Case studies

Cyber risks can hit businesses in a selection of ways and have differing effects on those impacted. To showcase this variation and how Tarian can assist we have provided case-studies on the coverage granted and service response below

Case study_1

Finance – Phishing incident

Coverage granted under Breach Event Costs and Claims Expenses

The Insured, who provides a peer-to-peer platform which allows individuals to lend money, discovered that the email account of an employee of the Insured’s finance team was compromised through a suspected phishing attack. The attack led to phishing emails being sent on the same date from the employee’s email account to around 200 recipients in an attempt to collect email credentials.

Case study_2

Real Estate – TCPA violation

Coverage granted under Breach Event Liability

A class action was filed against the Insured for alleged violation of the Telephone Consumer Protection Act after no consent was given to be contacted via telephone and/or text message, yet members of the class action were bombarded with calls and texts from an automatic telephone dialling system.

Case study_3

Education – Malware incident

Coverage granted under Privacy Breach Response, Customer Notification and Crisis Management

The Insured school reported to Underwriters that they had discovered malware which had been installed on the School’s Domain Name System (DNS) Server which hosts encrypted user passwords. Upon discovery, the Insured appointed a pre-approved Breach Counsel for assistance in handling the incident.

Case study_4

Professional Services – Network Outage / Business Interruption

Coverage granted under Business Income and Digital Asset Restoration

The Insured, who provides Intermediary services to the financial, energy and commodities market, notified Underwriters of a network outage issue which affected various server platforms across the world. The outage impacted IT systems across different Insured entities and each service experienced downtime for various times, ranging from 24 hours to 7 days.

Case study_5

Retail – Phishing incident

Coverage granted under Privacy Breach Response, Customer Notification and Crisis Management

The Insured notified its insurers that it had recently fallen victim to a phishing email incident of which approximately seven employees responded, providing their credentials. The Insured was quick to engage Breach Counsel and Forensics to conduct a review of the systems, which Underwriters acknowledged as reasonable and necessary.

Case study_6

Healthcare – Compromised server

Coverage granted under Breach Event

The matter concerned the deletion of an ERM database file from the Insured’s server, containing Protected Health Information (PHI). Coverage granted under Breach Event

Case study_7

Healthcare – Ransomware attack

Coverage granted under Privacy Breach Response, Customer Notification and Crisis Management

In late 2017, an insured discovered that an unidentified third party had launched a ransomware attack on a subsidiary company. It was discovered that although the ransomware was initially launched against the subsidiary it had subsequently spread to the parent company’s corporate servers.

Glossary of terms

Access control: Controlling who has access to a computer or online service and the information it stores.
Act of god: Natural causes directly and exclusively without human intervention and that could not have been prevented by any amount of foresight and pains and care reasonably to have been expected.
Addendum: A document setting out agreed alterations to an insurance contract.
Additional premium: A further premium payable by the insured as a result of policy amendment that may have increased the risk or changed the policy conditions or sum insured.
Adjuster: One who investigates and assesses claims on behalf of insurers (claims adjuster or loss adjuster).
Aggregate Limit of Indemnity: The maximum amount an insurer will pay under a policy in respect of all accumulated claims arising within a specified period of insurance.
Antivirus: Software that is designed to detect, stop and remove viruses and other kinds of malicious software.
App: Short for Application, typically refers to a software program for a smartphone or tablet.
Asset: Something of value to a person, business or organization.
Attacker: Malicious actor who seeks to exploit computer systems with the intent to change, destroy, steal or disable their information, and then exploit the outcome.
Authentication: The process to verify that someone is who they claim to be when they try to access a computer or online service.
Backdoor: Also known as a "Trap Door", a technical measure used by a software engineer to bypass security measures.
Backing up: To make a copy of data stored on a computer or server to lessen the potential impact of failure or loss.
Bitcoin: A decentralised, peer-to-peer, digital currency; created by process of mining, tracked in a public ledger.
Black Box Testing: Testing conducted against a system or network with only publically available information known before commencement of activity.
Blackhat: Term ascribed to unauthorised, usually malicious, access to computer systems or networks.
Botnet: A network of infected devices, connected to the Internet, used to commit coordinated cyber-attacks without their owner's knowledge.
Breach: An incident in which data, computer systems or networks are accessed or affected in a non-authorised way.
Bring your own device (BYOD): An organisation's strategy or policy that allows employees to use their own personal devices for work purposes.
Broadband: High-speed data transmission system where the communications circuit is shared between multiple users.
Browser: A software application which presents information and services from the web.
Brute force attack: Using a computational power to automatically enter a huge number of combination of values, usually in order to discover passwords and gain access.
Business continuity management: Preparing for and maintaining continued business operations following disruption or crisis.
Cancellation: Termination of a policy before it is due to expire. There may be a cancellation clause in a policy setting out the condition under which the policy may be cancelled by notice. The period of notice could be anything from 48 hours to 3 months. In most cases this will result in a return premium being paid by the insurer to the insured.
Certificate: A form of digital identity for a computer, user or organisation to allow the authentication and secure exchange of information.
Certification: Declaration that specified requirements have been met.
Certification body: An independent organization that provides certification services.
Chargeback: A payment card transaction where the supplier initially receives payment but the transaction is later rejected by the cardholder or the card issuing company. The supplier’s account is then debited with the disputed amount.
Claims: Loss to the insured arising so as to cause liability to the insurer under a policy it has issued.
Cloud: Where shared compute and storage resources are accessed as a service (usually online), instead of hosted locally on physical services. Resources can include infrastructure, platform or software services.
Cloud computing: Delivery of storage or computing services from remote servers online (ie via the internet).
Common text: A structure and series of requirements defined by the International Organization for Standardization, that are being incorporated in all management system International Standards as they are revised.
Credentials: A user's authentication information used to verify identity - typically one, or more, of password, token, certificate.
CryptoLocker: Ransomware, propagated through infected email attachments.
Cyber attack: Malicious attempts to damage, disrupt or gain unauthorised access to computer systems, networks or devices, via cyber means.
Cyber incident: A breach of the security rules for a system or service - most commonly; · Attempts to gain unauthorised access to a system and/or to data · Unauthorised use of systems for the processing or storing of data · Changes to a systems firmware, software or hardware without the system owners consent · Malicious disruption and/or denial of service.
Cyber security: The protection of devices, services and networks — and the information on them — from theft or damage.
Dark Web: Network of internet content not indexed by search engines and generally accessed through special means requiring specific software, configurations or authorized access.
Data at rest: Describes data in persistent storage such as hard disks, removable media or backups.
Data server: A computer or program that provides other computers with access to shared files over a network.
Declaration of conformity: Confirmation issued by the supplier of a product that specified requirements have been met.
Deductible: The specified amount a loss must exceed before a claim is payable. Only the amount which is in excess of the deductible is recoverable.
Denial of service (DDoS): When legitimate users are denied access to computer services (or resources), usually by overloading the service with requests.
Dictionary attack: A type of brute force attack in which the attacker uses known dictionary words, phrases or common passwords as their guesses.
Digital footprint: A 'footprint' of digital information that a user's online activity leaves behind.
DMZ: Segment of a network where servers accessed by less trusted users are isolated. The name is derived from the term “demilitarised zone”.
Download attack: The unintentional installation of malicious software or virus onto a device without the users knowledge or consent. May also be known as a drive-by download.
Encryption: A mathematical function that protects information by making it unreadable by everyone except those with the key to decode it.
End user device (EUD): Collective term to describe modern smartphones, laptops and tablets that connect to an organisation's network.
Endorsement: Documentary evidence of a change in the wording of or cover offered by an existing policy or qualification of wording if the policy is written on restricted terms.
Ethernet: Communications architecture for wired local area networks based uponIEEE 802.3 standards.
Ex-Gratia Payment: A payment made by an insurer to a policyholder where there is no legal liability so to pay.
Excess: The first portion of a loss or claim which is borne by the insured. An excess can be either voluntary to obtain premium benefit or imposed for underwriting reasons.
Exclusion: A provision in a policy that excludes the insurer’s liability in certain circumstances or for specified types of loss.
Exploit: May refer to software or data that takes advantage of a vulnerability in a system to cause unintended consequences.
Firewall: Hardware or software which uses a defined rule set to constrain network traffic to prevent unauthorised access to or from a network.
Gap analysis: The comparison of actual performance against expected or required performance.
Gross premium: A term normally applied to gross written premiums before deduction of brokerage and discounts.
Hacker: In mainstream use as being someone with some computer skills who uses them to break into computers, systems and networks.
Hard disk: The permanent storage medium within a computer used to store programs and data.
Hazard: A physical or moral feature that introduces or increases the risk.
Honeypot (honeynet): Decoy system or network to attract potential attackers that helps limit access to actual systems by detecting and deflecting or learning from an attack. Multiple honeypots form a honeynet.
Inception date: The date from which, under the terms of a policy, an insurer is deemed to be at risk.
Incident: A breach of the security rules for a system or service, such as: · attempts to gain unauthorised access to a system and/or data · unauthorised use of systems for the processing or storing of data · changes to a systems firmware, software or hardware without the system owners consent · malicious disruption and/or denial of service
Increase in cost of working: Under a business interruption policy some cover is provided for additional expenditure incurred by the insured solely for the purpose of reducing the shortage in production following an insured event.
Indemnity: A principle whereby the insurer seeks to place the insured in the same position after a loss as he occupied immediately before the loss (as far as possible).
Indemnity period: Under a business interruption insurance the period during which cover is proved for disruption to the business following the occurrence of an insured peril.
Insider risks: The potential for damage to be done maliciously or inadvertently by a legitimate user with privileged access to systems, networks or data.
Insurable interest: For a contract of insurance to be valid the policyholder must have an interest in the insured item that is recognised at law whereby he benefits from its safety, well-being or freedom from liability and would be prejudiced by its damage or the existence of liability. This is called the insurable interest and must exist at the time the policy is taken out and at the time of the loss.
Insurable value: The value of the insurable interest which the insured has in the insured occurrence or event. It is the amount to be paid out by the insurer (assuming full insurance) in the event of total loss or destruction of the item insured.
Insurance Premium Tax (ipt): The Finance Act 1994 introduced this tax on most general insurance risks located in the UK.
Internet of things (IoT): Refers to the ability of everyday objects (rather than computers and devices) to connect to the Internet. Examples include kettles, fridges and televisions.
Lapse: The non-renewal of a policy for any reason.
Limit: The insurer’s maximum liability under an insurance, which may be expressed ‘per accident’, ‘per event’, ‘per occurrence’, ‘per annum’, etc.
Lloyd’s (Of London): A Society, incorporated under Act of Parliament of 1871 and known as the Corporation of Lloyd’s, which provides the premises a wide variety of services, administrative staff and other facilities to enable the Lloyds market to carry on insurance business efficiently.
Lloyd’s Broker: A broker approved by the Council of Lloyd’s and thereby entitled to enter the underwriting room at Lloyd’s and place business direct with underwriters. Lloyd’s brokers must meet the Council of Lloyd’s stringent requirements as to integrity and financial stability. They have to file annually with the Council of Lloyd’s a special accountant’s report concerning their financial position.
Locky: Ransomware delivered by email that makes use of Microsoft Word macros to deliver its payload.
Loss: Another term for a claim.
Machine Learning: The act of getting computers or machines to perform an act without explicitly programming such an act. Utilises computational methods and data to "learn" information without relying on a predetermined model.
Macro: A small program that can automate tasks in applications (such as Microsoft Office) which attackers can use to gain access to (or harm) a system.
Malvertising: Using online advertising as a delivery method for malware.
Malware: Malicious software - a term that includes viruses, trojans, worms or any code or content that could have an adverse impact on organisations or individuals.
Man-in-the-Middle Attack: Eavesdropping: when attacker secretly relays computer communication through themselves between two parties enabling them to compromise the integrity and confidentiality of the message.
Material fact: Any fact which would influence the insurer in accepting or declining a risk or in fixing the premium or terms and conditions of the contract is material and must be disclosed by a proposer, or by the insurer to the insured.
Mirai: Large-scale compromise of networked devices running Linux, particularly those such as IP cameras and home routers, for the purpose of establishing a network to perpetrate attacks.
Mitigation: Steps that organisations and individuals can take to minimise and address risks.
Negligence: Arguably the most common form of tort. Could be defined as ‘the omission to do something which a reasonable person guided by those considerations which ordinarily regulate the conduct of human affairs would do, or doing something which a prudent and reasonable person would not do’. Gives rise to civil liability.
Net premiums: Term variously used to mean gross premiums net of reinsurance premiums payable, or commission, brokerage, taxes, or any combination of these.
Network: Two or more computers linked in order to share resources.
Network Sniffing: Also known as Packet Sniffing" or "Packet Analyzation" is the act of eavesdropping on network traffic in an attempt to intercept and log traffic that passes over the path.
No claims bonus (or discount) (N.C.B): A rebate of premium given to an insured by an insurer where no claims have been made by that insured.
Non-Disclosure: The failure by the insured or his broker to disclose a material fact or circumstance to the underwriter before acceptance of the risk.
Patching: Applying updates to firmware or software to improve security and/or enhance functionality.
Pentest: Short for penetration test. An authorised test of a computer network or system designed to look for security weaknesses so that they can be fixed.
Peril: A contingency, of fortuitous happening, which may be covered or excluded by a policy of insurance.
Period of risk / Policy period: The period during which the insurer can incur liability under the terms of the policy.
Petya: Ransomware attacking Windows-based systems to encrypt the hard-drive, preventing system from booting.
Pharming: An attack on network infrastructure that results in a user being redirected to an illegitimate website despite the user having entered the correct address.
Phishing: Untargeted, mass emails sent to many people asking for sensitive information (such as bank details) or encouraging them to visit a fake website.
Platform: The basic hardware (device) and software (operating system) on which applications can be run.
Policy: A document detailing the terms and conditions applicable to an insurance contract and constituting legal evidence of the agreement to insure. It is issued by an insurer or his representative for the first period of risk. On renewal a new policy may well not be issued although the same conditions would apply, and the current wording would be evidence by the renewal receipt.
Policy holder: The named entity and/or individual in whose name the policy is issued.
POODLE: Padding Oracle On Downgraded Legacy Encryption - exploit taking advantage of clients' fallback to SSL 3.0.
Premium: The consideration paid for a contract of insurance.
Proposal form: A form sent by an insurer to a person requiring insurance so as to obtain sufficient information to allow the insurer to decide whether or not to accept a risk and what conditions to apply if it is accepted.
Pwned: Also "Pwn" or "Pown." Meaning an accounts defences have been completely compromised.
Quote: A statement by an insurer of the premium they will require for a particular insurance.
Ransomware: Malicious software that makes data or systems unusable until the victim makes a payment.
Reinstatement: Making good. Where insured property is damaged, it is usual for settlement to be effected through the payment of a sum of money, but a policy may give either the insured or insurer the option to restore or rebuild instead.
Renewal: The process of continuing an insurance from one period of risk to a succeeding one.
Risk: The peril insured against or an individual exposure.
Risk management: The identification, measurement and economic control of risks that threaten the assets and earnings of a business or other enterprise.
Router: A network device which sends data packets from one network to another based on the destination address. May also be called a gateway.
Salvage: A recovery of all or part of the value of an insured item on which a claim has been paid.
Sanitisation: Using electronic or physical destruction methods to securely erase or remove data from memory.
Schedule: The part of a policy containing information peculiar to that particular risk. The greater part of a policy is likely to be identical for all risks within a class of business covered by the same insurer.
Smishing: Phishing via SMS: mass text messages sent to users asking for sensitive information (e.g. bank details) or encouraging them to visit a fake website.
Social engineering: Manipulating people into carrying out specific actions, or divulging information, that's of use to an attacker.
Software as a service (SaaS): Describes a business model where consumers access centrally-hosted software applications over the Internet.
Spear-phishing: A more targeted form of phishing, where the email is designed to look like it's from a person the recipient knows and/or trusts.
Statement of fact: An alternative to a completed proposal form. A statement provided by the insurer clarifying the basis on which insurance is accepted and what conditions apply.
Sum insured: The maximum amount payable in the event of a claim under contract of insurance.
Third party: A person claiming against an insured. In insurance terminology the first party is the insurer and the second party is the insured.
Third party liability: Liability of the insured to persons who are not parties to the contract of insurance and are not employees of the insured.
Tinba: Malware targeting financial institution websites, establishing man-in-the-browser attacks and network sniffing to steal user’s sensitive data, such as account login information and banking codes. Also referred to as "Tiny Banker Trojan".
Trojan: A type of malware or virus disguised as legitimate software that is used to hack into the victim's computer.
Two-factor authentication (2FA): The use of two different components to verify a user's claimed identity. Also known as multi-factor authentication.
Underlying insurance: The primary insurance as distinct from excess insurance.
Underwriter: A person who accepts business on behalf of an insurer.
Utmost good faith: Insurance contracts are contracts of utmost good faith (uberrima fides), which means that both parties to the contract have a duty to disclose, clearly and accurately, all material facts relating to the proposed insurance. Any breach of this duty by the proposer may entitle the insurer to repudiate liability.
Virtual Private Network (VPN): An encrypted network often created to allow secure connections for remote users, for example in an organisation with offices in multiple locations.
Virus: Programs which can self-replicate and are designed to infect legitimate software programs or systems. A form of malware.
Vulnerability: A weakness, or flaw, in software, a system or process. An attacker may seek to exploit a vulnerability to gain unauthorised access to a system.
WannaCry: A ransomware attack in May 2017 that encrypted the data housed on infected windows computers and demanded a ransom payment for its return.
Warranty: A very strict condition in a policy imposed by an insurer. A breach entitles the insurer to deny liability.
Water-holing (watering hole attack): Setting up a fake website (or compromising a real one) in order to exploit visiting users.
Whaling: Highly targeted phishing attacks (masquerading as a legitimate emails) that are aimed at senior executives.
White Box: Testing conducted against a system or network with near-complete knowledge of environment and protections. The idea is to reduce the time a tester needs to identify vulnerabilities so testing is more thorough and takes less time and expense.
White Hat: A hack which is authorised in some manner. Generally performed by engaged vendors/hackers, organisations will periodically authorise hackers to test their systems and networks to discover vulnerabilities.
Whitelisting: Authorising approved applications for use within organisations in order to protect systems from potentially harmful applications.
Without prejudice: Term used in discussion and correspondence. Where there is a dispute or negotiations for a settlement and terms are offered ‘without prejudice’ an offer so made or a letter so marked and subsequent correspondence cannot be admitted in evidence without the consent of both parties concerned. Term also used by an Insurer when paying a claim which they feel may not attach to the policy. This payment must not be treated as a precedent for future similar claims.
Xafecopy: Malware usually found embedded in a variety of mobile apps, most commonly in battery optimisers, without the knowledge or consent of the user, ultimately subscribing the phone to a number of services which incur monetary charges directly to the user's mobile phone bill.
Zero-day: Recently discovered vulnerabilities (or bugs), not yet known to vendors or antivirus companies that hackers can exploit.
Zombie: A computer or device connected to the internet that has been compromised by a hacker or virus that can be used to perform malicious attacks against other hosts.