cyber insurance Claim examples
What are the claims?
Cyber breaches and incidents are becoming more and more common. Here are some examples of incidents, their business impact, and the cyber insurance coverage that could respond to the event.
Claim Example #1:
Summary: A multi-location company released sensitive employee information via a phishing attack. The attackers used a masked email address to appear as though the email request came from a legitimate internal senior employee. The email requested a HR employee to urgently forward sensitive employee information, including earnings and tax forms. The next week, the HR employee asked the senior employee (in person) about the request, which the senior employee was unfamiliar with and had not requested. At that time, the company reviewed the emails in detail and realized the information had been sent outside of the organization to an unknown third party.
Applicable Industries: All
Resulting Business Impact: The company incurred approximately $50,000 in direct costs to mitigate the breach’s impact on employees by offering credit-monitoring and identity theft protection services, as well as the associated consultation with a law firm on the impact, regulatory guidance, and next steps.
Applicable Cyber Insurance Coverage: Privacy Liability, Notification Expenses, Customer Support and Credit Monitoring Expenses, Privacy Regulation Fines & Penalties
Claim Example #2:
Summary: In 2013, an employee of a Canadian Financial Institutions regulatory body accidentally forgot a laptop on a train and was unable to recover it. The laptop contained the personal information of 52,000 investors linked to 32 firms. The laptop had a password but was not encrypted. Initial costs were driven by the cost to provide credit alerts, credit monitoring and support to affected individuals, and a dedicated call center. A class action on behalf of the affected individuals was filed shortly after the news became public, leading to an increase in legal defence and indemnity costs. While the motion for authorization of the original class action was dismissed in 2015; a new slightly modified motion for authorization was filed in November 2015 and was granted as of October 2017. The case is still open as of July 16, 2019 and has resulted in $5.6M of costs to date to the regulatory body.
Applicable Industries: Finance, Healthcare, Non-Profit
Resulting Business Impact: Efforts required to notify all effected individuals, Class Action Lawsuit, $5.6M total cost to entity
Applicable Cyber Insurance Coverage: Privacy Liability, Notification Expenses, Customer Support and Credit Monitoring Expenses, Privacy Regulation Fines & Penalties
Claim Example #3:
Summary: In May 2017, a global cyber attack affected over 200,000 computers in at least 100 countries. One of the most impacted entities was the UK National Health Service (NHS) with about 1/3 of their main hospitals impacted as well as a further 600+ NHS organizations including 595 General Practitioner practices falling victim. The attack used ransomware which proliferated amongst outdated and vulnerable Microsoft operating systems, locking data and applications while demanding a ransom. Microsoft had previously released patches to close the exploit, which appear to not have been applied by the NHS prior to the attack.
Applicable Industries: Healthcare, Social Services
Resulting Business Impact: The attack was stopped within a few days of discovery, however its impact was still very major. More than 19,000 appointments had to be cancelled, including the diversion of emergency ambulance services to other hospitals, costing the NHS approximately £20m. Nearly 1,250 pieces of diagnostic equipment had been infected. Furthermore, the NHS faced nearly £75m in the subsequent cleanup and upgrades to its IT systems with costs including staff overtime, additional IT support provided by local NHS bodies, IT consultants, and the cost of restoring data and systems affected by the attack. NHS believes that no patient data was compromised or stolen.
Applicable Cyber Insurance Coverage: Crisis Management Costs, Network Extortion, Privacy Liability, Notification Expenses, Customer Support and Credit Monitoring Expenses
Claim Example #4:
Summary: A large multi-location retailer was performing an update of the software on their Point of Sale (POS) machines. The vendor provided the update and security staff of the retailer analyzed the update, and then installed it. The company received a call from a large credit card company indicating a pattern of suspicious card activity, and indicated the retailer had likely been breached. The security team then began discovering that the malware had breached company systems. Forensics needed to ascertain what happened and then deploy the tools required to ascertain which systems were affected, and clean the malware off the systems.
Applicable Industries: Retail, Non-Profit, Industry Associations, any operation processing debit / credit cards
Resulting Business Impact: Business interruption from Inability to accept payment via cards. Notification costs, credit monitoring for affected individuals, forensics costs, and POS system remediation. In addition to these costs, the company faced a fine from PCI-DSS of $2M.
Applicable Cyber Insurance Coverage: PCI-DSS Assessment, Privacy Regulatory Fines & Penalties, Crisis Management Costs, Notification Expenses, and Customer Support and Credit Monitoring Expenses
Claim Example #5:
Summary: An auto manufacturer had to shutdown 13 auto manufacturing plants for about an hour after the Zotob Internet Worm entered its air-gapped operational technology environment via an infected laptop.
Applicable Industries: Manufacturing, Industrial
Resulting Business Impact: This resulted in automobile production across 6 states in the USA and approximately 50,000 assembly line workers to be idle for about an hour.
Applicable Cyber Insurance Coverage: Legal Expenses, Crisis Management Costs, Data Recovery, Network Security Liability.
Claim Example #6:
Narrative Summary: A registered nurse working in the maternity department at a Canadian health-care facility improperly accessed, copied, and sold the private information of more than 14,000 patients to financial firms. The financial firms are alleged to have used the confidential information on new mothers to try to sell them registered education savings plans, or RESPs, a form of tax-sheltered savings to pay for children's post-secondary education.
Applicable Industries: Healthcare, Finance, Social Services
Resulting Business Impact: Criminal charges were laid against the former employee as well as the financial firms who purchased the information. The applicable privacy commissioner reported in December that the hospital had "failed to comply" with their legal obligations to protect personal health information. The commissioner ordered the hospital to restrict the kinds of searches staff can perform on its database of health records and, among other things, to immediately conduct privacy training for all clerks. A $412-million class action lawsuit was brought against the hospitals on behalf of the impacted individuals in 2014, however the motion to certify was denied in 2019.
Applicable Cyber Insurance Coverage: Legal Expenses, Privacy Liability, Crisis Management Costs, Notification Expenses, and Customer Support and Credit Monitoring Expenses
Claim Example #7:
Narrative Summary: A ransomware attack hit a Canadian company that resells sensitive personal and business data collected by a provincial government. The attackers asked for ransom in order to decrypt encrypted files and inaccessible systems. At the time the incident was reported in the news no payment had been made and the company had been locked out of its system for more than a week. The company hired third-party experts to look into what happened and to rebuild the hacked system.
Applicable Industries: Professional Services
Resulting Business Impact: Thousands of customers and institutions were unable to access any information. It was reported that sources with knowledge of two competing firms noted that those two competing firms experienced an increase in business after the Company’s search function went down. It is not known whether or not any ransom was ultimately paid.
Applicable Cyber Insurance Coverage: Legal Expenses, Crisis Management Costs, Data Recovery, Network Extortion, Network Security Liability, Privacy Liability
If you have further questions on cyber incident examples and applicable coverage, please contact us.
Common Claims
Ransomware Extortion
Social Engineering
Privacy Breach
Rogue Employees
Regulatory Fines & Penalties