Dear Mary,

Our company experienced a cybersecurity incident. It seemed pretty minor — just a few suspicious emails and an employee’s account being locked. To my dismay, we’re now hearing from our IT team that the issue is more serious. We have cyber insurance, but we didn’t notify our carrier right away. Did we make a mistake? When should I reach out to our insurance provider?

– Unsure Insured of San Francisco

March 18, 2025

Dear Unsure Insured,

Your questions are ones that many entities wrestle with during an active incident. Cyber insurance policies are designed to help businesses respond to incidents effectively, but coverage may depend on timely notification according to the insurance carriers’ requirements. Waiting too long — or failing to notify at all — could put your ability to recover costs at risk.

Early notification is key. Most policies require notification within a specific timeframe. If an incident later escalates into something more serious — like data theft or system downtime — and you haven’t informed your carrier, you may be setting yourself up for some difficult conversations concerning coverage.

Beyond policy requirements, notifying your carrier early has some practical benefits. For instance, cyber insurers maintain a network of specialized resources to help their insureds respond effectively to cybersecurity incidents. These resources (often called on-panel vendors) may include legal counsel, forensic firms, data mining services, threat actor negotiation firms, and public relations support. If you notify promptly, you may be able to leverage these experts to assess the situation, contain the threat, recover systems, and comply with legal obligations — often at reduced or even no cost to your organization beyond the policy deductible. This can significantly reduce the impact of the incident on your business.

To avoid scrambling during an incident, take these steps now:

  1. Review your policy to understand notice requirements and coverage triggers.
  2. Establish an incident response plan that includes when and how to notify your carrier.
  3. Connect with pre-approved vendors ahead of time to ensure agreements are in place before an incident occurs. Many insurers require use of specific legal, forensic, and recovery firms; establishing these relationships before an incident can speed up response time. Incidentally, Troutman Pepper Locke is a pre-approved law firm for certain insurance carriers.

Cyber insurance is a great tool to have in your arsenal, but like any tool, its effectiveness depends on knowing how to use it properly.

Signing off,

— Mary

‘Dear Mary’ is Troutman Pepper Locke’s cybersecurity advice column, brought to you by its Incidents + Investigations team. Through this column, “Mary” responds directly to her readers’ questions, covering all things related to incident response, data breach, and cybersecurity. Have a question about security incidents, forensic investigations, data breaches, or preventing/managing the legal and regulatory challenges that follow? Reach out to have your question answered. Of course, answers provided will be general in nature and should not be considered legal advice. If you need legal advice or representation, please contact one of our attorneys directly. ‘Dear Mary’ also can be found here on the firm’s website.