What Evidence Do Insurers Require After a Ransomware Attack? A Practical Checklist for Regulated NJ & NY Businesses

TL;DR

  • Preserve logs, disk images, and chain-of-custody documentation immediately—insurers expect forensic-grade artifacts.
  • Notify your insurer and regulators within 24–72 hours and preserve SIEM / endpoint exports and backup snapshots.
  • Collect system images, backup integrity reports, ransom notes, and a clear incident timeline to support cyber insurance claim documentation NJ and ransomware claims NY.
  • Use a forensic vendor to produce insurer-ready deliverables; keep remediation-cost receipts and business interruption estimates.
Incident responder photographing sealed drives and evidence bags at a server rack, laptop open, city skyline visible.

Ransomware evidence for insurers matters because a claim succeeds or stalls on the quality of artifacts you provide. This guide explains exactly what insurers typically request after an attack, how to preserve it in the first 24–72 hours, and how regulated New Jersey and New York businesses should package evidence for cyber insurance claim documentation NJ and ransomware claims NY. The steps below are practical and platform-agnostic, and include a copyable ransomware insurance evidence checklist you can use immediately.

Who this is NOT for: organizations without cyber insurance, businesses operating entirely offline, and situations where immediate human safety is at risk — prioritize life-safety first and follow emergency services directions.

Isometric workflow diagram of ransomware evidence-preservation steps for regulated businesses.

Why Insurer Evidence Requirements Matter for Regulated Businesses

Insurers need to verify cause, scope, and loss before paying a ransomware claim. For regulated sectors — financial services, healthcare, and similarly supervised entities in NJ and NY — regulators such as the NJ Department of Banking & Insurance and NYDFS expect both incident reporting and documented remediation steps. This is especially critical in the context of post-ransomware compliance and reporting, as poor evidence can lead to denied or reduced payouts, longer investigations, and regulatory penalties.

Insurers will ask for artifacts that prove the incident timeline, whether data was exfiltrated, whether backups were impacted, and what remediation steps were taken. Delivering SIEM exports, endpoint logs, disk images, backup snapshots, ransom notes, and an incident chronology reduces friction. Practical example: a mid-sized healthcare provider in New Jersey that supplied SIEM exports and a verified backup integrity report resolved its business interruption portion faster than a peer that supplied only screenshots.

"Preserve logs, disk images, and chain-of-custody documentation immediately—insurers expect forensic-grade artifacts."

Immediate Steps to Preserve Evidence (first 24–72 hours)

If you suspect ransomware, act fast. Aim to notify your insurer and regulators within 24–72 hours, and preserve volatile and persistent evidence. Start an incident log with timestamps, who acted and what they did, and assign a single incident lead. Then collect exports from SIEM and EDR solutions and capture full-disk images where possible. Following the appropriate steps for ransomware preparedness and recovery is crucial, as is adhering to NJ and NY reporting guidance—refer to the NJ bulletin and NYDFS guidance in the References.

Practical timing rule: within 24 hours, isolate infected hosts and export endpoint telemetry; within 48 hours, take forensic disk images of priority systems; within 72 hours, assemble the initial documentation packet for your insurer. That packet should include exported logs, backup snapshots, ransom notes, and the incident chronology (sample template below).

Preserve system images and logs

Export endpoint detection logs, EDR alerts, and SIEM correlation logs in their native formats (CSV, JSON, or vendor-specific bundles). Capture memory and full-disk images from affected systems using standard forensic tools (e.g., FTK Imager, dd). Label each image with system name, timestamp, and capture tool. Example artifact list insurers expect: SIEM exported query covering the infection window, EDR timeline for each endpoint, and a write-protected forensic disk image per host.

Maintain chain of custody

Document who collected each artifact, when, and how it was transferred or stored. Use a simple chain-of-custody form that notes collector name, device identifier, capture time, storage media serial number, and hash (SHA-256). Insurers treat chain-of-custody as proof evidence hasn't been altered; without it, forensic artifacts lose credibility. Store originals on read-only media and provide copies for investigators.

Isolation vs. shut-down: guidance

Isolate infected endpoints from the network without powering them off when possible. Shutting down may destroy volatile memory and hamper analysis. If a host must be powered down for safety, document the reason and time. Isolation preserves network traffic artifacts and limits spread while keeping evidence intact—capture network flow logs and gateway logs before any reboots.

Preserve originals on read-only media and record a hash to validate integrity during insurer review.
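The chain-of-custody form and integrity check described above, as an added example that is not part of the original article: a small Python helper that records one manifest row per artifact (collector, device identifier, capture time, storage media serial number, SHA-256) and later re-hashes every artifact to flag anything that has changed before copies go to the insurer. File names and serial numbers are constructed placeholders.

```python
# Chain-of-custody manifest helper (added example; names and serials are constructed).
import csv
import hashlib
from datetime import datetime, timezone
from pathlib import Path

# Columns mirror the chain-of-custody fields the checklist calls for.
FIELDS = ["artifact", "collector", "device_id", "capture_time_utc",
          "media_serial", "sha256"]


def sha256_file(path):
    """Stream the file in 1 MiB chunks so multi-GB disk images need not fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def record_custody(artifact, collector, device_id, media_serial, manifest):
    """Hash one artifact and append its custody row to the CSV manifest."""
    row = {
        "artifact": str(artifact),
        "collector": collector,
        "device_id": device_id,
        "capture_time_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "media_serial": media_serial,
        "sha256": sha256_file(artifact),
    }
    new_file = not Path(manifest).exists()
    with open(manifest, "a", newline="") as f:
        w = csv.DictWriter(f, fieldnames=FIELDS)
        if new_file:
            w.writeheader()
        w.writerow(row)
    return row


def verify_manifest(manifest):
    """Re-hash every artifact listed; return those missing or whose hash changed."""
    with open(manifest, newline="") as f:
        rows = list(csv.DictReader(f))
    return [r["artifact"] for r in rows
            if not Path(r["artifact"]).exists()
            or sha256_file(r["artifact"]) != r["sha256"]]
```

Run `record_custody()` once per artifact at collection time and `verify_manifest()` again before each hand-off; an empty list means every original still matches its recorded hash.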

Core Evidence Items Insurers Typically Request

Insurers commonly request a consistent set of artifacts to adjudicate ransomware claims: system/event logs, backup evidence, forensic disk images, ransom notes and attacker IOCs, and proof of remediation and business losses. Provide these artifacts in native or exported formats, plus clear documentation explaining what each file represents. Being comprehensive speeds reviews and avoids repeated requests.

"Insurers typically request SIEM exports, backup snapshots, disk images, ransom notes, and a documented incident timeline."

System and event logs (SIEM, endpoint logs)

Export log data for the period starting 72 hours before suspected compromise through containment. Include logs from domain controllers, VPN gateways, firewalls, email gateways, and EDR agents. Provide search queries used to extract relevant windows to support reproducibility. If you use SIEM, provide both raw events and the correlation rule outputs that triggered alerts.

Backups and backup integrity reports

Provide backup job logs, snapshot timestamps, and integrity verification reports that show whether backups were affected. A backup manifest that lists file hashes and retention periods is useful. If backups were encrypted or deleted, note the time and affected job IDs. Example: keep the nightly backup job log for the prior 30 days and a verification check for the most recent clean snapshot.

Forensic snapshots and disk images

Deliver read-only forensic images with accompanying hash values. Label each image clearly and include a short narrative of how and when images were taken. Vendors and insurers will use these to reproduce timelines and confirm the presence of ransomware binaries, encryption artifacts, or exfiltration tools.

Ransom notes, attacker communications, and indicators of compromise

Collect ransom notes, attacker email addresses, TOR or leak site URLs, and any attacker-controlled command and control (C2) IPs or domains. Provide network captures (PCAPs) if available and a list of indicators of compromise (IOCs) in a simple CSV (type,value,first-seen). These items help insurers assess whether data was exfiltrated and whether notification obligations apply.

Include both raw artifacts and a plain-language summary that explains what each artifact shows.

Documentation & Timelines for Claims Submission

An organized documentation packet reduces back-and-forth with insurers. Start with an incident chronology, then attach evidence manifests, relevant logs, backup reports, forensic images, ransom notes, and a business loss worksheet. Label files consistently and include file hashes. For regulated entities, include regulator report copies and dates of notification.

Incident chronology template

Use a simple table to show events with timestamps, actors, and artifacts. Below is a compact template you can copy into an incident report.

Timestamp (UTC)  | Event                         | Actor           | Artifact(s)
2026-04-01T02:15 | Initial suspicious activity   | IT Ops          | SIEM export (siem_export_20260401.zip)
2026-04-01T03:10 | Endpoint alerts: encryption   | IR lead         | EDR timeline (edr_timeline_host12.json)
2026-04-01T04:00 | Forensic disk image taken     | Forensic vendor | image_host12_E01.dd (SHA256:...)

Cost and loss documentation (business interruption, remediation)

Track hourly remediation costs, third-party vendor invoices, and revenue lost during downtime. Keep receipts for emergency contractors, additional hosting, and legal or notification fees. Provide insurer-ready spreadsheets that map costs to dates and tasks. For business interruption, include typical daily revenue and days unavailable—insurers use that to calculate lost-margin claims.

Working with Forensic Vendors to Produce Insurer-Ready Deliverables

Bring a forensic vendor early if evidence collection exceeds internal capabilities. Ask the vendor to deliver a statement of work that specifies deliverables, formats, and timelines. Vendors should produce write-protected forensic images, an examiner's report, IOC lists, and remediation recommendations. Ensure vendor invoices are granular for insurance accounting.

Minimum forensic report components insurers expect

Insurers look for a formal forensic report that includes scope, methodology, evidence list with hashes, timeline of attacker activity, indicators of compromise, and conclusions about data exfiltration or system compromise. The report should be signed by the lead examiner and dated.

Typical forensic timelines and how to accelerate delivery

Standard forensic engagements take 3–10 business days depending on scope. To accelerate delivery, prioritize critical systems, provide vendor remote access to SIEM/EDR, and deliver pre-collected artifacts (logs, backup manifests) to the vendor on day one.

Common Insurer Questions & How to Answer Them

Insurers often ask: What systems were affected? Were backups impacted? Was data exfiltrated? When did you notify regulators? Answer with concise, dated facts and reference attached artifacts. Example answer: "Active Directory domain controller compromised on 2026-04-01T03:05 (see image_dc01_E01.dd and edr_timeline_dc01.json)." Work from the checklist of what insurers need after ransomware when assembling packets so you include every expected artifact.

Quick Checklist PDF / Downloadable Evidence Kit

Use this ransomware insurance evidence checklist as a starting point for cyber insurance claim documentation NJ and ransomware claims NY. Keep copies of each item in a single evidence folder.

  • Initial incident log with timestamps and incident lead
  • SIEM export covering the window from 72 hours before to 24 hours after suspected compromise
  • EDR timelines and alerts per host
  • Forensic disk images with SHA-256 hashes
  • Backup job logs and integrity reports
  • Ransom notes and attacker IOCs (CSV)
  • Vendor forensic report and invoice
  • Business interruption spreadsheet and remediation receipts
  • Chain-of-custody forms for each artifact

Evidence        | Format           | Collector
SIEM export     | CSV/JSON         | Security team
Disk image      | E01/DD + SHA256  | Forensic vendor
Backup manifest | PDF/CSV          | Backup admin

Conclusion: Next steps and contacting your insurer

Preserve evidence immediately, assemble the documentation packet, and contact your insurer within 24–72 hours. For regulated NJ and NY businesses, reference NJ and NY guidance and include regulator notification dates in your packet. If you want help preparing insurer-ready documentation or ongoing managed coverage, review our managed IT and cybersecurity services. To discuss an incident or assessment, or to request a demo of relevant capabilities, contact us.

References
