Cyber Insurance First Notice of Loss

IR-OS Editorial Team | Published May 18, 2026 | 11 min read

The cyber insurance first notice of loss (FNOL) starts the policy claim process and is often a condition of coverage. Missing the FNOL window or engaging off-panel vendors before notice can void coverage. This page covers the trigger, the recommended content, the relationship between FNOL and panel-vendor activation, and the structured workflow IR-OS uses to deliver compliant first-notice within the policy window. It is a process reference, not legal advice; confirm specifics with your broker and breach counsel.

Coverage warning. Many cyber claims are denied because the insured engaged forensics, breach counsel, or public relations before issuing first notice and getting panel approval. The first notice is one of the most consequential calls in the early hours of a cyber incident. Issue it under counsel direction, in the policy window, on the named claim channel.

What FNOL triggers

First notice triggers four downstream processes at the carrier. (1) Claim file opens with a claim handler assigned. (2) Panel counsel and panel forensics become eligible for engagement, often at favorable rates. (3) Any pre-approvals the policy requires (for example, public statement review, ransom payment screening) become available. (4) The carrier's coverage analysis begins, which determines what costs the policy will reimburse.

Notice itself does not commit the insured to any specific facts beyond what is in the notice. Notices are typically issued as preliminary and subject to update as facts develop. Coverage analysis is the carrier's responsibility under the policy; the insured's job is to provide accurate factual information and follow the claim handling process.

When the clock starts

Most cyber policies tie the first-notice window to incident awareness, sometimes worded as "as soon as practicable" or with a stated window (24, 48, or 72 hours). The trigger language varies by carrier. Common triggers include: (a) discovery of unauthorized access; (b) discovery of data exfiltration or encryption; (c) receipt of a ransomware demand; (d) discovery of a system compromise that may result in a covered loss.

The window starts at organizational awareness, not at the moment a single analyst becomes aware. Carriers and brokers commonly interpret awareness as the point at which the organization (typically through the CISO, CIRT lead, or named incident commander) determines that a potentially covered event has occurred. Document the awareness timestamp in the incident record.

What goes in the notice

A compliant FNOL is short, factual, and reviewed by counsel before transmission. It typically includes:

What does not go in the notice: speculation about threat actor identity, premature attribution, specific data class counts before confirmation, commitments to remediation timelines, admissions of fault, or descriptions of root cause not supported by evidence. Factual but reserved beats specific but wrong.

FNOL template

[Date and time]

To: [Carrier claim notification address]
Cc: [Broker]
Subject: First Notice of Loss - Cyber Policy [Policy Number]

[Insured organization name] is providing first notice of loss under cyber policy [Policy Number] for an incident discovered on [Discovery date and time].

Incident description (preliminary): [One- to two-sentence factual description, e.g. "Unauthorized access detected on internal systems; investigation in progress to determine scope."]

Current status: [Containment in progress / Investigation underway / Scope being assessed]

Named incident commander: [Name, role, email, phone]

We request activation of panel counsel and panel digital forensics under the policy. Please confirm panel vendor contact details and any pre-approvals required.

We reserve all rights to update this notice as facts develop. Counsel of record on this matter is [Name, firm] (if applicable, with prior carrier approval).

Please confirm receipt and provide claim handler assignment.

[Signed]
[Risk Officer / General Counsel / authorized representative]

This template is a starting point. Confirm the carrier's preferred form, transmission channel (claim email, web portal, broker), and content with your broker before an incident. Capture all of this in the IR plan so first notice is reflexive, not improvised.

Panel-vendor coordination

The panel is the list of vendors the carrier has vetted: breach counsel firms, digital forensics providers, ransomware negotiators, public relations agencies, credit monitoring services. Using a panel vendor typically requires no additional carrier approval and engages the vendor at pre-priced rates. The carrier knows the panel; the panel knows the carrier's process; coordination is faster.

Engaging an off-panel vendor without prior carrier approval can result in the carrier refusing to reimburse that vendor's fees, even if the underlying incident is covered. The recommended sequence is: declare incident; engage panel breach counsel under privilege; issue FNOL with counsel's review; counsel coordinates panel forensics, panel PR, and any other panel activations.

Multi-carrier notice

A material cyber incident commonly engages multiple policies. Cyber primary and excess are the obvious candidates. Other policies that may respond depending on facts: errors and omissions (technology professional liability), directors and officers (especially for SEC-related claims), crime (for wire fraud or theft), kidnap and ransom (for extortion in some policy forms), business interruption (for revenue loss), and property (for physical damage from cyber-physical incidents).

Each policy has its own first notice window. Failing to notice a policy that could respond can void that policy. The broker coordinates the multi-carrier notice strategy. The complete coverage map should be in the IR plan and captured in IR-OS at onboarding so the platform surfaces all applicable notices when an incident opens.

IR-OS workflow

IR-OS captures the cyber insurance policy details at onboarding: carrier name, policy number, claim notification channel, broker contact, panel list, notice window, and policy-specific requirements (for example, ransom payment pre-approval rules). When an incident is opened, the platform surfaces a first-notice task with a countdown to the policy window.

The Stakeholder Agent drafts the FNOL against the captured policy facts and current incident description. The risk officer or counsel reviews, edits, and approves. The transmission is sent via the carrier's named channel. The notice content, recipient, transmission timestamp, and approval signature are committed to the hash-chained ledger. The complete first-notice record is independently verifiable later.
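A sketch of how a hash-chained record of the kind described above can be built and independently verified, as an added example that is not IR-OS code. The SHA-256 chaining scheme, the field names, and the sample events are assumptions constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed "previous hash" for the first entry

def entry_hash(prev_hash, record):
    """SHA-256 over the previous hash plus a canonical JSON encoding of the record."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()

def append(ledger, record):
    """Append a record, linking it to the hash of the entry before it."""
    prev = ledger[-1]["hash"] if ledger else GENESIS
    ledger.append({"prev": prev, "record": record, "hash": entry_hash(prev, record)})

def verify(ledger, expected_head=None):
    """Return -1 if the chain is intact, else the index of the first bad entry.
    expected_head is the final hash as held outside the ledger; without it,
    removal of entries from the tail goes undetected."""
    prev = GENESIS
    for i, entry in enumerate(ledger):
        if entry["prev"] != prev or entry["hash"] != entry_hash(prev, entry["record"]):
            return i
        prev = entry["hash"]
    if expected_head is not None and prev != expected_head:
        return len(ledger)
    return -1

def sample_ledger():
    """Constructed sample events; names, times and addresses are placeholders."""
    ledger = []
    notice = "[FNOL text as approved by counsel]"  # placeholder notice body
    append(ledger, {"event": "incident_declared", "ts": "2026-01-10T08:05:00Z"})
    append(ledger, {"event": "awareness_recorded", "ts": "2026-01-10T09:30:00Z"})
    append(ledger, {"event": "fnol_approved", "ts": "2026-01-10T14:10:00Z",
                    "approver": "general counsel"})
    append(ledger, {"event": "fnol_transmitted", "ts": "2026-01-10T14:20:00Z",
                    "recipient": "claims@carrier.example",
                    "notice_sha256": hashlib.sha256(notice.encode()).hexdigest()})
    return ledger

if __name__ == "__main__":
    ledger = sample_ledger()
    head = ledger[-1]["hash"]  # recorded separately, e.g. in counsel's file
    print("intact:", verify(ledger, head))
    ledger[1]["record"]["ts"] = "2026-01-10T13:00:00Z"  # altered after the fact
    print("first bad entry:", verify(ledger, head))
    print("tail removed:", verify(sample_ledger()[:3], head))
```

The chain only shows that entries have not changed relative to each other. Independent verification depends on the head hash being held somewhere the ledger's operator cannot rewrite.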

Cyber insurance and AI-augmented response

2026 cyber insurance markets are beginning to reward documented, AI-augmented response. Carriers value: a hash-chained incident record (independently verifiable claim documentation), faster first-notice (within or well within the policy window), counsel-reviewed drafts (lower risk of communication errors that complicate the claim), and structural privilege (preserves work product and reduces discovery risk). Some carriers offer premium credits for organizations that maintain these capabilities. Discuss with your broker.

Frequently Asked Questions

What is a cyber insurance first notice of loss?

The first notice of loss (FNOL) is the formal communication from the insured to the cyber insurance carrier that an incident potentially covered by the policy has occurred. It starts the policy claim process, triggers panel-vendor activation (breach counsel, forensics, public relations), and is often a condition of coverage. Most cyber policies require notice as soon as practicable or within a stated window (commonly 24, 48, or 72 hours of incident awareness).

What happens if I miss the cyber insurance first notice window?

Missing first notice can void coverage under a late-notice exclusion or reduce reimbursement for costs incurred before notice. Many cyber claims that get denied are denied not because the incident was not covered but because the insured engaged forensics, counsel, or public relations vendors before notifying the carrier and getting panel approval. When and how to issue first notice is one of the most consequential decisions in the early hours of a cyber incident.

Who issues the cyber insurance first notice?

The risk officer or general counsel typically issues the first notice, in coordination with the broker who placed the policy. Some organizations also include the incident commander or CISO in the FNOL workflow. The notice is sent to the carrier's claim notification address (often a dedicated cyber claim email or web portal) and copies the broker. The notice is recorded as an event in the incident record.

What should the cyber insurance first notice include?

A compliant first notice typically includes: incident description (high-level facts known to date), incident discovery timestamp, current incident status, named incident commander and contact, request for panel counsel and panel forensics activation, request for any pre-approval the policy requires, and reservation of rights to provide additional information as facts develop. The notice should be factual, not speculative, and reviewed by counsel before transmission.

What is a pre-approved panel in cyber insurance?

A pre-approved panel is the list of vendors (breach counsel, digital forensics firms, public relations agencies, ransomware negotiators, credit monitoring providers) the carrier has vetted and pre-priced. Using a panel vendor typically requires no additional carrier approval and engages the vendor at favorable rates. Engaging an off-panel vendor without prior carrier approval can result in the carrier refusing to reimburse the vendor's fees.

Can I engage breach counsel before issuing first notice?

Most carriers allow engagement of panel counsel concurrent with or immediately after first notice. Engaging off-panel counsel before first notice often requires retroactive approval and may not be reimbursed. The recommended sequence is: declare incident, engage panel breach counsel under privilege, issue first notice with counsel's review, and let counsel coordinate downstream panel vendor activations. Confirm the specific sequence in your policy and with your broker.

Does cyber insurance cover ransomware payments?

Most 2026 cyber policies cover ransomware payments subject to sublimits, OFAC compliance review, and carrier pre-approval. The carrier and panel counsel must approve any payment before it is made. OFAC sanctions screening of the threat actor is mandatory under US Treasury guidance. A payment made without these steps may not be reimbursed and may itself violate OFAC regulations. Coverage and procedure vary by carrier; review the policy before relying on payment coverage.

How does IR-OS handle the cyber insurance first notice?

IR-OS captures the cyber insurance policy at onboarding (carrier, policy number, claim notification address, panel list, notice window). When an incident is opened, the platform surfaces a first-notice task with a countdown to the policy window. The Stakeholder Agent drafts the FNOL against the captured policy facts. The risk officer or counsel approves and transmits. The notice transmission is recorded in the hash-chained ledger.

What is the typical cyber insurance first notice window?

Cyber insurance first notice windows are typically 24, 48, or 72 hours from incident awareness, with many policies using "as soon as practicable" language. Some policies tier the window by severity. The window is a contractual obligation, separate from regulatory clocks like SEC 8-K Item 1.05 or GDPR Article 33. Confirm your specific policy window with your broker and capture it in your IR plan.

Can I issue first notice to multiple carriers?

Yes, and you should if multiple policies may respond: primary cyber, excess cyber, E&O, D&O, crime, kidnap and ransom, business interruption, and property may all apply. Each policy has its own first notice window. The broker coordinates multi-carrier notice. Failing to notice a policy that could respond can void that policy's coverage. The full coverage map should be in the IR plan.

Run first notice on the policy window, not on memory

IR-OS captures your cyber insurance policy at onboarding and surfaces the first-notice task with a countdown the moment an incident opens. AI-drafted FNOL, counsel approval, hash-chained transmission record.
