The last thing you want is to have your business disrupted by a cybersecurity failure. Nobody expects to be the victim of a ransomware attack, funds transfer loss, or data breach. But, once a cyber incident occurs, it’s important to know you have a team of experts ready to help you figure out what happened — and what happens next. This series shares real stories from Coalition policyholders who navigated a cyber insurance claim. The organizations will remain anonymous to protect their privacy and security.

Einstein’s special theory of relativity states that the rate at which time passes depends on your frame of reference. He certainly did not envision cyber insurance claims, but if you’ve just discovered that your network was infected by ransomware, the passage of time is going to appear much faster than if you were perusing emails while drinking your morning coffee.

With cyber incidents, time matters, and the readiness of the response to the threat can be the difference between a non-event or widespread, persistent access to all parts of your network.

The 1-10-60 rule

Crowdstrike, a cybersecurity company, surveyed 1900 senior IT managers and security professionals and unveiled a metric that outlines the need for speed in responding to a cyber event: “Breakout Time.” This is the period of time that an organization has to detect and remedy an intrusion before the threat actor is able to move on from the initial compromised machine. Crowdstrike reported the average Breakout Time as 1 hour and 58 minutes. They also reported that the average Breakout Time of Russian nation state actors was 19 minutes.

This report and the urgency needed to properly respond to cyber threats was the premise behind the development of the 1-10-60 Rule:

1 minute to detect the breach or intrusion, 10 minutes to understand it, and 60 minutes to contain it

This is a rule that many organizations are unable to satisfy and is an unrealistic goal for even fully staffed IT departments. Smaller and medium sized businesses are at an even larger disadvantage as they do not have the in-house technical expertise or the funding to retain cybersecurity professionals and legal counsel on a 24/7 basis. Enter Coalition Claims and Incident Response (CIR).

Report early, report often

Our policyholders are not only our customers, but also our partners in solving cyber risk. We scan their networks from the outside for critical vulnerabilities, just as criminals do, and we alert them to these risks, but we cannot make our customers fix them. We have an industry leading claims and incident response team, but we cannot leverage our expertise if the incident or event is not reported to us. In order for Coalition to help our policyholders, we need to know when a suspected or actual cyber event has occurred.

Unlike other cyber carriers, there is no harm in reporting a matter to Coalition that doesn’t trigger coverage under our policy. In fact, 45% of the time we are contacted we’re able to resolve the situation without opening a claim. This is important as the policyholder does not incur any expenses, their limitation of liability is not eroded, and no claims show up on their loss runs when it comes time to renew their insurance coverage.

If there is something suspicious on your network or computer systems, report it.

Remember the 1-10-60 rule: Even if compliance isn’t feasible, every second counts when dealing with a cyber security event or incident. If there is something suspicious on your network or computer systems, report it. We often see threat actors compromising email systems first before moving laterally within a network so even if it appears the matter has been remediated, our experts can double-check the work to ensure that your network is clean and free of any intrusions.

A real ransomware nightmare

A policyholder was hit with a ransomware event over a weekend that encrypted a file server with critical business information. Fortunately the company had viable backups in a clean environment. Their IT consultant formatted the server and restored the files with no issues. However, the policyholder did not analyze the network for the intrusion vector and did not report the matter to Coalition.

Two weeks after the initial event, the threat actors used the same access vector to re-encrypt the network and made special care to get financial documents and all connected back-ups. They had no choice but to pay the ransom to recover the data. If we would have known about the initial attack, Coalition claims and CIR would have deployed an endpoint detection and response solution and shut-down the initial access vector, reducing incurred expenses and keeping money out of the hands of criminals.

How fast is fast?

Coalition aims to respond to reported matters in seconds, whether the claim or incident is reported through our toll free 24/7 claims hotline (+1.833.866.1337), our chat function, or our claims email (claims@coalitioninc.com). A policyholder’s email or phone call does not go to a call center or third-party vendor: you are speaking immediately with knowledgeable claims professionals and attorneys who will triage and assist with the incident right away.

This quick response time is one of the reasons Coalition has been able to assist Insureds in recovering 85% of their funds transfer losses.

Time is relative, but with our insureds promptly notifying us of incidents, and our speedy claims response time, we can change our frame of reference and slow down these malicious actors to keep them from financially hurting our customers.