expense provisions.
We provide detailed remediation guidance: specific vulnerabilities to patch, configuration changes to implement, access controls to tighten and monitoring improvements to deploy. Some organizations handle remediation internally. Others engage us for remediation verification, where we confirm that the recommended changes were properly implemented.
Phase 6: Claim Resolution (Days 30-120)
With the forensic report in hand, the claims adjuster processes the claim. They review the report against the policy terms to determine what costs are covered, apply the deductible and calculate the payout.
Common covered costs include forensic investigation fees, breach notification costs (mailing, credit monitoring), legal fees for regulatory response, business interruption losses and crisis management expenses. The forensic report provides the evidence the adjuster needs to justify each covered expense.
Claims that are well-documented with thorough forensic reports resolve faster and with fewer disputes. This is one of the reasons choosing the right forensic vendor matters. A vendor who produces clear, comprehensive reports makes the adjuster's job easier, which means your claim gets processed faster.
What You Can Do Now
If you have cyber insurance and have never thought about how a claim would actually work, now you know. The single best thing you can do today is find your carrier's claims hotline number and put it somewhere you can find it during a crisis. The second best thing is to pre-approve a forensic vendor so that when the call comes, there is no delay in getting the right team engaged.