Most businesses were forced to make hard pivots in 2020 as a direct result of the global pandemic. Some needed to close down completely, others moved their entire operation to a fully remote environment, and some chose to shift their business model altogether. One alcohol manufacturer decided to switch from producing alcohol for consumption to the production of hand sanitizers and other cleaning goods to meet the demand resulting from COVID-19.
In May of 2020, in the early hours of the morning, the network at one of their plants was having issues. They called their processing engineer and saw a strange file — ‘Name-WASTED.’ The file directed them to click a link. Luckily they didn’t open it. They called their IT provider immediately.
Diagnosis, ransom negotiations, and system recovery
This manufacturer was working on a SCADA system. SCADA (supervisory control and data acquisition) is a system that manufacturers and other industries use to control industrial processes, both locally and remotely, and to monitor, gather, and process real-time data. SCADA is essentially the heart of an operation.
After noticing the file and the subsequent encryption of their systems by ransomware, the insured contacted Coalition. We quickly reached out to a forensic firm and a negotiating entity, who contacted the threat actor to start negotiations.
The initial demand by the threat actor was $2,300,000. That’s a huge price to pay for any business. While we knew we needed to negotiate the ransom down, more needed to be done to diagnose the attack and craft a recovery plan.
To keep the insured moving forward, we had three crucial processes happening simultaneously: 1. forensic work, 2. negotiations, and 3. on-site data restoration.
As part of the first prong, we worked with the insured and the forensic vendor to start gathering relevant information and to confirm, most importantly, that the threat actor was out of the system. At the same time, we worked with the negotiation team to start negotiations with the threat actor. Negotiations moved forward, reducing the demand from $2.3M to $705,000, and ultimately, $609,000.
That’s a $1,700,000 difference — more than enough to completely ruin a normally healthy business. And finally, we worked tirelessly to find a solution so that the insured could bring some systems back up and continue working; this included locating and verifying backups.
The effort to find a solution to bring the insured’s production system back online was urgent, and when an industrial system is down, that downtime causes property damage. Parts dry out, water is stale, and the list goes on. So, even if a company’s computer system is back up and running, a company may not be operational. While other carriers may not cover this type of loss, Coalition covers business interruption due to property damage.
Tip: All policyholders with an issue, please call 24x7 toll-free at +1 833 866 1337 or email firstname.lastname@example.org. The sooner, the better.
In this case, the above is exactly what happened. Coalition was able to bring the computer system back online, but the industrial system (the machinery) had suffered harm and could not come back online until parts were replaced or repaired. Because this insured had the proper endorsement, we covered the cost of their business interruption and the extra expenses from the repair. Without the endorsement, the business interruption arising because of the property damage would not have been covered.
Ultimately, this insured maxed out their policy. This isn’t the ideal situation, but we were glad we could help this policyholder during their time of need. Coalition will pay for the losses you incur due to the impairment or loss of use of tangible property that results from a security failure. We won’t cover the cost of the property itself, but we can help make up for the time lost while your organization recovers from a cyber event.
Most cyber insurance carriers don’t offer a BI/PD endorsement because such losses are traditionally covered under property policies. But we understand how complex cyber incidents (and the losses incurred) can be for policyholders. We saw a gap in standard cyber coverage and decided to fill it.
How cyber insurance can help protect your business
Cyber insurance covers many expenses relating to ransomware, including:
Cyber extortion: Costs to respond to an extortion incident, up to and including payment of a ransom demand.
Breach response: Costs to respond to a security failure or data breach, including third-party incident response and public relations experts, customer notification costs when required by a privacy statute or regulation, credit monitoring, media purchases, and legal fees.
Business interruption and extra expense: Financial losses resulting from a failure in your security, data breach, and even systems failure, as well as the extra expenses you incur to bring your company back online.
Crisis management: Voluntary notification costs when no PII was accessed but the client still wants to provide notification or credit monitoring services to their customers.
Digital asset restoration: Costs to help recover or recreate digital assets that have been destroyed via the encryption and/or decryption process of the ransomware event.
Learn more about Coalition
Just when you think your policy covers everything, you need to think about all tangential losses that can occur. We offer the most comprehensive cyber insurance policy in the industry. We suggest you work with your broker and, based on your industry and exposure, make sure you’re getting the policy that’s right for you — without any gaps.
Our 2020 Cyber Insurance Claims Report explores top cybersecurity trends and threats facing organizations at this moment, in addition to data showing the impact of COVID-19 on cyber insurance claims.