As modern businesses become more reliant on technology, the threat of cyberattacks is a reality companies need to be prepared for. With AI and other advanced tools, it is becoming easier for bad actors to breach systems and networks. As threats grow, cyber insurance has become an increasingly popular line of defense in helping companies protect their business from the financial loss and sometimes reputational harm post-incident.
In the first few hours — then months — following a cyberattack, this is what a company can expect to unfold, and the role a cyber liability policy may play.
Threat Detected: The IT department recognizes anomalous behavior within the network and discovers that a threat actor has managed to breach their systems. They’ve moved laterally into critical systems, locking them down and encrypting files.
Executives and Experts Notified: The IT department head notifies company executives while their team begins to work on mitigating potential damage and stopping the threat actor. The chief financial officer (CFO) contacts the risk manager, who oversees the company’s insurance placements. He knows they have a cyber liability policy, and the event may need to be reported to the carrier.
Breach Coach Engaged: The risk manager accesses a copy of the policy from their email, since they can’t access the local network drive. It’s been locked down by the threat actor. They call the breach hotline and connect right away with a breach coach from a panel law firm. This individual manages next steps in handling the attack.
Forensics Begins Triage: Once the breach coach gains an understanding of what has occurred so far, they recommend engaging a forensics provider. That panel provider will conduct an investigation to determine important details from the attack, such as the time, place and reasons behind the incident and who the threat actor may be. As part of their triage efforts, they will also begin to help mitigate the damage alongside the insured’s own IT department, who are now working around the clock.
Public Relations Steps In: The company is public, so a public relations firm is also engaged to help them determine what may need to be disclosed according to Securities and Exchange Commission (SEC) regulations and how to manage external communications about the incident.
Ransom Identified and Reviewed: The forensics firm determines that the threat actor deployed ransomware, which allowed them to move laterally through the system, escalating privileges and encrypting critical files that contain sensitive information. Shortly into the investigation, the threat actor makes a ransom demand of $10 million. Coincidentally (or not), the company’s cyber liability policy has a limit of $10 million.
Remediation and Negotiations Begin: The breach coach reviews the ransom demand to ensure it is not coming from a sanctioned country and consults with the forensics provider. They determine that while it will take some time, the company can restore their systems from backups. Fortunately, backups are conducted daily. Because the threat actor’s activity was discovered by their endpoint detection and response tool, which fed directly into their 24/7 security operations center (managed by a third party), the IT team was able to begin remediating right away. The breach coach therefore knows, based on their extensive experience with ransom demands, that the value of what the threat actor holds is not near the $10 million demand. Negotiations begin.
Expenses and Damages Identified: Forensics determines that the threat actor was able to exfiltrate some data, including personally identifiable information (PII). They work with the breach coach and PR, as these services work together in attempting to mitigate expenses and damages during cyber incidents. One server was rendered useless post-attack, as it was damaged significantly by the threat actors from a security perspective. Given the cost of replacing it, the company hopes there is coverage under their policy for this type of property damage.
Voluntary Shutdown and Comms Roll Out: To contain the incident, the company’s critical systems were shut down voluntarily for five days. During that time, operations essentially ceased, and employees were unable to work. Even email and the IP phone systems were down. The CFO estimates they lost about $300,000 in revenue during this time and wonders whether or not the cyber liability policy will provide reimbursement. As a public company, they’ve also had to manage communication to their shareholders and have seen their stock price drop. There is perceived reputational harm, and they worry about a loss of trust across their customer base.
Process Improvements Begin: As the company moves past the cyber incident, they have learned lessons and improved processes. They are also very grateful to have purchased a cyber liability policy, as it provided access to the diligent vendors that assisted them along the way. Most of their expenses were reimbursed under the policy (subject to their self-insured retention) and their broker’s claims department helped ensure the results were satisfactory.
Notice of Legal Action: Six months later, the chief legal officer receives notice that a class action lawsuit has been filed against the company as a result of the data exfiltrated during the ransomware event. Although it was never confirmed that the threat actor released any of it on the dark web, an opportunistic plaintiff’s attorney solicited enough individuals to start the class action. The company contacts their broker, who reports the lawsuit to the cyber insurance carrier, noting that because the suit is related to the previously reported ransomware event, any qualified expenses associated with it would trigger the same related claim. That means they do not have to satisfy a second retention/deductible. Defense counsel (a panel provider) is assigned to begin building the company’s response to allegations.
Be Prepared With Cyber Protection
Cybercrime is not victimless. Targeted companies are victims. Individuals whose personal information is compromised are victims. Employees who work diligently to keep the company running through an attack and rebuild its systems and protections are victims. Making sure there are resources in place to help ease the burden of these events is massively important.
Each company should ensure they have adequate cyber protection, especially in a world where we all depend much more on technology. The scenario featured above is about a malicious cyberattack, but as we know, a cyber incident can simply be a result of human error — a mistake. That certainly doesn’t mean the impact cannot be as great. Don’t believe the hype — strong cyber insurance is designed to protect companies against malicious and non-malicious attacks. Be resilient. Be ready!
Common Cybersecurity Terms to Know
First Party
- Business Interruption: Loss of income or extra expenses incurred resulting from a cyber incident.
- Data Restoration: Costs to recollect, recreate, or restore data that was lost, stolen, or corrupted from a cyber incident.
- Extortion: Costs associated with an extortion or ransom event related to a cyber incident.
- Hardware Replacement: Property damage coverage for physical property rendered useless because of a cyber incident. (Does not pay to upgrade systems.)
Third Party
- Network Security and Privacy Liability: Liability costs associated with the loss of data resulting from a cyber incident.
- PCI Fines and Penalties: Costs associated with written demands for non-compliance with PCI Data Security Standards following a cyber incident.
- Regulatory Fines and Penalties: Fines assessed by federal, state, local or international regulatory bodies resulting from a data breach.
- Media Liability: Liability associated with disseminated media content.
- Breach Response: Provides access to best-in-class panel providers, as well as reimbursement for these services that are often triggered first when a cyber incident occurs.