Cyber incident notification | UK Insurance Wiki

Category: Claims handling · Reviewed by Jake Leat, Associate Director · Last reviewed 2026-06-11

Cyber incident notification is the process of informing the cyber insurer (and the regulators) of a confirmed or suspected cyber event that may trigger cover under the cyber policy. It is typically time-critical and triggers coordinated incident-response activity.

Definition

Cyber incidents (ransomware, data breach, business email compromise, denial of service, supply-chain attack) are now the fastest-growing class of claim notification across most commercial insureds. The cyber policy’s effective response depends on prompt notification because the insurer’s panel incident-response team is the principal mechanism for containing the damage.

Notification must be made within the policy’s defined notification window (often 24-72 hours of discovery) and typically through a 24-hour notification line operated by the cyber insurer or its breach-response coordinator.

Legal / Regulatory basis

The framework includes:

The Insurance Act 2015 section 11 applies to the cyber policy’s notification provisions. Late notification will not automatically defeat cover unless the lateness increased the risk of the loss.

How it works in practice

Cyber notification typically runs:

Hour 0: incident discovered by the insured’s IT team.

Hour 1-4: insured’s senior management briefed. Decision taken to engage the cyber insurer.

Hour 4-12: notification to the cyber insurer through the 24-hour notification line. The line is staffed by the breach-response coordinator who assesses the incident, allocates the appropriate panel team and begins coordinating response.

Hour 12-24: panel team mobilised — typically a panel forensic IT firm to investigate the incident; a panel breach lawyer to coordinate legal aspects (regulator engagement, contractual notification, customer communication); sometimes a public-relations firm for major reputation events.

Hour 24-72: containment and assessment. Decision on ransomware payment (where applicable; subject to OFSI sanctions screening and other constraints). Notification to the ICO if personal data has been affected. Notification to other regulators as required.

Days 4-14: ongoing investigation and recovery. Substantive coverage decision by the cyber insurer.

The cyber policy’s first-party covers typically include:

Third-party covers respond to claims by affected individuals, customers and counterparties.

For the insured, the discipline of notification matters because the panel team’s effectiveness depends on early engagement. An insured that delays notification while attempting to handle the incident in-house may consume coverage and may face late-notification arguments, which fall to be assessed under section 11 of the Insurance Act 2015.

For the insurer, the notification is the trigger for coverage analysis and reserve setting. The breach-response coordinator’s first 24-48 hours of work shape both.

Common variations

“Confirmed incident notification” — the insured has confirmed a cyber event has occurred.

“Suspected incident notification” — the insured suspects but has not confirmed an event; precautionary notification to engage the panel team for triage.

“Circumstance notification” — the insured has identified a vulnerability or near-miss; precautionary notification under claims-made cyber wording.

“Multi-jurisdiction notification” — for events affecting multiple jurisdictions, coordinated notification to ICO and overseas data protection authorities.

“Group-wide notification” — for events affecting multiple group entities, coordinated notification across the group’s cyber programme.

Example

A retailer’s IT team detects unauthorised access to the payment-card processing environment at 04:47 on a Saturday. By 07:00 the team has determined that the access was real and likely involves data exfiltration.

Notification to the cyber insurer’s 24-hour line at 07:30. The breach-response coordinator engages:

Sunday: forensic investigation confirms exfiltration of approximately 270,000 payment card records and 90,000 customer records (name, email, postal address). Lawyer-coordinated notification to the ICO at 17:30 on the Sunday — within the 72-hour requirement of Article 33 UK GDPR. Notification to the payment-card scheme regulators on Monday.

Week 1: containment confirmed; affected customers notified by email and post. Public statement issued.

Week 2-4: forensic investigation continues; breach-related costs continue. Estimated first-party costs by end of week 4: £1.4m (forensic £600k, legal £350k, PR £150k, customer notification £180k, regulator engagement £120k).

Months 2-6: third-party claims emerge. The retailer’s cyber policy responds to first-party costs (within sublimit) and third-party claims. Total cover used: £3.8m by month 6.

Regulatory: ICO investigation continues with potential fine to follow. Card-scheme fines processed through the scheme regulators. Total exposure across all heads estimated at £6-8m.

References

  1. UK GDPR; Data Protection Act 2018, Article 33.
  2. Network and Information Systems Regulations 2018 (SI 2018/506).
  3. Insurance Act 2015.
  4. FCA Handbook, SUP 15.3 (notifications).

Last reviewed

By Matt Bartlett, Director, on 2026-06-11. Next review: 2026-12-11.


This entry is part of the Apex Insurance Wiki. Last reviewed by Matt Bartlett on 2026-06-11. Apex Insurance Brokers Limited, FCA FRN 724952, Companies House 07014570. Not regulated advice — consult your broker on your specific position.
