Live Webinar 11/20: SMB Cyber Survival Guide 2025

Revisiting the value of cyber insurance

Coalition Blog-RevisitingTheValueOfCyberInsurance

As a broker, you are a trusted advisor to your clients. They seek your advice on more than just how to select the correct cyber insurance policy. They want to know how they will be supported in the worst-case scenario if they are hacked and what a cyber event may cost them.

Using a ransomware event as an example, many businesses think of this as a short-term problem and that paying the ransom or securing the network is the end of the matter. However, cyber incidents can be long-tail problems, and the cleanup can span months. The cost to remediate a ransomware claim has continued to rise over the last few years. Our 2022 Claims Report found ransomware claims severity increased 10.5% to $333k — and this figure is more than just paying a ransom.

In this post, we're going to demystify the hidden costs associated with the process of a digital investigation, explain how a cyber insurance policy can help facilitate a successful investigation and response, and help set expectations surrounding the complex remediation process.

Immediate costs of a cyber incident 

Data exfiltration occurs when threat actors gain unauthorized access to your business data and then copy or remove it from your network. A variety of cyber incidents — including a simple business email compromise or ransomware attack — can open the door for data exfiltration. From that point, threat actors may release the data onto the dark web, the public internet, or hold it hostage for ransom.

As ransomware has proliferated over the last few years, companies are increasingly aware that maintaining good offline backups can mean the difference between paying the ransom and independently resuming operations. However, backups alone are not a silver bullet in incident remediation. While having tested, working backups can help you get back up and running quicker, that doesn't necessarily expedite the investigation process. It just means that your organization can resume operating and continue earning revenue or providing your services again. 

As part of remediating incidents that involve data exfiltration, Coalition's claims and incident response teams will often contract data mining vendors. Data miners comb through exfiltrated records — which can include exorbitant quantities of data — to determine if personally identifiable information (PII) or personal health information (PHI) was exposed. The costs associated with using data mining vendors may vary, and often depends on how much data was exfiltrated. Organizations may find it more economical to notify an entire population as opposed to reviewing the data to find specifically impacted individuals.

When taking into account the sheer volume of data that businesses today gather and the sensitivity of that data for industries such as healthcare, credit, or government, it is possible for data mining to cost more than the ransom itself. 

Special notifications and regulatory fines

Another hidden fee of cyber incidents is the cost associated with communicating with regulatory entities. During the process of discovery and reporting the incident to required authorities, the claims team enlists the help of external breach counsel. Breach counsel assists with the notification process associated with reporting the leak of sensitive data. Different types of data have different legal and regulatory reporting requirements. 

Laws such as the Health Insurance Portability and Accountability Act (HIPAA) have reporting requirements, and breach counsel must communicate incidents or violations to the U.S. Department of Health and Human Services, Office for Civil Rights (OCR). Countries such as Canada and the UK have their own laws governing these sorts of breaches. According to the HIPAA Journal, as of April 2022, 22 healthcare data breaches have been reported. Half a million individuals were impacted by these breaches, with hacking and IT incidents being listed as the root cause for 73.2% of breaches.

As part of the notification process, companies may be recommended to provide credit monitoring services for the individuals whose data was exposed during the breach. Negotiating the costs and setting up these services will also be handled by the breach counsel and claims team.

For example, in August 2021, T-Mobile reported a data breach of PII involving roughly 40 million former or prospective customers. T-Mobile's notification included a public statement and several offerings to those impacted — including identity protection services, scam-blocking services, and account takeover protections for customers.

Long-tail ramifications

No business wants to find itself wrapped up in a legal dispute, especially one resulting from a cyber incident. Sadly, it is possible for businesses to be sued as a result of a data breach, either by individuals or via a class action lawsuit. The lag time for such an event depends entirely on the notification process (e.g., breach, data mining, notification, credit monitoring services) and the state or province.

Notably, U.S. credit reporting agency Equifax experienced a data breach in 2017 impacting 147 million people. A class action lawsuit was filed and a settlement judgment was issued in January 2020. In addition to potential payments, impacted parties were also entitled to free identity restoration services.

How a partner in the claims process can help

It's understandable that comprehending the duties of the claims team and the number of steps associated with remediating an incident may seem overwhelming. Coalition works with a panel of providers including breach counsel and forensic vendors to assist with a digital investigation from beginning to end. While there is a wide range of costs associated with fully remediating an incident, our leading team of in-house and panel experts helps to mitigate the cost issue and support the insured organization through this complex process.

Experiencing a cyber incident can be overwhelming for your clients. To help them begin the remediation and recovery process report any potential incidents to Coalition Claims.