Cyber risk is manageable. We repeat this mantra to brokers, policyholders, and anyone else who’s willing to listen. But it’s only manageable if everyone involved is on the same page. 

When Coalition detects a new cyber threat, we immediately notify our policyholders and encourage them to swiftly remediate the risk. Similarly, if a policyholder notices something unusual, we want them to promptly report it so we can help.

Speed and responsiveness are essential when it comes to managing cyber risk … yet some don’t call us until it’s too late.

There are many reasons businesses may hesitate to report suspicious activity. Some might not realize how serious an issue is, while others simply deny that anything is wrong. But time and time again, we find that businesses are largely unaware that Active Insurance is intentionally designed for policyholders to ask questions and seek guidance without fear of triggering a costly investigation. 

Businesses often equate reporting suspicious activity with filing a formal claim for coverage, but that’s not always the case. As champions of cyber insurance, brokers and insurers must work together to normalize the reporting of suspicious activity and encourage businesses to use the resources at their disposal.

Below, we’ll explore exactly what happens once a matter is reported and how timely reporting can significantly reduce the likelihood of a bigger problem.

Timely reporting results in positive outcomes

Businesses have been conditioned to be judicious in what they report under other types of insurance policies out of concern for substantial costs, increased premiums at renewal, and other repercussions. Yet, Coalition’s approach to cyber insurance is different.

With cyber insurance, timely reporting can be the deciding factor in whether a matter develops into a costly claim. In fact, 52% of all matters reported to Coalition in 2023 were handled without any out-of-pocket payments by the policyholder.

We necessarily open a claim file when a policyholder reports a matter to Coalition — regardless of whether it’s a claim or incident that falls within coverage, an event that doesn’t qualify for coverage, or merely suspicious activity. However, for anything other than a claim or an incident, the policyholder’s loss run will show a $0 amount.

Streamlined response to reported incidents

If a policyholder encounters something suspicious, like a phish-y email, we encourage them to contact us immediately. And if we’re going to ask policyholders to contact us at the first sign of concern, it’s only right that we respond with the same expediency. 

Coalition’s 24/7 claims hotline is staffed around the clock, and policyholders are able to get help at any time of day. Our full response typically happens in three phases: assessment, investigation, and recovery.

1. Assessment: When a policyholder reports a matter to Coalition, our claims handlers provide an initial assessment and triage the matter. The primary goal is to determine if the policyholder is facing a security threat that needs to be investigated by a forensic IT expert, like Coalition Incident Response* (CIR). If necessary, the claims handler may connect the policyholder with a privacy attorney who works with CIR and the policyholder to investigate the business’ network infrastructure and email accounts to determine if a breach occurred.

2. Investigation: If a breach is confirmed, a full investigation is needed. For ransomware, extortion, and business email compromise events, incident responders partner with breach counsel to inspect how and where the compromise originated. The claims team is involved throughout the investigation.

3. Recovery: After the forensic investigation, policyholders may request additional support for remediation and restoration or recommendations on how to improve their security posture in the future.

What differentiates Coalition’s streamlined process from other cyber insurance providers’ processes is the extent to which CIR can assess potential security concerns without launching a full-blown investigation or requiring the policyholder to pay out of pocket.

“Every case is different, but most of the time, we’re looking for confirmation of compromise,” said Leeann Nicolo, Incident Response Lead at Coalition Incident Response. “This could be successful logins to a network by a threat actor (instead of just attempts), emails being sent by a threat actor using a client’s email address (instead of a spoof), or any other indication that a compromise was successful.”

Active Insurance is intentionally designed for policyholders to ask questions and seek guidance without fear of triggering a costly investigation.

Extensive pre-claims services

Every Coalition policy includes access to initial breach response services from Coalition and two hours of consultation from our panel breach counsel to help remove ambiguity about accessing pre-claims services, including legal, forensic, and IT support. These services can help address security concerns before they develop into active breaches, an approach that’s financially beneficial for both Coalition and policyholders: 

• Policyholders can use pre-claims services without depleting their policy limits, thereby reducing their potential out-of-pocket expenses.

• Coalition can use pre-claims services to prevent larger losses and maintain lower overall costs associated with cyber claims.

“If a policyholder has a $100,000 Self-Insured Retention, they’re probably going to be more hesitant to report a matter because they don't want to incur costs,” said Milan Radosevic, Claims Manager at Coalition. “Businesses with higher Self-Insured Retentions are also typically bigger operations with capable internal IT teams, so they may feel inclined to address issues themselves. This is exactly why we provide pre-claims services.”

Pre-claims services come into play during the assessment process. If a claims handler is uncertain about the severity of a matter, they may ask CIR to evaluate the matter for additional clarity. 

“Spoofed emails are the things we see most often that don’t end up resulting in a claim,” said Nicolo. “Conversely, we see many instances of ransomware in which the policyholder waits until encryption is present to contact us, rather than alerting us upon the first indication of suspicious activity.”

Empowering policyholders to reach out is necessary when triaging and mitigating risks that have the potential to develop into larger claims. Matters that are resolved before evolving into costly losses appear on the policyholders’ loss runs but show a $0 loss. Zero-dollar losses on closed claims are generally viewed the same as loss runs with no claims at all.

Clawing back stolen funds without filing a claim

When a policyholder contacts Coalition to report a funds transfer fraud (FTF) event, we work to recover money on behalf of our policyholders. Threat actors typically attempt to move stolen funds across various jurisdictions to cover their tracks, so we work with U.S. government entities to track down the funds, stop payments, and “claw back” the money. 

The first 48 hours are critical to a successful FTF clawback. If we’re notified of the event promptly, we have a significantly higher chance of recovering the funds. In 2023, Coalition successfully clawed back more than $38 million in fraudulent transfers with an average recovery of $470,000 in instances where recovery was successful.

“FTFs are unique from a claims perspective because two different things are happening in parallel. In addition to attempting to claw back the funds, we have to consider the possibility that the event occurred as a result of a compromised email account,” said Radosevic. “In some cases, we’ll tap CIR to take a look and see if a full investigation is warranted."

FTF events can also happen without inbox compromise, which means a successful clawback can result in a $0 loss. In one case, Coalition successfully clawed back all but $405 in a $3.5 million FTF incident in which the policyholder never had to seek coverage for a loss.

Brokers can empower clients to report suspicious activity

Pre-claims services can significantly enhance a business’ security posture, not only helping to immediately address security concerns but also preparing them to better handle future threats.

Where other cyber insurance providers may wait until a policyholder experiences a loss and then reimburse the loss after the fact, Coalition takes an active approach by trying to help them avoid losses in the first place. 

But it all depends on swift and timely reporting.

Cyber insurance policyholders should always feel comfortable reaching out and asking questions — even if they’re unsure of what’s wrong. Coalition employs experts in claims handling, cybersecurity, and incident response, so that we can provide immediate support.

Reporting suspicious activity can be the difference between a full recovery and a multimillion-dollar cyber claim. The more brokers and cyber insurance providers promote this concept, the better off our industry will be.

This article originally appeared in the May 2024 edition of the Cyber Savvy Broker Newsletter. Subscribe to the newsletter to receive future editions directly in your inbox as we explore the most up-to-date and noteworthy topics in cyber insurance.

*Coalition Incident Response is an affiliate firm made available to all policyholders via panel selection.

This communication is not a proposal of insurance. This communication is designed to provide general information on the topic presented and is not intended to construe or the rendering of legal or other professional services of any kind. If legal or other professional advice is required, the services of a professional should be sought. The views and opinions expressed as part of this communication do not necessarily state or reflect those of Coalition. Neither Coalition nor any of its employees make any warranty of any kind, express or implied, or assume any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, product or process disclosed. Any action you take upon the information contained herein is strictly at your own risk. Coalition will not be liable for any losses and damages in connection with your use or reliance upon the information. 

Insurance products are offered in the U.S. by Coalition Insurance Solutions Inc. (“CIS”), a licensed insurance producer and surplus lines broker, (Cal. license # 0L76155) acting on behalf of a number of unaffiliated insurance companies, and on an admitted basis through Coalition Insurance Company (“CIC”) a licensed insurance underwriter (NAIC # 29530). See licenses and disclaimers. Copyright © 2024. All rights reserved. Coalition and the Coalition logo are trademarks of Coalition, Inc.