Exclusive first look at Coalition’s new cyber claims dataGet the 2024 Cyber Claims Report

Coalition Claims Chronicles: Special counsel required to handle data breach


The last thing you want is to have your business disrupted by a cybersecurity failure. Nobody expects to be the victim of a ransomware attack, funds transfer loss, or data breach. But, once a cyber incident occurs, it’s important to know you have a team of experts ready to help you figure out what happened — and what happens next. This series shares real stories from Coalition policyholders who navigated a cyber insurance claim. The organizations will remain anonymous to protect their privacy and security.

Ransomware is more than just a type of malware — it is a criminal business model which allows attackers to profit by holding their victim’s data hostage. By now, we are all familiar with the most common risks associated with ransomware: loss of critical information and business interruption. However, when ransomware attacks involve data access and exfiltration, organizations face another type of risk: data breaches.

A quick ransomware recovery

Early on July 10, 2021, the IT director for a construction company was surprised to discover their systems were inaccessible and their files encrypted  — they had been hit by HelloKitty ransomware. After discovering a ransom note, the policyholder shut down the impacted systems and contacted Coalition.

Forensic investigation determined that the threat actor compromised the policyholder via Sonicwall VPN, a tool used to facilitate remote access of Windows computers. Thankfully, the policyholder had backups of their mission-critical data and worked through the night to successfully restore systems in enough time for employees to resume work with minimal impact. Further, because the backups were viable and unaffected by the ransomware, there was no need to pay the ransom for a decryption key. Instead, the Coalition panel forensic vendor installed Carbon Black, an Endpoint Detection and Response (EDR) solution, to monitor their endpoints and prevent reinfection. Next, a manual data review vendor and breach counsel reviewed the exfiltrated data in preparation to notify individuals whose personal information was impacted.

When data exfiltration triggers reporting notifications

Ransomware attacks most commonly involve encrypting or deleting data stored on the victim’s network. However, it is becoming increasingly prevalent for threat actors to simultaneously exfiltrate data, transfer it to their external servers, and threaten its release or publication if the ransom is not paid. In this instance, the investigation revealed the threat actor had exfiltrated about 65,000 documents from the insured, which needed to be manually reviewed for whether they contained protected information which would trigger notice obligations. As part of our Breach Response coverage, Coalition helped bring in a data mining vendor to work with the policyholder. The vendor helped review the files to determine the impact and worked with breach counsel to determine what reporting notifications the policyholder would need to follow.

Depending on the industry and the location of the organization and impacted individuals, data breaches have a variety of reporting requirements. For example, the policyholder’s business operations spanned construction, manufacturing, and warehouse distribution. Their customers included the Department of Defense (DoD), which has unique and stringent notification obligations for security incidents. This meant the policyholder had to file a notification with the DoD, as required under Defense Federal Acquisition Regulation Supplement (DFARS).

DFARs is a set of regulations protecting the confidentiality of Controlled Unclassified Information (CUI) and applies to all DoD contractors. In this case, the policyholder had to work with counsel who had highly specialized DFARS knowledge and licensing. Additionally, Coalition panel breach counsel helped the policyholder notify and set up credit monitoring for the roughly 850 current and previous employees impacted by the data breach.

Have a plan for data breach prevention and remediation

A fundamental but uncomfortable truth about modern digital business is it’s not a matter of if you come under cyber attack but when. Attacks could be persistent, or your organization may be a target of opportunity. So having a plan in place before an incident occurs is critical.

Cyber criminals often seek to avoid detection, striking during long weekends or off-hours. A well-documented incident response plan is essential and must include specific steps for dealing with data breaches and cybersecurity controls designed to reduce the likelihood (e.g., robust patch management) and impact of a breach (e.g., data encryption).

Coalition offers a wealth of resources to help businesses implement good cybersecurity practices, including our Cybersecurity Guide, which outlines the basic tenets of a cybersecurity program — a critical factor in reducing your organization’s cyber risk.