Cyber claims case study: Two policies for the price of one

What happens if you suffer multiple cyber attacks within the same policy period? With CFC's unlimited reinstatements, you'll be covered for them all.

Cyber Case study 8 min Wed, May 22, 2024

Organizations are facing more cyber threats than ever before, with the potential for multiple attacks over the course of a year becoming increasingly common. For typical first-party covers in traditional insurance lines—such as property damage or traditional crime policies—policy limits and sums insured tend to be automatically reinstated following each claim, allowing the policyholder to claim up to the limit for every claim they make.

Yet traditional cyber insurance policies have been written on a single aggregate limit basis: as each claim is made under the policy, the policy limit erodes. Once this limit is exhausted, there is no money left for any subsequent claims during that policy period, potentially leaving the insured vulnerable should another cyber attack occur.


At CFC we recognized it was time for change. We moved to close this protection gap, providing cover on an unlimited reinstatements basis for all our first-party cyber covers for SME businesses—just like for this vehicle-part manufacturing firm, which suffered two significant cyber losses in a single policy period.

The first attack: ransomware

Almost all businesses have a cyber exposure, and this manufacturing firm was no different. Cybercriminals exploited a vulnerability in the manufacturer’s virtual private network (VPN) software, allowing them remote access to the insured’s network without the requirement for a username, password and a second authentication method. They then escalated their privileges by using a password scraping malware to obtain domain administrator account credentials. Now with admin access they launched an encryption software across multiple servers and left a ransom note demanding $750,000 of bitcoin be made in exchange for the decryption key.

Upon discovering the attack and ransom note the manufacturer immediately notified CFC’s incident response team. Our first priority was to establish the status of the manufacturer’s back-ups. Fortunately, the manufacturer had viable back-ups they could use to restore systems. Given the sizeable cost of the ransom demand and the fact back-ups were available, the business decided not to pay the ransom demand and looked to begin recovering from back-ups instead.

Recovering from the incident

Rebuilding affected servers takes time. It would be several weeks before operations were back to normal, and since they were locked out of enterprise resource planning (ERP) software— used to process orders, manage stock, outline production schedules and arrange for the transportation of goods—the manufacturer had to resort to manual processes. This resulted in having to pay their staff for working overtime, increasing costs. The downtime also put off customers from placing orders, encouraging them to go to competitors, increasing short and long-term financial losses for the business.

Though the insured had only purchased a $1 million policy limit, their CFC cyber policy covered all of these costs.

Financial impact

In total, the financial losses associated with the incident came to just over $1 million. This included over $600,000 in loss of income, $200,000 in staff overtime costs, $200,000 incurred to restore from back-ups and carry out a forensic investigation and $36,500 in legal counsel. Though the insured had only purchased a $1 million policy limit, all of these costs were covered by their policy with CFC.

That’s because our cyber policies for SME businesses provide two separate limits: the incident response limit, covering all costs associated with responding to and containing a cyber event, such as legal advice, forensic investigations and notifying affected individuals; and the policy limit itself, covering all other potential costs, such as business resumption services, loss of income, funds transfer fraud, liability actions and regulatory fines and penalties.

The second attack: social engineering

With the incident behind them and business gradually returning to normal, the manufacturer then fell victim to a funds transfer fraud loss through a social engineering scam. A key supplier of the manufacturer had their system compromised by hackers, leading the insured to receive a phony email asking them to transfer $200,000 for an outstanding invoice to the hacker's fraudulent bank account. As the email was part of an existing email chain it seemed legitimate, and the money was transferred. Despite efforts to try and reverse the payment, the funds were unrecoverable, leaving the insured $200,000 out of pocket. Once again, the manufacturer turned to CFC to assist them with the incident. 

Had their cyber policy been written with an aggregate policy limit in place, there would have been no funds available for reimbursing the loss, as the insured’s $1 million policy limit would already have been fully eroded by the ransomware attack. Fortunately, CFC’s policy was provided on an unlimited reinstatements basis, ensuring that the manufacturer had access to the full policy limit and incident response limit, meaning they were reimbursed for the full $200,000.

Learning and policy benefits

This case highlights the value of having a separate limit in place for cyber incident response costs. It’s not uncommon for an insured to use up most of the limit simply responding to and rectifying the incident, leaving little left for any consequential losses. That’s why CFC offers a separate incident response limit for SMEs on our standalone cyber policy as standard, providing businesses with two types of limits per each incident.

It also demonstrates the importance of having unlimited reinstatements on a cyber policy. With cyber-attacks growing in frequency, the chances of being hit by more than one cyber event during the policy period are only growing. In the event the incident is severe enough to significantly erode the insured’s policy limit, having an aggregate limit in place can leave the policyholder financially exposed to any other cyber attack within policy period. In response, CFC offers unlimited reinstatements for SMEs on our standalone cyber policy as standard, giving businesses a new reinstated policy and incident response limits for each unconnected claim within the policy period.

To learn more about unlimited reinstatements, check out our supporting article or get in touch via cybermarketing@cfc.com.

 

 

Legal Disclaimer: These examples are intended for illustrative purposes only and not intended to address the circumstances of any particular insured. Each claim submitted to CFC by an insured is based on the terms and conditions of the coverage provided to that particular insured and the facts and circumstances relating to a particular claim.