Responding to and remediating cyber incidents is expensive work, and it’s common for the costs associated with handling these incidents to extend beyond the initial policy limit—leaving businesses exposed.
To confront this harsh reality, CFC cyber policies come with an additional limit solely for incident response costs as standard. The two towers of cover, along with offering initial incident response at nil deductible, are essential for giving businesses the comprehensive coverage they need to effectively recover from cyber incidents.
Here we’ll explore how the value of nil deductible and two separate limits come to life through five real-life claims examples across industries.
Healthcare
A provider of home respiratory care, medical and pharmacy services with a $3 million policy limit suffered a ransomware attack which impacted every one of its locations across the country and the thousands of patients they serve.
Since the healthcare provider had a cyber policy with CFC, they contacted our inhouse incident response team immediately, without fear of automatically triggering a claim. This enabled our team to begin remediation at an early stage, where it was found the threat actor had exfiltrated thousands of sensitive files and left a ransom demand in return for that data.
Incident response costs came to $376,000, including forensics into the incident. The policyholder decided that they had no choice but to pay the ransom and legal notifications had to be provided to more than 300,000 individuals. This led to a class action lawsuit, where the agreed settlement plus legal and administration fees and the business interruption loss amounted to more than $2.9 million.
With just one policy limit, the insured would have been left to cover more than $300,000. But since they had two towers of cover, one for incident response costs and one for business resumption, they received financial cover for the entire incident.
Manufacturing
An engineering manufacturer with a $1 million policy limit fell victim to a ransomware attack that encrypted its systems end to end and ground operations to a halt.
Because of our nil deductible clause, the manufacturer notified CFC as soon as they suspected an incident was occurring. After forensic work, our team found the ransom demand did not have to be paid and guided the insured through restoring systems using data backups. The incident still caused widespread disruption, with many facilities forced to reduce capacity and others unable to function altogether, while privacy notifications had to be sent to employees past and present.
The incident eroded the insured’s limit for incident response costs by just over $150,000, due to the forensic investigation and risk mitigation work. This sat apart from the business interruption claim, which was calculated by considering the loss of profit, system damage, rectification, the increased cost of working and reputational harm. These costs alone came to more than $900,000.
In all, the total costs associated with managing the incident overtook the original policy limit of $1 million by $60,000. But since $150,000 of those costs were attributed to incident response, the insured avoided making a payout and benefited from complete cover.
Retail, leisure and hospitality
A casino with a $2 million policy limit was targeted in a ransomware attack that encrypted its network, causing an outage and removing the possibility to restore systems from backups
.
After notifying CFC, our incident response team began to investigate the incident immediately. Both of the casino’s locations were unable to trade, as the incident disrupted the back-office systems connected to front-end gaming systems. The insured also lost out on food and beverage sales, due to the sale system being inaccessible. Therefore it was vital to get the insured back up and running as quickly as possible.
Our team found the system backups were unrecoverable, so there was no choice but to pay the ransom. Our experts helped to negotiate with the threat actor to agree on a reasonable ransom price, while a expert forensic accountant was needed to help calculate the insured’s business interruption claim. The extortion payment alone came to just under $2 million—the insured’s original policy limit.
Without a separate limit for incident response, the casino would have faced a $200,000 bill for these costs. However, the two towers of cover meant the insured had complete financial cover.
Education
A university with a $1 million limit detected ransomware on their network, which encrypted endpoint devices and a mass storage device.
With CFC’s expert support, the university managed to successfully restore systems from backups and was back fully operational in just five days. This meant the insured had no need for the decryption key, however the threat actor gained access to the university’s emergency alert systems and used it to warn individuals they would leak their sensitive data if the university didn’t pay the ransom demand. After negotiations, the insured made a ransom payment of just over $250,000.
Our incident response team’s forensic investigation discovered the information that had been accessed, and the insured had to notify over 20,000 impacted individuals. This led to a data breach class action lawsuit, resulting in a settlement of $500,000.
The settlement cost, legal fees, ransom demand and business interruption loss came to just under the $1 million limit. Fortunately, the additional incident response limit took care of the outstanding $110,000 costs, ensuring the insured had full cover.
Wholesale and distribution
A wholesale distributor of medical equipment with a $2 million limit was targeted in a ransomware attack that encrypted, one fifth of its servers, significantly disrupting its supply chain and hampering its ability to fulfil orders.
After notifying CFC, our incident response team supported the wholesale distributor’s MSP in restoring impacted servers through backups, avoiding the need to pay the ransom demand; though the restoration process was complicated by the need to obtain offsite backups, assess the backups and move them onto a clean environment. Systems were fully recovered in 11 weeks, during which the insured struggled to meet delivery obligations and generate revenue—also posing the risk of losing customers to competitors.
Our forensic investigation found it was unlikely the threat actor had exfiltrated sensitive data, and so a data breach had not occurred and no data notifications were required. This saved time and money, however the business interruption claim plus data rectification costs amounted to just less than the $2 million limit, with the additional incident response costs totaling $140,000.
At a time when recovering from a disruptive event, the insured would have been left to cover more than $100,000. However because of CFC’s separate limit for incident response costs was covered, helping the insured get back on its feet.
Find out more about CFC incident response costs in this article. For more tips on how to stay ahead of rising cyber threats, explore CFC’s website or get in touch with our cyber team.
Legal disclaimer: These examples are intended for illustrative purposes only and not intended to address the circumstances of any particular insured. Each claim submitted to CFC by an insured is based on the terms and conditions of the coverage provided to that particular insured and the facts and circumstances relating to a particular claim.
