
This is a companion blog to “The SafeHouse” podcast dated August 7, 2025.
When a cyberattack strikes, panic and uncertainty often set in. For many businesses, it’s uncharted territory — one wrong move can make the situation far worse. That’s why understanding the cyber claims process is critical.
In a recent episode of The SafeHouse Podcast, co-chairs Jeff Edwards and Tawana Johnson sat down with Toni Sukhan, a veteran claims examiner, to explore how cyber claims are handled from the insurance carrier’s perspective.
Listen to the original podcast here: https://safehouseinitiative.org/cradle-to-the-grave-the-full-lifecycle-of-a-cyber-claim-with-toni-sukhan/
Toni has worked in claims for more than 20 years, handling everything from auto to general liability. But the dynamic, ever-changing cyber space drew him in:
“I was drawn to cyber because of its fast-paced environment. I love technology, and there’s always something new to learn. Every claim is different — it’s an opportunity to learn about new threat actors and stay on top of cutting-edge technology.”
As a cyber claims examiner, Toni’s role is to review coverage and guide businesses through the chaotic aftermath of a cyber incident — whether that’s ransomware, a data breach, or business email compromise.
The clock starts ticking the moment suspicious activity is detected.
“As soon as an insured is suspicious of an event, we hope they notify their carrier immediately. Timing is critical,” Toni stressed.
Toni warns against contacting the attacker or hiring outside IT before notifying the insurer. Some policies may deny reimbursement for costs incurred without prior approval.
Once the claim is reported, the insurer quickly engages a specialized team:
Toni likens it to an ER visit:
“First, we stabilize. Then we restore. And then we reconcile.”
Paying a ransom is always a last resort.
“If the insured has viable backups, data wasn’t exfiltrated, and the system can be restored quickly, we won’t recommend paying a ransom at all,” Toni explained.
But if downtime is crippling the business and backups are compromised, the cost of downtime may outweigh the ransom — prompting consideration of payment.
If payment is unavoidable, trained forensic negotiators (posing as the business, not the insurer) handle communications to avoid tipping off attackers that insurance is involved.
Before paying, the team:
Only after these steps is cryptocurrency payment sent, the decryption key received, and restoration completed.
When asked for one actionable tip for businesses, Toni didn’t hesitate:
“Make sure your backups are viable, and you back up your data frequently.”
This advice is especially relevant for SMBs — as Tawana noted, 70% of ransomware attacks last year targeted businesses with fewer than 500 employees.
Cyber incidents aren’t just an IT problem — they’re a business continuity crisis. Toni’s insights underscore the importance of speed, strategy, and expert coordination when navigating a claim.
As Jeff Edwards summed up:
“It’s not a question of if it’ll happen — it’s when.”
For more information about the SafeHouse Initiative and how you can protect your organization, visit safehouseinitiative.org.



