Navigating the path to recovery after a breach
Our client, a provider of a cloud-based web hosting platform, suffered an unauthorized network intrusion by unknown hackers. The intrusion temporarily shut down their core business offering and exposed customer data. Thereafter, customers started to report network and service outages across the entire platform. It was soon discovered that the hackers had erased router configurations, crippling our client’s entire suite of services.
Within 24 hours, our client was able to partially restore services and systems, but it took nearly five days to complete all remediation and investigation efforts. Making matters worse, in the midst of the outage, a file dump containing customer usernames, passwords and contact information was posted online.
Our client immediately retained a breach coach and forensics firm to investigate and remediate. Additionally, a public relations firm was engaged to assist with notification of the affected customers and to manage press reports after news of the incident was leaked online. The FINEX Claims & Legal Group (CLG) was also notified of the incident and was able to provide notice of the incident to our client’s cyber liability insurance carrier that same day (a Sunday).
While our client’s cyber liability insurer generally responded favorably, there were several obstacles standing in the way of a full recovery. First and foremost, the breach coach, forensics and PR firms retained by our client were not on the insurer’s list of approved vendors. Moreover, a full week had elapsed before CLG was advised of the incident, thereby delaying notice to the insurer. The policy only covers expenses incurred after notice has been presented and the insurer has provided its prior consent. During this pre-notice/pre-consent time period, the incurred legal and forensics costs greatly exceeded $100,000. Nevertheless, CLG persuaded the insurer to approve our client’s chosen vendors and fully cover the incurred costs, minus the policy’s self-insured retention. We accomplished this by working with our client’s chosen vendors to demonstrate their competency and the reasonableness (under the circumstances) of the invoices generated during this period. In doing so, we made a compelling case to the insurer not to use technical policy provisions against our client in a punitive fashion, since it appeared all of the pre-notice actions and costs would have otherwise been approved had timely notice been given.
As for the network outage, it caused our client a significant business interruption, resulting in a loss of income in the high six figures. While the policy provided coverage for income interruption as the result of the attack, a dispute arose concerning the quantum of the damage caused by the interruption. Specifically, our client’s customers paid for services on a monthly, quarterly or annual basis and were free to cancel their services at any time. As such, a true calculation of our client’s lost income did not fit squarely within the cyber policy’s formula for determining income interruption. Working with our client’s accounting department and the insurer, we were able to get all parties to reach an understanding that an income loss directly related to the network interruption had in fact occurred. We were also able to demonstrate — using a sampling of complaints from customers who canceled their service contracts either during or immediately after the outage period — that the majority of the lost accounts were directly attributable to the breach.