When a UK employee from a Canadian mortgage company noticed an outage through the VPN of a server, she alerted the IT manager in Calgary. The IT manager texted the Chief Risk Officer (CRO), and by the time he arrived at the office around 8 a.m., they were shutting down servers. The company had received a ransom note.

The CRO contacted Coalition to file a claim, and he elected to work with Coalition Incident Response Inc. (CIR)¹. CIR quickly began investigating and remediating the ransomware event.

Fortunately, the mortgage company still had access to client and mortgage data because the software was cloud-based, allowing them to carry out most of their work with only a handful of interruptions to their internet-based phones and servers.

By the second week of recovery, the CRO decided to negotiate the ransom to save client confidentiality data. “CIR was extremely professional, available, and gave us amazing guidance on what to expect in managing the ransomware event. Without their guidance, my stress level and blood pressure would have been almost crippling,” said the CRO.

The rebuilding of the company’s servers was particularly challenging. CIR connected the company with a restoration service to aid the single IT person working on the task. The CRO noted, “That was a real turning point because we were given a way to support our systems and get back online. Our team was wearing thin and probably would have broken at some point.”

CIR determined that brute-force entry into the company’s remote access software was the root cause of the ransomware attack. During the investigation and recovery, CIR shared a list of best practices and highlighted where the company should prioritize its security efforts moving forward.

In wrapping up the recovery, the CRO said, “This experience was traumatic on its own, but it would have been much more traumatic without my IT team, CIR, and feeling financially supported by our insurance.”

The mortgage company’s policy covered $29K CAD in Breach Response costs for CIR and breach counsel, $145k in Cyber Extortion for the ransom payment, and $17K for Digital Asset Restoration, totaling nearly $350K after their self-insured retention of $5K.

1. Coalition Incident Response services provided through Coalition’s wholly owned affiliate are offered to policyholders as an option via our incident response firm panel.

The claim scenarios described here are intended to show the types of situations that may result in claims. These scenarios should not be compared to any other claim. Whether or to what extent a particular loss is covered depends on the facts and circumstances of the loss, the terms and conditions of the policy as issued and applicable law. Facts may have been changed to protect the privacy of the parties involved.

Insurance products are offered in Canada by Coalition Insurance Solutions Canada Inc. (“CIS Canada”), a licensed insurance producer in all Canadian provinces, with a principal place of business in Vancouver, British Columbia, (Canada) license #LIC-2020- 0020925-R01) acting on behalf of a number of unaffiliated insurance companies. Insurance products offered through CIS Canada may not be available in all provinces. See licenses and disclaimers. CIS Canada receives commission from insurers listed on each policy in connection with the sale of insurance to the policyholder. Copyright © 2025. All rights reserved. Coalition and the Coalition logo are trademarks of Coalition, Inc.