When Business Stops: Coverage Litigation and the Fight for Recovery with Ted Brown

Alan Gin
, CEO
, ZeroDown Software
When a cyber incident hits, SMBs suddenly have to navigate three specialties at the same time: cybersecurity, privacy law, and insurance coverage. Our blog unpacks the most common pitfalls and the practical moves that keep claims on track.

This is a companion blog to the “The SafeHouse” podcast dated August 28, 2025.

Listen to the original podcast here: https://safehouseinitiative.org/when-business-stops-coverage-litigation-and-the-fight-for-recovery-with-ted-brown/

SafeHouse Podcast — Summer Cyber Insurance Series

“Not If, But When”: Coverage Lessons from Cyber Claims Attorney Ted Brown

Small and midsize businesses are great at what they do—but when a cyber incident hits, many discover (all at once) that they’re being asked to navigate three specialties at the same time: cybersecurity, privacy law, and insurance coverage. In this week’s episode, Jeff Edwards and Tawana Johnson sit down with Ted Brown, partner at Lavender Ridner Duffield, an insurer-side boutique focused on cyber, media, and technology coverage, to unpack the most common pitfalls—and the practical moves that keep claims on track.

How Ted Landed in Cyber Coverage

Ted didn’t start in law—or insurance. He worked in construction management during the 2008 financial crisis and helped his company scrutinize insurance claims from the policyholder side while in law school. That experience pulled him into coverage work after graduation, right as cyber was evolving.

Why Cyber Claims Are So Hard for SMBs

Most SMB leaders aren’t cyber, privacy, or insurance experts—yet cyber claims force them to operate in all three domains at once.

“You’re dealing with both cyber issues which they may be unfamiliar with and coverage issues which they may be unfamiliar with… there’s a lot of unknowns and uncertainty for small and medium-size businesses.” 

Ted’s first recommendation: lean on your broker and insurer early. They see these events “day in and day out” and can assemble the right response team.

“Leverage the expertise of others… really work with your insurer on the response.”  

What Makes Cyber Claims Different

Unlike a single-threaded slip-and-fall or a straightforward property loss, cyber claims are multifaceted, often combining first-party and third-party components.

“If you have… a ransomware incident, you have first-party response costs… notifications… you also may have lawsuits… you also have… potential business interruption loss. There’s a lot of different angles to it.”  

The good news: modern policy forms can be comprehensive. If you have a data privacy class action and you also have a business interruption loss many policy forms cover both of those risks.

But coverage is not unlimited.

The Most Common Coverage Disputes (and How to Avoid Them)

Late Notice

Untimely reporting can create a host of issues for the insured that it could otherwise avoid had it simply provided notice early and often.

Applications Treated as Aspirational

The application is not aspirational. It’s what are the controls now because that’s what the insurer is underwriting.

Using Off-Panel Vendors Without Consent

Some policies require pre-approved panels; others need insurer consent. Going off-panel can complicate coverage. You tend to have a better experience when you’re working with those on-panel providers.

‘Betterment’ After the Incident

Upgrades are great for security but don’t expect the policy to fund them. Insurance brings you back to where you were. It doesn’t bring you back to where you should have been. If you crash your 2012 Ford Fusion your insurance company’s not going to buy you a brand-new Cadillac.

Business Interruption Math

It’s not a slush fund; losses must be actual, provable, and directly tied to the cyber event. It really does cover actual financial loss directly tied to the cyber event.

What To Do Before You Have a Claim

Have a printed incident game plan (yes, printed). Print it out… have phone numbers, have emails, be ready to engage.

Call your insurer quickly and coordinate through your broker. Partnering with your insurance company early and looping in counsel as needed is a really good option for responding to incidents.

Turn on MFA everywhere it matters. A very common refrain is that a compromise came through access not secured by multi-factor authentication.

The Mindset That Gets Companies Through

Even on the worst day, there’s a path forward. There is a light at the end of the tunnel you do get through it’s a lot easier and less impactful if you have the right legal partners, the right insurance partners, and a game plan that you’re ready to execute.

Quick Checklist (Print This)

Know your policy: panel requirements, consent clauses, notice triggers.

Pre-load contacts: broker, carrier claim line, panel counsel, IR forensics, PR.

Enable MFA on email, VPN, remote desktop, privileged accounts, SaaS admin.

Document controls honestly on applications—no “aspirational” answers.

Report early and often—don’t start remediation off-panel without consent.

Track BI impacts with evidence (timestamps, order logs, revenue deltas).

Final Word

Cyber claims aren’t like other claims. They’re faster, messier, and more multidimensional—but with early notice, the right panel, MFA, and a printed plan, SMBs can move from chaos to control.

“I’d love to say if, but really when it happens.” 

For more information about the SafeHouse Initiative and how you can protect your organization, visit safehouseinitiative.org.

Latest posts

Related posts

Discover more information