Timely Reporting Can Be the Deciding Factor in Cyber Insurance

Cyber risk is manageable. We repeat this mantra to brokers, policyholders, and anyone else who’s willing to listen. But it’s only manageable if everyone involved is on the same page.

When Coalition detects a new cyber threat, we immediately notify our policyholders and encourage them to swiftly remediate the risk. Similarly, if a policyholder notices something unusual, we want them to promptly report it to us so we can help.

Speed and responsiveness are essential when it comes to managing cyber risk, yet some don’t call us until it’s too late. There are many reasons businesses may hesitate to report suspicious activity. Some might not realize how serious an issue is, while others simply deny that anything is wrong.

Active Insurance is intentionally designed to encourage policyholders to ask questions and seek guidance about potential cyber incidents without fear of triggering a costly investigation or claim. Coalition’s Active Cyber Policy acknowledges and rewards policyholders for taking proactive security measures, like reduced retentions for swift reporting.

Businesses often equate reporting suspicious activity with filing a formal claim under their policy, but that’s not always the case. Below, we’ll explore exactly what happens once a cyber issue is reported to Coalition and how timely reporting can significantly reduce the likelihood of a bigger, and more costly, problem for your business.

Active Insurance is intentionally designed to encourage policyholders to ask questions and seek guidance about potential cyber incidents without fear of triggering a costly investigation or claim

Timely reporting results in positive outcomes

Businesses have been conditioned to be judicious in what they report to traditional insurers out of concern for substantial costs, increased premiums at renewal, and other repercussions. Coalition’s approach to cyber insurance is different.

With Coalition’s cyber insurance, timely reporting of a cyber issue can be the deciding factor in whether a matter develops into a costly claim. In fact, 56% of all matters reported to Coalition were handled without any out-of-pocket payments by the policyholder.

Streamlined response to reported incidents

If a policyholder encounters something suspicious, like a phish-y email, we encourage them to contact us immediately. And if we’re going to ask policyholders to contact us at the first sign of concern, it’s only right that we respond with the same expediency.

Coalition’s 24/7 claims hotline is staffed around the clock, and policyholders are able to get help at any time of day. Our full response protocol typically involves three phases: assessment, investigation, and recovery.

1. Assessment: When a policyholder reports a cyber issue to Coalition, our claims handlers provide an initial assessment and triage the matter. The primary goal is to determine if the policyholder is facing a security threat and what experts may be needed to assist the policyholder to quickly remediate the threat and any losses, thereby avoiding the need to file a claim. 

2. Investigation: If a cyber incident is confirmed, a full investigation may be needed. For ransomware, extortion, and business email compromise events, claims handlers will engage incident response experts to work with breach counsel to investigate how and where the compromise originated. The claims team is involved throughout the investigation.

3. Recovery: In parallel with the forensic investigation, claims handlers will work with policyholders to determine whether additional support for remediation and restoration is needed, and provide recommendations on how the policyholder can improve their security posture in the future.

What differentiates Coalition’s streamlined process from other cyber insurance providers is the extent to which its internal and external cybersecurity experts can assess policyholder’s potential security incidents before they evolve into costly losses.

Rapid Response Services

Rapid Response Services often come into play during the assessment process. If the severity of a cybersecurity incident is unclear, the claims handler may seek a cyber forensic expert, such as Coalition Incident Response (CIR),* to evaluate the situation. 

Every Coalition Active Cyber Policy includes access to initial breach response services provided by security experts and two hours of consultation from a breach counsel on our panel to help remove ambiguity about accessing Rapid Response Services, including legal, forensic, and IT support. 

These services can help policyholders address cybersecurity concerns before they develop into active breaches, an approach that’s financially beneficial. Policyholders can use Rapid Response Services without depleting their policy limits, thereby reducing their potential out-of-pocket expenses.

In many cases, Coalition policyholders report spoofed emails that don’t result in a claim. But flagging anything suspicious is better than waiting. For example, if a business waits until encryption is present in a ransomware event, recovery costs and time can increase significantly.

Empowering policyholders to reach out is necessary when triaging and mitigating risks that have the potential to develop into larger claims. Matters that are resolved before evolving into costly losses appear on the policyholders’ loss runs but show a $0 loss. Zero-dollar losses on closed claims are generally viewed the same as loss runs with no claims at all.

Clawing back stolen funds

When a policyholder contacts Coalition to report a funds transfer fraud (FTF) event, we work to recover the wrongly transferred funds. Threat actors typically attempt to move stolen funds across various jurisdictions to cover their tracks, and we work with U.S. government entities to stop payments or track down and “claw back” the funds.

The first 72 hours are critical to a successful FTF clawback. If we’re notified of the event promptly, we have a significantly higher chance of recovering the funds. 

The first 72 hours are critical to a successful FTF clawback. If we’re notified of the event promptly, we have a significantly higher chance of recovering the funds. 

In 2024, Coalition successfully clawed back more than $31 million in fraudulent transfers with an average recovery of $278,000 in instances where recovery was successful. In one case, Coalition successfully clawed back all but $405 in a $3.5 million FTF incident and the policyholder never had to file a claim. 

In addition, Coalition’s Active Cyber Policy rewards fast action. Policyholders that report FTF incidents within 72 hours can receive a lower FTF retention upon renewal.**

Brokers can empower clients to report suspicious activity

Access to Coalition’s Rapid Response Services can significantly enhance a business’ security posture by helping them to immediately address security concerns and also prepare them to better handle future threats.

Where other cyber insurance providers may help a policyholder who has experienced a loss, Coalition takes an active approach by helping them avoid losses in the first place.

But it all depends on swift and timely reporting.

Cyber insurance policyholders should always feel comfortable reaching out to Coalition’s claims team and asking questions, even if they’re unsure of what’s wrong. Coalition’s expert claims handlers provide policyholders with immediate support and can identify other rapid response services to assist in avoiding a cybersecurity incident. 

Reporting suspicious activity quickly can be the difference between a full recovery and a multimillion-dollar cyber claim. The more brokers and other cyber insurance providers promote this concept, the better off policyholders will be.

INNOVATIVE COVERAGE. EXPANDED PROTECTION.

Meet the Next Generation of Active Insurance

Explore Coalition’s new Active Cyber Policy >

Coalition’s new Active Cyber Policy referenced in this blog is offered in the U.S. by Coalition Insurance Solutions Inc., a licensed insurance producer and surplus lines broker (Cal. license # 0L76155) acting on behalf of a number of unaffiliated insurance companies on a non-admitted basis. See licenses and disclaimers. *Coalition Incident Response, Inc. (CIR) dba Coalition SecurityTM, is an affiliate of Coalition Inc. CIR services are offered to Coalition policyholders as an option via Coalition’s Panel Provider List and are subject to availability. Coalition Security does not provide insurance products. Coalition is the marketing name for the global operations of affiliates of Coalition, Inc.

**Eligibility for reduced retention for early FTF reporting depends on risk profile, underwriting approval and other qualifications determined at the time of quote or renewal. Please see a copy of your policy for eligibility and full terms and conditions.

This communication is not a proposal of insurance. This communication is designed to provide general information on the topic presented and is not intended to construe or the rendering of legal or other professional services of any kind. If legal or other professional advice is required, the services of a professional should be sought. The views and opinions expressed as part of this communication do not necessarily state or reflect those of Coalition. Neither Coalition nor any of its employees make any warranty of any kind, express or implied, or assume any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, product or process disclosed. Any action you take upon the information contained herein is strictly at your own risk. Coalition will not be liable for any losses and damages in connection with your use or reliance upon the information.

Copyright © 2025. All rights reserved. Coalition and the Coalition logo are trademarks of Coalition, Inc.