Cyber Insurance
Posted by stressedClaimant865

We got our cyber/ransomware claim paid in full at $843k after six months of forensic auditing and one denied incident response invoice. What I wish I had known before the breach happened

I run operations at a 40 person regional accounting firm. We got hit with a Conti-variant ransomware attack in late October 2025. Attacker came in through a compromised RDP session on a remote workstation we had not patched in time. Within 4 hours they had moved laterally to two file servers, encrypted about 11TB of client tax documents and audit working papers, and dropped a $1.8M ransom note. We had a Beazley cyber policy with $1M aggregate, $250k incident response sublimit, and a $25k retention.

We paid the retention, called our broker, and the policy responded the same day with a panel incident response firm. They had a forensic team on a Zoom call within 90 minutes and a containment plan in motion by hour 6 of the incident. We did not pay the ransom. Beazley's incident response coverage paid for the forensic firm ($148k), the breach counsel attorney ($63k), the credit monitoring offer to affected clients ($94k), the regulatory notification work in three states ($31k), the business income loss reconstruction ($412k for 19 days of lost productivity), and the data restoration from backup ($95k). Total claim paid was $843k against a $1M aggregate.

The one fight we had was over a $34k invoice from a secondary IR firm we had on retainer before the breach. Beazley denied that piece because the policy required use of their panel vendors except in true emergency situations and the panel firm was on site within 90 minutes. We lost that argument and I think they were technically right under the policy language but it stung at the time. Lesson learned for any other small business owner reading: if your cyber policy has a panel vendor list, dump your retainer vendor or at least understand that the policy will not pay them in a covered incident.

Three things I would tell my pre-breach self. One, run a tabletop exercise with breach counsel before you ever need them. Two, know exactly where your backup data lives and how long it takes to restore. We had what we thought were good backups and the restoration took 9 days, not the 36 hours we had assumed from our last test. Three, take the business income loss documentation seriously. Beazley initially valued our 19 day disruption at $180k and we walked them up to $412k with detailed billable hour records, partner time logs, and client engagement letters that documented work that could not be performed during the incident.
