At Coalition, we spend a lot of time and energy helping policyholders strengthen their security posture because we know how damaging a cyber incident can be.

The average claim cost for small businesses is over $108,000, and in many cases an incident is beyond their control — even those with top-notch security can experience a claim.

Yet, though cyber incidents can seem inevitable, the speed with which an organization responds to an incident (whether real or perceived) can have a major impact on the outcome. To illustrate this, I’d like to share two recent cases of policyholders that responded to cyber incidents differently and, as a result, had far different experiences.

Tale #1: Quick reporting pays off

After noticing suspicious alerts on their Endpoint Detection and Response (EDR) technology, a midwestern municipality contacted us with concerns about a potential ransomware event. They couldn't tell what was triggering the alerts, so they played it safe: they shut down their systems and called the Coalition Claims hotline.  

Working with counsel, Coalition Incident Response (CIR) began investigating the incident immediately and helped the municipality get its systems back up within 48 hours of the initial call. In less than two weeks, CIR completed a thorough investigation, determined no malicious activity occurred, and helped the municipality reconfigure its EDR to avoid similar alerts in the future.

Time matters. The faster we can investigate, the better chance we have of stopping a threat actor in their tracks and preventing a full-blown incident.

By taking swift action and contacting us, the municipality was able to rule out the potential threat, minimize downtime, and quickly resume business activities.

Although no incident occurred, the municipality exercised sound judgment by being extra cautious and ensuring they were safe. Best of all, the breach response was covered under its cyber insurance policy, which significantly reduced the cost of the claim.

Tale #2: Delays and indecision results in further loss

After being unable to properly fulfill and ship orders, a pet supply manufacturer contacted its third-party IT vendor for technical support. The business' systems were encrypted, and the two parties spent four days trying to regain access to the network. They even considered using a decryption company, but ultimately decided to call Coalition.

During the course of the investigation, CIR determined that the manufacturer was actually double encrypted by two separate ransomware groups. Ignoring the recommended course of action of rebuilding from clean backups, the manufacturer opted to pay the threat actor. In response, Coalition paid a total of $122,000 for the ransom payment. In the end, the threat actors never provided a decryption key, and the manufacturer had to revert to the recommended course of action, rebuilding from backups. 

Trying to avoid reporting a claim, the manufacturer wasted multiple days searching for their own solution. Due to the delay in reporting the claim to Coalition, the manufacturer began to feel the pressure of being unable to operate their systems, which caused them to ignore seasoned advice and make a hasty decision. Not only could the manufacturer have resumed business operations sooner by restoring from backups, but they may have also avoided the second ransomware event entirely if they immediately contacted Coalition.

To date, this cyber claim has amounted to $332,907 in ransom payment, breach response, data restoration, and business interruption costs, all of which are covered under their Coalition policy. What's not covered under our policy is the stress and hardship that comes with a cyber incident, like damaged relationships with valued customers.

With cyber incidents, every minute counts

Despite the different responses in these cases, Coalition was able to provide both organizations with impactful support that was covered by their policies. However, the lesson here is simple: every minute counts.

Even if a situation doesn't feel particularly urgent, it's important to remember that threat actors move quickly, and a swift response can enable more options for resolution, which leads to better outcomes for everyone involved.

As a broker, you can support your clients by helping them understand the resources they have available and how to utilize them. Upon binding a policy with Coalition, we recommend reminding your clients to contact us the moment they suspect something isn't right.

Our Claims and CIR teams are on-call around the clock to respond to inquiries and incidents. For additional information or support, visit coalitioninc.com/incident-response.