The saying, “Time is of the essence,” is especially true when recovering from a cyber incident. Every hour that passes can result in increased damage to an organization’s systems, finances, and reputation.

The sooner a policyholder alerts us to a possible cyber incident, the more likely we can intervene and aid in mitigating cyber or financial damage.

In a ransomware scenario, for example, early notification enables us to handle all communications and negotiations with the threat actor — events that can be very stressful and carry costly consequences. It also allows our digital forensics team to discover the root cause of the network infiltration, ensure that the threat actor is out of the network, and make recommendations on how to improve security controls to help prevent future attacks. 

However, if a policyholder waits too long to contact us or attempts to resolve matters on its own, it can limit our ability to respond efficiently and effectively. Let’s look at a recent cyber claim Coalition received that illustrates the importance of timely notification.

Data restoration is only half of the battle

When a law firm was hit by ransomware, the first call was to notify its managed service provider (MSP). The firm had viable data backups and hoped to restore its systems on its own. Coalition Claims eventually received a call about the incident after the data was around 75% restored.

During that first call, Coalition Claims recommended the retention of counsel and a full forensic investigation. Unfortunately, the law firm didn’t want to move forward, as it thought it was almost fully operational. Unfortunately, the threat actor threatened to publish data they had exfiltrated: not only names and addresses, but also highly sensitive client information. At this point, the firm engaged counsel and  Coalition Incident Response (CIR) to launch an investigation and consider their next steps.

At the onset, the threat actor demanded a six-figure ransom. They said the price would increase if payment was not received in a timely manner and that they would eventually leak the stolen data. The threat actor said they exfiltrated a specific amount of data, but when asked for proof, they showed CIR a list that comprised much more data than the previous amount stated. All the while, the firm was becoming increasingly anxious about the inconsistency and uncertainty around what data was actually compromised.

Ultimately, we negotiated the ransom down to less than half the demand, which was fully covered by the law firm’s policy. However, the firm still needed to know what data was accessed to properly (and legally) notify its clients. CIR pressured the threat actor for a data tree and, after much pestering, eventually received a screen-captured video of the threat actor deleting the files. CIR confirmed the amount of data stolen was equivalent to the amount the threat actor stated they had taken.

Notifying Coalition at the first sign of a cyber incident gives businesses the greatest chance at recovering without significant loss, while delays give threat actors a greater opportunity to inflict damage.

Early notification is the best way to minimize damage. The inclination to prioritize resuming operations after a cyber incident is understandable for any organization. In this case, the law firm’s MSP did a commendable job helping it recover and become operational again. Unfortunately, restoring from backups data won’t prevent threat actors from leaking data.

By not contacting us promptly, the law firm allowed its MSP to wipe valuable evidence that prevented CIR from putting together a forensic timeline and fully reconstructing the incident. Without a complete picture, CIR had a difficult time ascertaining which systems had been accessed and what data was exfiltrated. 

Delays create opportunity to inflict damage

There’s no way to say for certain that contacting us promptly will prevent a threat actor from releasing exfiltrated data. But our incident response experts have a strong track record and extensive negotiating experience — on average, we successfully negotiate ransomware payments down by 73%. 

The lesson here is that notifying Coalition at the first sign of a cyber incident gives businesses the greatest chance at recovering without significant loss, while delays give threat actors a greater opportunity to inflict damage.

So what can you do to help? Every Coalition policyholder should have readily available access to the Coalition Claims Hotline. This ensures they can get in touch with us at a moment’s notice. We encourage everyone to exercise caution — we don’t mind if you call and it’s a false alarm — rather than waiting until it’s too late.