Cyber insurance is one of those products you hope to never use, and when you finally use it, you discover the policy you bought is not what you thought you had. This is a composite case showing what an actual claim looks like at a small tax firm, from first call to final payment.
The setup
A 3-person tax firm with 200 clients. $1 million cyber liability policy with a $5,000 deductible. Premium was $2,800 per year. Claim was triggered by a business email compromise: an attacker took over the firm's primary email and intercepted a wire transfer between the firm and a client.
The wire was for $42,000. The client thought they were paying the firm for a tax planning engagement. The money went to a mule account controlled by the attacker.
Hour 0 to 4: discovery and the first call
The owner discovered the compromise when the client called to confirm receipt of the wire. The wire had cleared 11 days earlier but never landed in the firm's account.
First call: cyber insurance broker. The broker activated the breach coach and provided the claims hotline.
Second call: the firm's bank. Bank fraud resolution was started. Most of the money was already gone.
Third call: the FBI's Internet Crime Complaint Center (IC3). Required for any wire fraud incident over $5,000.
Day 1 to 3: forensics
The breach coach engaged a forensic firm. They confirmed:
- The owner's email had been compromised 18 days before the wire
- The attacker had set up an inbox rule that filtered emails about the wire transfer to a hidden folder
- The attacker replied to the client from the owner's account with updated wire instructions
- No client data outside the wire transaction was accessed in bulk
Forensics costs at this point: about $14,000.
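The hidden-folder inbox rule in the findings above is something a routine review of mailbox rules can surface before a wire goes missing. The following is an added example, not part of the original case or the forensic firm's tooling. It assumes rules were exported to JSON with field names modelled on Exchange Online's Get-InboxRule output (the page does not name the mail platform); the keyword list, folder list, sample rules and the firm.example domain are constructed for illustration.

```python
import json

# Constructed sample export. Field names are modelled on Get-InboxRule output
# (an assumption); addresses are simplified to bare SMTP strings.
SAMPLE_RULES = json.loads("""[
  {"Name": "Newsletters", "Enabled": true, "MoveToFolder": "Newsletters",
   "FromAddressContainsWords": ["news@example.com"]},
  {"Name": ".", "Enabled": true, "MoveToFolder": "RSS Feeds", "MarkAsRead": true,
   "SubjectOrBodyContainsWords": ["wire", "payment", "invoice"]},
  {"Name": "fwd", "Enabled": true, "ForwardTo": ["someone@external.example"]}
]""")

# Illustrative lists, not exhaustive: tune them to the firm's own mail.
PAYMENT_WORDS = {"wire", "payment", "invoice", "bank", "routing", "ach", "remittance"}
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "archive", "junk email", "deleted items"}
KEYWORD_FIELDS = ("SubjectContainsWords", "BodyContainsWords", "SubjectOrBodyContainsWords")
FORWARD_FIELDS = ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo")

def score_rule(rule, own_domain):
    """Return the reasons a rule deserves human review (empty list = none)."""
    reasons = []
    words = {w.lower() for f in KEYWORD_FIELDS for w in rule.get(f) or []}
    hits = sorted(words & PAYMENT_WORDS)
    folder = (rule.get("MoveToFolder") or "").lower()
    hides = folder in HIDING_FOLDERS or bool(rule.get("DeleteMessage"))
    if hits and hides:
        reasons.append(f"hides payment-related mail ({', '.join(hits)})")
    elif hides and rule.get("MarkAsRead"):
        reasons.append("moves or deletes mail and marks it read")
    for f in FORWARD_FIELDS:
        for addr in rule.get(f) or []:
            if not addr.lower().endswith("@" + own_domain):
                reasons.append(f"sends mail outside the firm: {addr}")
    if not rule.get("Name", "").strip(". "):
        reasons.append("blank or punctuation-only rule name")
    return reasons

def review(rules, own_domain):
    """Map rule name -> reasons, for every rule with at least one reason.
    Disabled rules are included: a rule may be switched off after use."""
    scored = ((r.get("Name", ""), score_rule(r, own_domain)) for r in rules)
    return {name: reasons for name, reasons in scored if reasons}

if __name__ == "__main__":
    for name, reasons in review(SAMPLE_RULES, "firm.example").items():
        print(repr(name), "->", "; ".join(reasons))
```

Saving each run's dated output also gives the firm a current email security configuration record of the kind the carrier later asked for.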
Day 4 to 14: notification and legal review
The breach coach reviewed the affected client's data. Since the client's bank routing details were exposed, notification was required under the relevant state's breach notification law.
Notification was sent to the affected client. Credit monitoring was offered (the client declined).
Legal fees: about $7,500.
Day 15 to 30: the documentation push
This is the part most firms do not anticipate. The insurance carrier sends a formal documentation request. The list typically includes:
- Current WISP, dated
- Risk assessment
- Employee training records for the last 12 months
- MFA configuration evidence
- Incident response plan
- Backup verification logs
- Email security configuration
- Vendor list with data processing agreements
The firm in this case had everything except the vendor list with current DPAs. They scrambled to gather signed agreements from 4 vendors, two of which had to be re-executed.
Lesson: the documentation requirement is not "nice to have." A missing artifact can result in coverage denial. The firm came close to having the wire fraud portion denied because the email security configuration documentation was 14 months old.
Day 31 to 60: claim resolution
The carrier reviewed the documentation and approved the claim. Final payments:
- Wire transfer loss: $42,000 minus the $5,000 deductible = $37,000 reimbursed
- Forensic costs: $14,000 covered in full
- Legal fees: $7,500 covered in full
- Notification and credit monitoring: $400 covered in full
Total claim payout: about $58,900. Out of pocket for the firm: $5,000 deductible plus the time cost of the documentation gathering.
What worked
- Speed of first call. The owner called the broker within 4 hours of discovery. That triggered the breach coach engagement, which protected the firm legally and procedurally.
- Existing WISP and risk assessment. Both were dated within the last 9 months. The carrier did not even question them.
- FBI report. Filed within 24 hours. The carrier required this for the wire fraud portion.
- MFA on email had been on for 6 months. The carrier asked specifically when it was enabled. If MFA had been enabled less than 30 days before the incident, the carrier would have asked tougher questions about whether the firm met the policy's representations.
What almost didn't work
- The vendor list. Missing DPAs almost triggered a partial denial. The firm got lucky that the carrier accepted retroactive execution.
- Email security configuration. The documentation was 14 months old. The carrier asked for current configuration. The firm provided it within 48 hours, but the gap was a real risk.
- Phishing training records. The firm had run training but the completion records had not been saved with dates. They were able to reconstruct from the training tool's logs, but it cost 6 hours of work.
What this means for your firm
Three things make a claim go well.
- The first call is to your broker, not your IT person. Within hours, not days.
- Every artifact your application attested to needs to be available within 48 hours of a claim opening. If it takes longer than that, expect coverage friction.
- Your security program needs a paper trail. Every control needs a dated artifact, refreshed at least annually.
The firm in this case got a $58,900 payout and kept their license, their clients, and their relationship with the insurer. That outcome was determined by the documentation that existed before the incident, not by anything they did during it.



