Ransomware: A Damage Event Involving a Virus and Inadequate Protection

Given the increasing threats from cybercrime, experts have been advising companies for some time to leave their IT systems to professionals. But nobody is perfect and IT service providers can also make a mistake – or several, with expensive consequences, as this real exali damage event impressively shows.

Cyber Attack with Widespread Damage

As a company, outsourcing certain tasks to professionals can provide some relief for your employees and even smooth out processes. That’s also what a consulting firm that entrusted a service provider with the supervision of its IT environment thought. But the collaboration unfortunately soon turned into a real nightmare for both sides: Not only was the consulting firm the victim of a cyber attack, but things really went wrong when the systems were subsequently restored.

Cybersecurity Risk for Employees

One of the biggest cyber risks for companies is careless employees, as in this case: The IT systems at the consulting firm were initially infected with a cryptotrojan via the desktop of an intern. A cryptotrojan is malicious software (so-called ransomware) that automatically installs itself in networks and encrypts files there. Criminals usually demand a high ransom for the victim to regain access to their data. In the case of the consulting company, the malware went unnoticed for several weeks and encrypted around 60,000 files during this period – almost 30 percent of all company data.

Cyber Risks – the Human Factor and Outdated Technology

In addition to the careless intern, the completely outdated hardware and software at the company was also largely responsible for the infestation. The Trojan succeeded in overwriting files including backups and all file storage. When the error was noticed, only the databases and mailboxes were still available. But that’s not all: As it turned out, the responsible IT service provider had insufficiently protected the email server and backup server systems.

As a result, much of the lost data and many of the systems could not be recovered. But it was not only the restoration of the systems that turned out to be problematic: When setting up the backend storage – the storage solution for backing up digital data – the IT expert made a configuration error during the connection. This resulted in a performance problem during the recovery. The mishap wasn’t noticed during operation for a long time, but nevertheless caused considerable time delays and further failures including subsequent errors during the recovery. Ultimately, the consulting company had no choice but to recreate the 60,000 overwritten files as the data was essential for the business consultancy.

Claim for Damages in the Six-Digit Range

Things got really expensive for the IT service provider following the debacle: The consulting company demanded more than 900,000 euros in damages for the insufficient protection of the IT systems and the error in the data recovery. In addition to the costs of restoring the data, the company also cited business losses that came about as a result of the business interruption and the missing data.

As part of the Professional Indemnity Insurance for Digital Professions taken out by the service provider, they reported the damage to exali customer service. The case was then immediately forwarded to the insurer’s claims department. In a first step, the insurer checked to see whether the claims were justified. During a detailed personal discussion between the IT service provider, the exali customer service and the insurer’s claims experts, it quickly turned out that there were also indications that the consulting company was partly to blame and, as a result, there were corresponding doubts about the amount of the costs for the restoration of the data and the overtime worked.

It was therefore agreed not to accept the claim in that particular form and to enter into negotiations with the injured party. Since the parties (insurer and injured party) could not agree on an amount for the justified compensation, the issue was ultimately clarified in court: After two and a half years of legal arguments, the parties agreed on a settlement of 175,000 euros. Still in the six figures, but only about 19 percent of the damages that were originally claimed.

The insurer covered the compensation for the financial damage as part of its Financial Loss Insurance, which is included in the basic protection of the Professional Indemnity Insurance. Among other things, it covers financial damage – so-called pure financial damage – that occurs as a result of professional errors and omissions with third parties. In this specific case, the insurer also covered the costs for the lawyers.

Professional Indemnity Insurance – More Than Financial Protection

This case shows once again that the benefits of Professional Indemnity Insurance cover more than the mere settlement of claims for compensation. The insurer not only steps into the breach financially, but also checks the accuracy of the claims made against you in advance. If the claims are justified, the insurer covers the costs. If the claims are not justified in terms of their grounds or amount, the insurer will defend against the claim on your behalf and bear any costs incurred for lawyers, experts and court proceedings.

As you can already see: Taking out Professional Indemnity Insurance is a worthwhile investment in the continued existence of your company, because you no longer face claims for compensation, contractual penalties, fines, etc. alone. If you have any further questions, our customer advisors will be happy to help you from Monday to Friday from 9 a.m. to 6 p.m. Call us on +49 (0) 821 80 99 46-0 or use our contact form.
